US regulators have increased their focus on cybersecurity issues affecting financial services companies, with a host of guidance documents recently released by the US Securities and Exchange Commission (SEC), the three federal banking agencies (the Federal Reserve Board, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency), and the US Department of Labor (DOL). The financial sector, often targeted for its data and money, has seen global cyber threats increase as it rapidly digitalizes.
Cyberattacks can take many forms, may be carried out by organized cybercrime rings or through compromised third-party vendors, and vary in scale and scope, but the overarching theme is that they are disruptive and cause not only financial but also reputational damage.
The most common types of breaches experienced by organizations include IT failure (24%); human error (21%); supply chain attack (19%); destructive attack (17%); ransomware attack (11%); and other malicious attack (8%). Reaching an all-time high, the cost of a data breach averaged $4.35 million in 2022, climbing 12.7% from $3.86 million in 2020.
Department of Homeland Security
In March 2022, US President Joseph Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), which would, among other things, require the Cybersecurity and Infrastructure Security Agency (CISA) to develop and implement regulations requiring covered entities to report covered cyber incidents and ransomware payments to CISA within 72 hours of the time the entity reasonably believes the incident occurred.
Additionally, any federal entity receiving a report on a cyber incident after the effective date of the final rule must share that report with CISA within 24 hours. While the comment period is open with a final rule pending, enactment of CIRCIA marks a notable milestone in improving America’s cybersecurity.
US Securities and Exchange Commission
The SEC issued a notice of proposed rulemaking on March 15, 2023 that would require SEC-regulated investment advisers, investment companies, and broker-dealers to provide notice to individuals affected by certain types of data breaches, among other related requirements.
Because no current SEC rule requires notifying affected individuals in the event of a data breach, the proposal would require Covered Entities to notify individuals whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization.
It would also require covered institutions to develop, implement, and maintain written policies and procedures for an incident-response program that is reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information. The comment period ends on June 5, 2023.
Simultaneously, the SEC proposed a new cybersecurity risk management requirement for broker-dealers and “Market Entities” that would require broker-dealers to annually (1) review the effectiveness of their policies and procedures and (2) prepare a written report.
This proposal mirrors the recently proposed risk management requirement for investment advisers and investment companies, under which Covered Entities would need to notify the SEC of a cybersecurity incident within 48 hours. The comment window has recently reopened.
The SEC is also proposing to broaden and align the scope of the Safeguards Rule and Disposal Rule (related to disposal of collected information) to cover “customer information,” a new defined term. This change would expand those rules to both nonpublic personal information that a Covered Entity collects about its own customers and nonpublic personal information that a Covered Entity receives about customers of other financial institutions. The new notification requirement only relates to the first subset of information.
In March 2022, the SEC proposed new rules and amendments to mandate disclosure regarding cybersecurity risk management, strategy, governance, and incident reporting, including amendments to Forms 8-K, 10-Q, and 10-K.
Department of Labor
Turning its focus to the intersection of cybersecurity practices and ERISA's fiduciary duties, on April 14, 2021 the DOL issued three pieces of subregulatory guidance addressing the cybersecurity practices of retirement plan sponsors, their service providers, and plan participants, respectively.
Financial institutions may want to consider reviewing their policies, procedures, and contracts with service providers to ensure compliance with the new requirements. Some best practices that financial institutions should consider include the following:
If you are interested in New Cybersecurity Rules Impacting Financial Services Companies, as part of our Technology Marathon 2023, we invite you to subscribe to Morgan Lewis publications to receive updates on trends, legal developments, and other relevant areas.