Few topics in the financial news have gotten more attention recently than the rise of cryptocurrency and initial coin offerings (ICOs), which allow startups to raise money from users in exchange for digital currency. In 2017, ICOs raised more than $3 billion in funding, surpassing early-stage venture capital funding for internet companies, and solidifying ICOs as a financing strategy among tech entrepreneurs.

But with surging popularity comes increasing attention and scrutiny from regulators, most notably the US Securities and Exchange Commission (SEC or Commission). Previously, the SEC had adopted a more cautionary approach, advising potential investors to perform due diligence, and issuing trading suspensions for certain issuers that made questionable claims regarding ICO investments. As we have previously reported, however, the SEC has recently taken a more aggressive stance toward ICOs.

On February 16, 2017, the New York Department of Financial Services (DFS) released its final self-described “first-in-the-nation” cybersecurity regulations (the Rules). The Rules become effective March 1, 2017, but will be phased in on a staggered basis beginning 180 days after the effective date. Proposed cybersecurity regulations were initially released on September 13, 2016 to become effective January 1, 2017, but on December 28, 2016, the DFS delayed the effective date and simultaneously issued a revised proposal. Morgan Lewis submitted comment letters recommending several modifications to both the initial proposal and the revised proposal.

Although the DFS did take comments into account in initial revisions, the Rules still raise important operational, compliance, and risk management concerns for financial institutions, financial services companies, insurance firms, and other DFS-regulated entities (Covered Entities). The Rules have only minimal changes from the revised proposal, aside from certain changes made to the exemptive provisions, in particular with regard to Covered Entities that are insurance enterprises.

As National Cybersecurity Awareness Month comes to a close, the federal financial regulators have been releasing guidance related to cybersecurity and financial technology (FinTech) issues faster than a teen can complain about slow Wi-Fi.

In the last 10 days, there have been a number of notable releases:

  • The Board of Governors of the Federal Reserve System (Federal Reserve Board), the Office of the Comptroller of the Currency (OCC), and the Federal Deposit Insurance Corporation (FDIC) released a joint advance notice of proposed rulemaking titled Enhanced Cyber Risk Management Standards that would apply to large supervised financial institutions and their service providers.
  • The Federal Reserve Board’s Secure Payments Task Force identified its key priorities for addressing secure payments: payment identity management, information sharing to mitigate payments risk and fraud, and data protection. The task force has invited industry feedback on these priorities through November 8.

The New York Department of Financial Services (NYDFS) has just issued proposed cybersecurity rules (Proposal) applicable to NYDFS-regulated firms (Covered Entities). The Proposal would impose mandatory “minimum requirements,” including the requirement that each Covered Entity establish a cybersecurity program and a cybersecurity policy that addresses 14 areas, including customer data privacy, vendor and third-party service provider management, risk assessment, incident response, audit trail, encryption, and periodic testing requirements. The Proposal also includes requirements for an annual compliance certification made by the board of directors and notification to NYDFS of “cybersecurity events.”

Comments on the Proposal are due by November 12, 2016 and the Proposal indicates that Covered Entities should be prepared to comply by June 30, 2017—180 days after the proposed January 1, 2017 effective date.

For a fuller discussion of the Proposal, please read our LawFlash on this subject.

The Federal Financial Institutions Examination Council (FFIEC) has issued a joint statement warning financial institutions of the increasing frequency and severity of cyber attacks involving extortion, including ransomware, denial of service, and theft of sensitive customer information that is used to extort victims. In turn, financial institutions are advised to develop and implement effective programs to identify, protect, detect, respond to, and recover from these types of cyber attacks. Actions to be taken include conducting ongoing risk assessments, assuring the security of systems and services, protecting against unauthorized access, and a number of other specific measures. In addition, financial institutions that are victims of cyber extortion are advised to notify law enforcement agencies and their primary regulatory agencies, especially if sensitive customer information is accessed, and consider filing Suspicious Activity Reports.

While the joint statement specifically states that it does not purport to create any new regulatory expectations, in fact it recommends a series of specific measures that should be taken in cyber-extortion situations, and reminds financial institutions of their prudential and compliance obligations under current regulatory guidance. More generally, the joint statement underscores the financial agencies’ continuing – and perhaps increasing – concerns over cybersecurity and data breaches.

Financial institutions therefore should treat the joint statement as a regulatory directive on appropriate preventative and response strategies for cyber breaches involving extortion, as well as a reminder to make cybersecurity and data protection a top governance and operational priority that their regulators will regularly test during the examination and supervision process. The FFIEC statement contains links and references to existing guidance and resources from the FFIEC, FBI, and other agencies that, as a threshold matter, financial institutions should review and ensure have been incorporated into their compliance and risk management processes, as appropriate.

In a recent letter to the 18 members of the Financial and Banking Information Infrastructure Committee (FBIIC), Acting Superintendent of the New York Department of Financial Services (NYDFS) Anthony Albanese requested collaboration and regulatory convergence among the members on cybersecurity standards for financial institutions. FBIIC member organizations include the eight federal financial institution regulatory agencies, the US Department of the Treasury, two Federal Reserve Banks, the National Association of Insurance Commissioners, the Conference of State Bank Supervisors, and the Securities Investor Protection Corporation.

Acting Superintendent Albanese stressed the need for coordinated efforts with relevant state and federal agencies to develop a comprehensive cybersecurity framework, addressing the most critical issues while preserving flexibility to address NYDFS-specific concerns. In NYDFS’s view, potential regulations would require a financial institution to maintain a cybersecurity program covering 12 key areas:

  1. Information security
  2. Data governance and classification
  3. Access controls and identity management
  4. Business continuity and disaster recovery planning and resources
  5. Capacity and performance planning
  6. Systems operations and availability concerns
  7. Systems and network security
  8. Systems and application development and quality assurance
  9. Physical security and environmental controls
  10. Customer data privacy
  11. Vendor and third-party service provider management
  12. Incident response, including by setting clearly defined roles and decision-making authority

The Office of the Comptroller of the Currency’s (OCC’s) Committee on Bank Supervision has released its Fiscal Year 2016 priorities. Not surprisingly, the top supervision and examination priorities are

  • governance and oversight,
  • credit underwriting and risk, and
  • cybersecurity.

Other priorities include the Bank Secrecy Act/money laundering, operational risk, compliance, interest rate risk, and fair access. The OCC’s expectations under each of the priorities differ for large banks and midsize and community banks. The OCC continues to emphasize compliance with its guidance on third-party relationships. OCC examiners will also begin to use the Federal Financial Institutions Examination Council’s Cybersecurity Assessment Tool released in June 2015 to supplement their exam work. The Cybersecurity Assessment Tool has caused some concerns among smaller banks for potentially being too rigid.

These supervisory priorities are consistent with the top risks identified in the OCC’s Spring 2015 Semiannual Risk Perspective. All OCC-supervised institutions should be mindful of the 2016 priorities and be prepared for examiners to emphasize each of the categories during the next exam.

Read the OCC Fiscal Year 2016 Operating Plan.