The tides are turning for investment advisors and brokers when it comes to cybersecurity. The states are starting to flex their authority in a realm that has historically fallen under the jurisdiction of federal authorities. We urge investment advisors and brokers to keep abreast of the regulatory outcomes pending this May, as these developments may have a deep impact on their compliance obligations and trigger a need for additional firm resources.
For a number of years, the SEC and other federal regulators have
mandated that their member firms establish cybersecurity policies and
procedures. The SEC, for instance,
requires its members to establish policies and procedures that will (i)
identify the firm’s Cybersecurity risks to Network Components, assets, data and
capabilities; (ii) develop necessary policies and procedures to limit or
contain the impacts of potential Cybersecurity Incidents; (iii) develop and
implement policies and procedures to identify the occurrence of Cybersecurity
Incidents; (iv) identify and implement appropriate activities to combat
detected Cybersecurity Incidents; and (v) develop and implement appropriate
procedures for restoring any capabilities or services impaired as a result of a
Cybersecurity Incident. The actual policies and procedures that a firm develops and maintains will depend on a number of factors, including the size of the firm, the complexity of its technology architecture and its use of third-party vendors.
In a departure from the past, several states have started to
promulgate their own rules in recent months.
In March of this year, for example, Colorado regulators proposed changes to strengthen the electronic security measures that financial firms must apply when handling client information. The two new rules under the Colorado Securities Act are Rule 51-4.8 and Rule 51-4.14(IA), both of which may be referenced here. Among other aspects, the proposed rules would require broker-dealers and investment advisors to include cybersecurity in their annual risk assessment procedures and to maintain a set of written procedures to protect clients from these risks.[1] There are many areas where the proposed cybersecurity rules in Colorado overlap with the SEC guidelines, but there are also areas in which the proposed rules are more prescriptive. For instance, the Colorado proposal requires the use of secure email, including digital signatures and encryption, and would require firms to inform clients of the risks of using electronic communications.[2] In such cases, the more stringent regulation would have to be followed, and the onus would be on the firm itself to recognize this distinction. A hearing on the proposal is set for May 2nd. If the rule is approved as proposed, any investment advisor or broker-dealer that conducts business within Colorado will have to comply with the new state regulation. This translates into additional cost and time to implement the new requirements.
New York also has its own cybersecurity rules for financial institutions. Though New York State does not license investment advisers and brokers, it does license and exercise regulatory oversight over banks and insurance companies through the Department of Financial Services (DFS). Advisors will be compelled to follow the state rules if they are licensed by the department in another capacity (e.g., as agents who sell insurance).
While the overarching theme of the new laws is clear, we anticipate seeing much variety on a state-by-state basis. Investment advisors and broker-dealers seeking expert advice on the impact of the laws in their specific state should reach out to Lawrence Wagner, Managing Director of COMPASS Regulatory and Compliance Advisers, at lwagner@compassadvisers.net for a consultation.
[1] United States, Colorado Division of Securities, Department of Regulatory Agencies. Code of Colorado Regulations, Rules Under the Colorado Securities Act 3 CCR 704-1, Draft Statement of Basis and Purpose, Promulgation of Amendments to Division Rules. Colorado Division of Securities, March 6, 2017. Retrieved from https://drive.google.com/file/d/0BymCt_FLs-RGUWl5c3lDUVlzeDg/view on April 26, 2017.
[2] Ibid.