Cybersecurity rules for the U.S. banking industry could eventually be extended to money managers, sources said.
In October, the Federal Reserve, Office of the Comptroller of the Currency and the Federal Deposit Insurance Corp. issued a call for input on what cybersecurity rules should be applied to banks and bank holding companies. What comes out of those efforts could serve as a prototype for cybersecurity regulations at the Securities and Exchange Commission and the Commodity Futures Trading Commission, the sources said.
“It wouldn't surprise me” if money managers ultimately must meet the banking requirements, said Mark Nicholson, principal, cyber risk services, Deloitte LLP, New York. “It would bear out the fact that there's been a lot of focus and activity within ... the SEC and the Fed and banking agencies in terms of cybersecurity.”
The Fed, OCC and FDIC issued a joint advance notice of proposed rule-making related to cybersecurity, requesting that entities they oversee submit recommendations that the agencies could later craft into proposed regulations that could potentially become mandatory for banks and bank holding companies.
Money managers are not under the aegis of banking regulators, but the crafting of such regulations for banks could put pressure on the SEC and CFTC to do the same — or on individual money managers to up their game as a matter of competitive advantage.
“It's not clear if the Fed, FDIC or OCC has the authority to regulate directly bank-affiliated money managers that are under formal SEC or CFTC oversight,” said Charles Horn, partner, investment management and securities industry practice, at law firm Morgan, Lewis & Bockius LLP, Washington. “A couple of banking law provisions make a pretty strong case that they don't.”
But Mr. Horn added that banks and bank holding companies could choose to apply any bank cybersecurity rules to their money manager subsidiaries. “The agencies have an enterprise-level cybersecurity standard in mind, which would mean that cyber risk management requirements would have to be established across all of a bank's business, and that could include money manager subsidiaries,” Mr. Horn said. “In turn, how one can keep those rules from bleeding over into SEC- or CFTC-regulated firms is uncertain. A lot of large banking organizations already have enterprise-level risk management standards, and it's easier for many banks to apply one set of standards to all subsidiaries than to have different standards for different types of subsidiaries. Also, it's possible that the SEC or CFTC could conform, or at least harmonize, any current or future cybersecurity requirements with federal bank cybersecurity standards.”