As a report from Accenture laid out earlier this year, not only are financial services firms targeted by cybercrime more than any other sector, but breaches have actually tripled over the past five years. Technology has revolutionized this sector, but in doing so, it has opened financial advisors and other industry professionals to threats and liabilities in ways never before imagined. Potential consequences range from the unnerving to the catastrophic.
The Cybersecurity Regulation Benchmark
Fortunately, advances in codifying a defense system to protect the industry from these incursions are also developing at a rapid pace. As with much of this nation's critical legislative framework, the impetus for development in this area comes from the state rather than the federal level.
In fact, New York state led the charge in this area with its cybersecurity regulations, first announced and published in September 2016. The steps specified by these first-in-the-nation cybersecurity rules establish quite an exhaustive checklist for protection:
- Requiring the development of cybersecurity programs and policies
- Undertaking periodic risk assessments
- Appointing a chief information security officer
- Imposing technical security requirements
- Adding record-keeping, compliance, oversight and incident-reporting requirements
Those covered by the New York regulations will be required to be in compliance with all its sections by March 1, 2019, while meeting milestones in the interim as well.
More states are beginning to firm up their requirements around safe operations in this area. In fact, in the summer of 2017, Colorado and Vermont published regulations patterned on New York's, and legal thinking is that the popularity and adoption of these regulations will continue to snowball as time goes on.
While New York's regulations, and those structured in their likeness, do require a marked commitment to fulfill, they also go a long way toward clarifying the situation regarding cybersecurity in this industry in the aggregate.
A Focus on Cybersecurity
Both the Financial Industry Regulatory Authority (FINRA) and the Securities and Exchange Commission (SEC) have stressed the importance of advisors placing a focus on cybersecurity. However, they have not codified their intentions on the matter to a large extent.
FINRA has laid down certain rules in the area of post-incursion activity but has been light on defensive measures; the SEC, meanwhile, is focused on enforcement actions that target cyber-related misconduct and hold those responsible accountable. The state-driven mandates fill the gap by clearly illuminating the finish line, at least where it stands today.