How Financial Services Companies Can Prepare for and Comply with New Federal Cybersecurity Requirements

US regulators have increased their focus on cybersecurity issues impacting financial services companies, with a host of guidance documents recently released by the US Securities and Exchange Commission (SEC), the three federal banking agencies—the Federal Reserve Board, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency—and the US Department of Labor (DOL). Often targeted for its data and money, the rapid digitalization of the financial sector has led to an increase in global cyber threats.

Cyberattacks can take shape in a number of different forms, be carried out by organized cyber crime rings or third-party vendor attacks, and vary in scale and scope, but the overarching theme is that they are disruptive and cause not only financial but also reputational damage.

The most common types of breaches experienced by organizations include IT failure (24%); human error (21%); supply chain attack (19%); destructive attack (17%); ransomware attack (11%); and other malicious attack (8%). Reaching an all-time high, the cost of a data breach averaged $4.35 million in 2022, climbing 12.7% from $3.86 million in 2020.

Federal Regulatory Activity

Department of Homeland Security

In March 2022, US President Joseph Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), which would, among other things, require the Cybersecurity and Infrastructure Security Agency (CISA) to develop and implement regulations requiring covered entities to report covered cyber incidents and ransomware payments to CISA within 72 hours (from reasonable belief) from the time when the incident occurred.

Additionally, any federal entity receiving a report on a cyber incident after the effective date of the final rule must share that report with CISA within 24 hours. While the comment period is open with a final rule pending, enactment of CIRCIA marks a notable milestone in improving America’s cybersecurity.

US Securities and Exchange Commission

The SEC issued a notice of proposed rulemaking on March 15, 2023 that would require SEC-regulated investment advisers, investment companies, and broker-dealers to provide notice to individuals affected by certain types of data breaches, among other related requirements.

With no currently existing SEC requirement of notifying affected individuals in the event of a data beach, the proposal would require Covered Entities to notify individuals whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization.

It would also require covered institutions to develop, implement, and maintain written policies and procedures for an incident-response program that is reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information. The comment period ends on June 5, 2023.

Simultaneously, the SEC proposed a new cybersecurity risk management requirement for broker-dealers and “Market Entities” that would require broker-dealers to annually (1) review the effectiveness of their policies and procedures and (2) prepare a written report.

This proposal mirrors the recently proposed risk management requirement for investment advisers and investment companies, under which Covered Entities would need to notify the SEC in the event of a cybersecurity incident within 48 hours. The comment window recently has reopened.

The SEC is also proposing to broaden and align the scope of the Safeguards Rule and Disposal Rule (related to disposal of collected information) to cover “customer information,” a new defined term. This change would expand those rules to both nonpublic personal information that a Covered Entity collects about its own customers and nonpublic personal information that a Covered Entity receives about customers of other financial institutions. The new notification requirement only relates to the first subset of information.

In March 2022, the SEC proposed new rules and amendments to mandate disclosure regarding cybersecurity risk management, strategy, governance, and incident reporting, including amendments to Forms 8-K, 10-Q, and 10-K.

Department of Labor

Turning its focus to the intersection of cybersecurity practices and ERISA’s fiduciary duties, on April 14, 2021 the DOL issued three pieces of subregulatory guidance addressing the cybersecurity practices of retirement plan sponsors, their service providers, and plan participants, respectively.

• Tips for Hiring a Service Provider with Strong Cybersecurity Practices provides guidance for plan fiduciaries when hiring a service provider such as a recordkeeper, trustee, or other provider that has access to a plan’s nonpublic information.
• Cybersecurity Program Best Practices is a collection of best practices for recordkeepers and other service providers and may be viewed as a reference for plan fiduciaries when evaluating service providers’ cybersecurity practices.
• Online Security Tips contains online security advice for plan participants and beneficiaries.

Preparation Is the Key to Protection

Financial institutions may want to consider reviewing their policies, procedures, and contracts with service providers to ensure compliance with the new requirements. Some best practices that financial institutions should consider include the following:

• Conduct a risk assessment; while there is no one-size-fits-all approach, a risk assessment can help ensure that policies are tailored to the potential risks that a company may face.
• Determine who has access to the network: does this include former or terminated employees after they are no longer connected to the company?
• Consider implementing a classified data program that can help identify sensitive and critical data.
• Consider having a management and/or board role that will have oversight of cybersecurity risks.
• Encrypt or tokenize sensitive and critical data in transit and at rest.
• Maintain, update, and test incident response and business continuity plans at least once a year.
• Back up data, as such data is extremely important and can leave the threat actors with little to zero leverage and aid in minimizing disruption to operations. Ensure that data is backed up to an offline or segregated source.
• Conduct regular employee trainings on key risk areas and consider risks associated with remote work.
• Keep security software up to date.
• Review cybersecurity insurance policies and address privilege and legal protection issues.
• Address third-party vendor issues and risks and make sure policies and procedures cover such issues and risks.
• Consult with counsel for legal guidance—the earlier the better.

If you are interested in New Cybersecurity Rules Impacting Financial Services Companies, as part of our Technology Marathon 2023, we invite you to subscribe to Morgan Lewis publications to receive updates on trends, legal developments, and other relevant areas.