States are developing their own cybersecurity regulations. Here's what advisory firms should know.
As a report from Accenture laid out earlier this year, not only are financial services firms targeted by cybercrime more than any other sector, but breaches have actually tripled over the past five years. Technology has revolutionized this sector, but in doing so, it has opened financial advisors and other industry professionals to threats and liabilities in ways never before imagined. Potential consequences range from the unnerving to the catastrophic.
The Cybersecurity Regulation Benchmark
Fortunately, advances in codifying a defense system to protect the industry from these incursions are also developing at a rapid pace. As with much of this nation’s critical legislative framework, the impetus for development in this area comes from the state rather than the federal level.
In fact, New York state began the charge in this area with its cybersecurity regulations, first announced and published in September 2016. The steps specified by these first-in-the-nation cybersecurity rules establish quite an exhaustive checklist for protection:
- Requiring the development of cybersecurity programs and policies
- Requiring periodic risk assessments
- Requiring the appointment of a chief information security officer
- Imposing technical security requirements
- Adding record keeping, compliance, oversight and incident reporting requirements
Those covered by the New York regulations will be required to be in compliance with all its sections by March 1, 2019, while meeting milestones in the interim as well.
More states are beginning to firm up their requirements around safe operations in this area. In fact, in the summer of 2017, Colorado and Vermont published regulations patterned on New York’s, and legal thinking is that the popularity and adoption of these regulations will continue to snowball as time goes on.
While New York’s regulations, and those structured in their likeness, do require a marked commitment to fulfill, they also go a long way toward clarifying the situation regarding cybersecurity in this industry in the aggregate.
A Focus on Cybersecurity
Both the Financial Industry Regulatory Authority (FINRA) and the Securities and Exchange Commission (SEC) have stressed the importance of advisors placing a focus on cybersecurity. However, they have not codified their intentions on the matter to a large extent.
FINRA has laid down certain rules in the area of post-incursion activity but has been light on defensive measures; the SEC, meanwhile, is focused on enforcement actions to target and hold accountable cyber-related misconduct. The state-driven mandates fill the gap by clearly illuminating the finish line — at least, where it stands today.
So, given that compliance is the coming trend, there is no time like the present to begin moving toward an accord with these standards. The level of actual difficulty that you can expect to have meeting the bar set by the New York state regulations varies, depending on the size and culture of your practice.
Advisors and Cybersecurity
Large advisories, for example, may find that the first step in embracing an environment that is forward-thinking with respect to cybersecurity is hiring a chief information security officer who can spearhead the charge toward compliance in all areas. Smaller advisories, meanwhile, may want to consider hiring a third-party service provider to guide their activities.
If you are a small practice, don’t make the mistake of thinking that these rules either do not apply to you or that surely cybersecurity dangers will not threaten your activities. In fact, while some sections of New York state’s regulations exempt smaller covered entities from compliance, the majority of the standard set by the New York State Department of Financial Services requires compliance from every firm, regardless of size.
Across the board, the vulnerability of small businesses to cybersecurity threats is anything but small — and that includes financial services firms. In fact, a recent report from Ponemon Institute noted that small- and medium-size businesses are particularly vulnerable to cyber attacks: 61 percent experienced an attack in 2017, and 54 percent experienced a data breach. When you consider these statistics together with the fact that the same report states that the financial services industry is the highest-targeted sector, it is clear that regardless of your business’ size, it’s important to take measures quickly.
Regardless of which course you choose to pursue with your cybersecurity planning, it is also a good idea to review your errors and omissions insurance while you are at it. Check to ensure that your current policy includes a cybersecurity rider, and if it does not, make the upgrade. Among other things, this rider could prove critically important in the unfortunate event of a breach at a third-party service provider, limiting your liability if your clients’ personal information is disclosed through no fault of your own.
With every advance comes additional responsibilities. Internet-based technology enables progress in many respects for financial advisory clients. Now, it is time to commit to their safety in light of this progress and, while doing so, invest in your own safety as well.