Not that long ago, financial sector regulations seldom mentioned cybersecurity expressly, instead addressing the issue indirectly through restrictions focused on general system safeguards and omnibus reporting requirements. Gone are those days. Over the past few years, federal and state regulators have increased focus on information security issues impacting financial institutions, introducing a spate of cyber rules that often include stringent regulatory reporting and disclosure requirements. This year was no different.Continue Reading Making a List and Checking it Twice: The Impact of Cybersecurity Regulations on Financial Services in 2023

On November 9, 2022, the New York Department of Financial Services (“NYDFS”) announced proposed amendments to its Part 500 Cybersecurity Rules (“Proposed Amendments”), revising an initial set of draft amendments released in July 2022. While NYDFS may have relatively limited jurisdiction, its emphasis on rapid breach reporting and data governance have had considerable influence on other U.S. financial services regulators. The current Cybersecurity Rules impose a 72-hour reporting requirement for cybersecurity events, and the Proposed Amendments go farther, creating an additional 24-hour notification obligation in the event a ransomware payment is made. Additionally, the Proposed Amendments create new requirements for larger “Class A” companies, including a risk assessment by an external expert every three years and an independent audit of cybersecurity programs annually.Continue Reading NYDFS Proposes Significant Amendments to its Cybersecurity Rules

On October 26, 2022, in a divided 3-2 vote, the Securities and Exchange Commission (“SEC”) proposed a new rule, 206(4)-11, under the Investment Advisers Act of 1940 and related amendments (the “Proposed Rule”) requiring SEC-registered investment advisers to exercise effective and sufficient oversight over their service providers so as to fulfill the adviser’s fiduciary duty, comply with the federal securities laws and protect investors from potential harm.  Notably, the Proposed Rule prohibits advisers from outsourcing certain services or functions to service providers without meeting minimum diligence and monitoring requirements. Continue Reading The SEC’s Proposed Outsourcing Oversight Requirements for Investment Advisers

On June 30, 2022, the Department of Justice (“DOJ”) announced four enforcement actions involving allegations of fraud in the cryptocurrency space. The enforcement actions, which collectively bring criminal charges against six individuals, demonstrate the breadth of potential conduct that may expose participants in the blockchain industry to regulatory and enforcement risk. In connection with these

The FTC’s recent publication, FTC Safeguards Rule: What Your Business Needs to Know (the “Guide”), provides a helpful overview of the FTC’s recent Safeguards Rule amendments. The FTC’s Safeguards Rule is applicable to “financial institutions,” such as private funds, subject to the FTC’s jurisdiction but not the jurisdiction of another regulator under the Gramm-Leach-Bliley Act (GLBA). Ropes & Gray has previous reviewed the Safeguards Rule amendments here and here. The Guide does not break any substantial new ground but does provide a useful summary of the Safeguards Rule’s security requirements along with additional details regarding the controls the FTC considers part of a reasonable information security program.

The Guide identifies nine elements of an information security program required under the Safeguards Rule. Companies that maintain personal information regarding fewer than 5,000 consumers are not subject to all of these requirements, as summarized further here. Additionally, companies are not required to have in place all of the controls described until December of this year, but should work toward implementation now, as many will require time intensive processes.Continue Reading FTC Publishes Guide to Safeguards Rule Compliance Applicable to Private Funds

Banking organizations and their service providers are now subject to a tight 36-hour breach notification timeframe—the shortest timeline of any U.S. data breach notification law. Starting earlier this month, on May 1, covered banks and providers were required to be in full compliance with a new cyber incident notification rule (“Banking Rule”), issued by the Federal Reserve, the Federal Deposit Insurance Corporation (“FDIC”), and the Treasury Department’s Office of the Comptroller of the Currency (“OCC”) (“the Agencies”), mandating disclosure of triggering cybersecurity incidents (“notification incidents”) within 36 hours after an organization determines such an incident has occurred.

As we observed in a previous post, the Banking Rule, which became effective on April 1, comes at a time when cyberattacks are on the rise and when regulators have, in response to increasing cyber intrusions, enacted or proposed a series of stringent incident reporting requirements. In December 2021, the Federal Trade Commission (“FTC”) proposed an amendment to the recently updated Safeguards Rule that, if adopted, would require covered financial institutions to report to the FTC any security event involving the misuse of customer information of at least 1,000 consumers. Shortly thereafter, in February, the Securities and Exchange Commission (“SEC”) proposed extensive new rules for registered investment advisers and registered investment companies (“funds”) that would, among other things, require advisers to report “significant adviser cybersecurity incidents” and “significant fund cybersecurity incidents” to the SEC within 48 hours of concluding an incident occurred. A month later, the SEC followed up with proposed updates its public-company cybersecurity disclosure rules, which, if adopted, would compel issuers to file an amended Form 8-K within four business days after a triggering material cybersecurity incident took place.

Notably, the final Banking Rule, as well as the flurry of recently proposed cyber reporting regulations, surfaced against the backdrop of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”), which President Biden signed into law in March, that requires owners and operators of critical infrastructure to report cyber incidents to the Cybersecurity and Critical Infrastructure Agency (CISA) within 72 hours. CIRCIA’s 72-hour timeframe is in line with the breach reporting timeline of the EU’s Global Data Protection Regulation (“GDPR”) and the New York Department of Financial Services (“NYDFS”) Cybersecurity Regulation, which applies to certain insurance and other financial services companies licensed in New York.Continue Reading Banks Must Comply with 36-Hour Notification Rule for Certain Cyber Incidents

On February 9, 2022, the SEC published a release addressing Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies (“Release”). The Release contained proposed new rules under the Advisers Act (Rules 206(4)-9 and 204-6) and the Investment Company Act of 1940 (Rule 38a-2) and amendments (collectively, the “Proposals”), which would require

Private funds that are excluded from the definition of “investment company” under sections 3(c)(1) or 3(c)(7) of the Investment Company Act of 1940 (“ICA”) will face significantly stricter cybersecurity requirements under the FTC’s revised Safeguards Rule, which comes into full effect as of December 9, 2022. The FTC’s updated Safeguards Rule breaks new ground for

Federal banking regulators have recently moved the goal post for financial institutions that suffer a data breach with approval of a new rule mandating the disclosure of certain cyber incidents within 36 hours after banks determine that a triggering incident has occurred. The rule, which puts in place the fastest regulatory notification clock we have seen in the U.S., was issued by the Federal Reserve, the Federal Deposit Insurance Corporation, and the Treasury Department’s Office of the Comptroller of the Currency, and largely conforms to the notice of proposed rulemaking that the agencies issued in January. The new rule goes into effect April 1, 2022, and covered banks must begin compliance by May 1, 2022—leading many banks to revamp systems designed to give notice in 30 days.

The new rule comes at a time in which cyberattacks are a larger problem than ever and show no sign of slowing. Financial institutions have always been major targets but have recently suffered an even greater barrage. While the Bank Secrecy Act and the Interagency Guidance on Response Programs for Unauthorized Access to Consumer Information and Customer Notice already require banks to provide the agencies with information regarding certain computer security incidents, the new rule encapsulates regulators’ desire for even more rapid alerts regarding a wider range of such events. According to the banking regulators, the new rule will promote early agency awareness of the most serious threats, helping banks and their supervisory agencies address these threats before they endanger the entire financial system.Continue Reading Banking Rule Sets a New Bar for Cyber Incident Notification Timelines