Standardizing Cybersecurity Regulations

Standardizing cybersecurity regulations is becoming more important as the focus on cybersecurity continues to spur new laws, regulations and guidelines. Just recently, Treasury Secretary Steven Mnuchin noted that because the safety of the financial system is critical, he has made cybersecurity his top technology priority and will use his authority as chairman of the Financial Stability Oversight Council to push financial regulators to strengthen cybersecurity. While cybersecurity is critical to the stability of the financial industry, it is not new to broker-dealers and investment advisers.

Over the last few years, the Securities and Exchange Commission ("SEC") and the Financial Industry Regulatory Authority ("FINRA") have issued multiple notices and guidelines regarding cybersecurity and have sanctioned both broker-dealers and investment advisory firms for not embracing best practices, especially where the lapses resulted in breaches. Additionally, the New York Department of Financial Services ("DFS") recently created cybersecurity standards for New York based financial institutions. When the standards were released, DFS noted that it was attempting to simplify the overlapping and sometimes conflicting rules that New York based financial firms face from multiple regulators. DFS also expressed the belief that sharing its standards might help the financial industry establish conformity on cybersecurity requirements.

However, with more than a dozen authorities with differing perspectives issuing regulations, “the guidance tends to differ,” said Stephen Scharf, chief security officer for Depository Trust and Clearing Corp. “Sometimes it does create a challenge.”

The cost of that fragmentation is real. The Securities Industry and Financial Markets Association ("SIFMA") has pointed out that many firms expend unnecessary energy on cybersecurity compliance instead of mitigating actual threats. According to SIFMA and the American Bankers Association ("ABA"), financial services firms spend approximately 40 percent of their cybersecurity effort on compliance as opposed to security. SIFMA and the ABA said in a February letter to banking regulators about proposed cybersecurity rules that "substantial resources are already being invested in complying with regulatory requirements rather than directly targeting security risks."

Hope springs eternal, and it appears that authorities might just be getting the message. The Federal Reserve, the Office of the Comptroller of the Currency and the Federal Deposit Insurance Corp. were praised in December for proposing cybersecurity rules jointly. The various rules tend to share "common themes," most of which broker-dealers and investment advisers have already had to address in their operations. For instance, most regulators require firms to designate a senior-level cyber point person, maintain written policies and procedures, conduct internal and external risk assessments, and minimize the risks posed by outside vendors.

In any event, broker-dealers and investment advisers should be hopeful that they will benefit from the harmonization and standardization of cybersecurity regulations. As the rest of the financial industry catches up with the guidelines and oversight that the SEC and FINRA have already issued, new guidance may evolve that eases the impact on smaller financial firms.