Upcoming bank rules could serve as a model for money management firms
Cybersecurity rules for the U.S. banking industry could eventually be extended to money managers, sources said.
In October, the Federal Reserve, Office of the Comptroller of the Currency and the Federal Deposit Insurance Corp. issued a call for input on what cybersecurity rules should be applied to banks and bank holding companies. What comes out of those efforts could serve as a prototype for cybersecurity regulations at the Securities and Exchange Commission and the Commodity Futures Trading Commission, the sources said.
“It wouldn't surprise me” if money managers ultimately must meet the banking requirements, said Mark Nicholson, principal, cyber risk services, Deloitte LLP, New York. “It would bear out the fact that there's been a lot of focus and activity within ... the SEC and the Fed and banking agencies in terms of cybersecurity.”
The Fed, OCC and FDIC issued a joint advance notice of proposed rule-making related to cybersecurity, requesting that entities they oversee submit recommendations that the agencies could later craft into proposed regulations that could potentially become mandatory for banks and bank holding companies.
Money managers are not under the aegis of banking regulators, but the crafting of such regulations for banks could put pressure on the SEC and CFTC to do the same — or on individual money managers to up their game as a matter of competitive advantage.
“It's not clear if the Fed, FDIC or OCC has the authority to regulate directly bank-affiliated money managers that are under formal SEC or CFTC oversight,” said Charles Horn, partner, investment management and securities industry practice, at law firm Morgan, Lewis & Bockius LLP, Washington. “A couple of banking law provisions make a pretty strong case that they don't.”
But Mr. Horn added that banks and bank holding companies could choose to apply any bank cybersecurity rules to their money manager subsidiaries. “The agencies have an enterprise-level cybersecurity standard in mind, which would mean that cyber risk management requirements would have to be established across all of a bank's business, and that could include money manager subsidiaries,” Mr. Horn said. “In turn, how one can keep those rules from bleeding over into SEC- or CFTC-regulated firms is uncertain. A lot of large banking organizations already have enterprise-level risk management standards, and it's easier for many banks to apply one set of standards to all subsidiaries than to have different standards for different types of subsidiaries. Also, it's possible that the SEC or CFTC could conform, or at least harmonize, any current or future cybersecurity requirements with federal bank cybersecurity standards.”
Across industry types
While federal banking regulations most likely will deal with cybersecurity issues directly related to that industry, Deloitte's Mr. Nicholson said some hacking methods go across industry types.
“Broadly, banks have been victimized by cyber risk more so than the investment management industry,” Mr. Nicholson said.
“That said, things such as ‘ransomware’ do not differentiate between industries. There's no discrimination among cybercriminals. If there's less size or scale (at a money manager or bank), they're an easier target. Additionally, it's important for managers to look at cybersecurity from a business perspective. Would a manager be able to execute a trade despite a denial-of-service attack on their trading system? Are they confident they can withstand someone stealing IDs and passwords?”
Currently, the SEC and CFTC have only recommended that money managers and other registered investment advisers create a strategy to prevent, detect and respond to cybersecurity incidents, including more internal security measures, data encryption and backup, and restrictions on the removal of storage media.
However, New York State Department of Financial Services rules effective in January will require money managers and other financial institutions that operate in New York to hire a chief information security officer and implement measures to protect consumer data, and detect and deter cyber intrusions. They also set requirements for notification in case of a cyber breach.
Requirements such as those being enforced in New York “could change the dynamic in how banks operate,” said Charles Jacco, partner, head of the financial services section, KPMG LLP, New York. “They'll need someone on a bank's board who knows and oversees cyber risk, and maybe there'll also be a universal cyber risk policy that feeds into a mass cyber risk organization. Right now, there's no universal framework on cyber risk management.”
There is a voluntary national cybersecurity framework established by the National Institute of Standards and Technology, the U.S. Department of Commerce unit that establishes broad measurement and standards for U.S. businesses. But Mr. Jacco said, “It's not a regulatory body; it only provides a framework for cybersecurity.”
Federal rules most likely will be cybersecurity guidance, similar to the New York rules, Deloitte's Mr. Nicholson said. “That means firms will be required to have a cybersecurity strategy, with expertise at the executive level with senior leaders responsible for cybersecurity,” he said.
“They will assess cyber risk through their business units, with independent oversight given to a chief risk officer. They'll most likely be required to do both internal dependence management based on a firm's critical assets and external dependence management to assess the risks of their third parties and vendors. They'll also look at incident response and at cyber resilience, how a firm maintains critical business functions in the case of a cyber incident.”
Mr. Jacco believes banking regulations on cybersecurity will eventually apply to money managers. “It will be harder for them,” he said. “Some of them don't have big external websites; maybe they just have trading sites. Now on top of that they need a risk management function.”
The regulations also will create a compliance change and organizational shift at money managers, Mr. Jacco said.
The federal regulations, once established, “could create a new market standard for cybersecurity in general. The market may force everyone — managers, regulators — into that direction. But this phenomenon could take a long time to play itself out,” said Morgan Lewis' Mr. Horn.
Mr. Horn also said the expectation of reduced regulatory oversight of the financial services industry under the incoming administration of President-elect Donald J. Trump won't extend to cybersecurity.
“Cybersecurity is one of those areas that has bipartisan interest and support,” he said.
“I don't think this area will be carved back, unless there is a perception of serious regulatory overreach. It's too important of a systemic issue for the regulatory agencies and both political parties not to be interested in this.”
This article originally appeared in the November 28, 2016 print issue as, "Managers might see cybersecurity regulations soon".