For the last few years, the SEC has been issuing guidance as to appropriate cybersecurity policies and procedures for financial firms. In a move that signals the regulator’s willingness to put muscle into its cybersecurity guidance, the SEC announced an agreement with St. Louis-based investment company R.T. Jones Capital Equities Management (“R.T. Jones” or “the company”) to settle charges that the company failed to adequately safeguard the personal information (“PI”) of approximately 100,000 individuals. Consistent with this trend, the SEC has announced that its Office of Compliance Inspections and Examinations (“OCIE”) would be conducting a second round of investigations into the cybersecurity practices of brokerage and advisory firms (the “Cybersecurity Examination Initiative”). These moves signal the SEC’s increasing scrutiny of investment firms’ information security practices and indicate the regulator’s willingness to enforce the guidance that it has issued.
Earlier this summer, the Federal Financial Institutions Examination Council (FFIEC) released its highly anticipated Cybersecurity Assessment Tool (Assessment), which is designed to assist financial institutions in identifying and assessing risks and weaknesses in, and the overall maturity of, their cybersecurity preparedness programs. Financial institutions’ management, directors, in-house counsel, and regulatory/compliance personnel need to be aware of this development. There is now increased guidance on the type of cybersecurity systems and procedures that need to be implemented to satisfy post-hoc regulatory or judicial scrutiny. This guidance may also affect how regulators, or in the event of a problem, courts hearing civil lawsuits, assess both the institution’s level of preparedness and how the company’s directors and officers discharged their responsibilities in creating and maintaining cybersecurity measures.
On Feb. 26, 2015, in an effort to make “New York State’s computer infrastructure the most secure in the nation,” the New York State Senate passed a suite of four cybersecurity-related bills focused on protecting critical infrastructure entities, such as providers of financial services, telecommunications, energy and health care. The bills mark an aggressive effort to toughen penalties on cybercriminals who attack critical infrastructure (S3404 and S3406), to implement cybersecurity review processes and reporting by key state agencies (S3405), and to establish a “baseline framework” and information-sharing protocols around cybersecurity risks (S3407).
On February 3, 2015, the U.S. Securities and Exchange Commission released a Risk Alert addressing cybersecurity issues at brokerage and advisory firms, along with suggestions to investors on ways they can protect themselves and their online accounts. FINRA issued a similar, more extensive “Report on Cybersecurity Practices” on the same day.