Cyber Security Update—August 2017

August 10, 2017

Cyber security continues to be a dominant theme for regulators both federal and state.

OCIE Risk Alert:  Observations from Cybersecurity Examinations, August 7, 2017.   At the federal level, the SEC's OCIE issued another of its now periodic Risk Alerts on August 7, 2017.

The Alert summarizes the findings and observations of the SEC's examination and inspection staff in numerous exams of advisers, brokers and funds over the past year and a half.  In September 2015, the SEC announced its Cybersecurity Examination Initiative with the goal of assessing industry practices and legal and compliance issues associated with cybersecurity.  It was the second such initiative and, accordingly, is referred to as the "Cybersecurity 2 Initiative."

Overall, the SEC staff observed a much higher rate of firms attempting to comply with various cybersecurity regulations and best practices.  However, delays in applying security patches and updates were broadly observed.  In addition, the staff noted that broker-dealers were not performing as well as advisers and funds at having formal procedures for verifying customers' identities when clients request electronic transfers.  This is an issue with respect to both cybersecurity and custody.

Most critically, the Alert lays out the SEC staff's suggestions for Elements of Robust Policies and Procedures, which we recommend for your review, here: OCIE Risk Alert:  Observations from Cybersecurity Examinations, August 7, 2017.

State Level Actions:

NY State's Cyber Rule.  For certain advisers, as well as many other financial institutions, covered by New York's cyber rule, there are several developments of note.

1.  Compliance deadline:  August 28, 2017

2.  FAQs:  A set of FAQs was released recently by the DFS (the NY Department of Financial Services), covering a broad range of topics.  Read it here:  DFS:  FREQUENTLY ASKED QUESTIONS REGARDING 23 NYCRR PART 500

     A nice Manatt law firm analysis is available here:   DFS Provides Answers to Cybersecurity FAQs

3.  Portal launched for reporting and other purposes.  The DFS announced on July 31 the launch of an online cybersecurity portal for businesses to securely report cybersecurity events.  Press release and information:  DFS CONTINUES INNOVATIVE REGULATORY INITIATIVES WITH THE LAUNCH OF NEW ONLINE CYBERSECURITY PORTAL FOR BUSINESSES SEEKING TO REPORT CYBERSECURITY EVENTS IN NEW YORK.  The press release contains a nice summary of the regulation for those who have not reviewed it yet.