November 28, 2016 12:00 AM

Managers might see cybersecurity regulations soon

Upcoming bank rules could serve as a model for money management firms

Rick Baert
    Charles Horn believes banks could easily apply rules to manager subsidiaries.

    Cybersecurity rules for the U.S. banking industry could eventually be extended to money managers, sources said.

    In October, the Federal Reserve, Office of the Comptroller of the Currency and the Federal Deposit Insurance Corp. issued a call for input on what cybersecurity rules should be applied to banks and bank holding companies. What comes out of those efforts could serve as a prototype for cybersecurity regulations at the Securities and Exchange Commission and the Commodity Futures Trading Commission, the sources said.

    “It wouldn't surprise me” if money managers ultimately must meet the banking requirements, said Mark Nicholson, principal, cyber risk services, Deloitte LLP, New York. “It would bear out the fact that there's been a lot of focus and activity within ... the SEC and the Fed and banking agencies in terms of cybersecurity.”

    The Fed, OCC and FDIC issued a joint advance notice of proposed rule-making related to cybersecurity, requesting that entities they oversee submit recommendations that the agencies could later craft into proposed regulations that could potentially become mandatory for banks and bank holding companies.

    Money managers are not under the aegis of banking regulators, but the crafting of such regulations for banks could put pressure on the SEC and CFTC to do the same — or on individual money managers to up their game as a matter of competitive advantage.

    “It's not clear if the Fed, FDIC or OCC has the authority to regulate directly bank-affiliated money managers that are under formal SEC or CFTC oversight,” said Charles Horn, partner, investment management and securities industry practice, at law firm Morgan, Lewis & Bockius LLP, Washington. “A couple of banking law provisions make a pretty strong case that they don't.”

    But Mr. Horn added that banks and bank holding companies could choose to apply any bank cybersecurity rules to their money manager subsidiaries. “The agencies have an enterprise-level cybersecurity standard in mind, which would mean that cyber risk management requirements would have to be established across all of a bank's business, and that could include money manager subsidiaries,” Mr. Horn said. “In turn, how one can keep those rules from bleeding over into SEC- or CFTC-regulated firms is uncertain. A lot of large banking organizations already have enterprise-level risk management standards, and it's easier for many banks to apply one set of standards to all subsidiaries than to have different standards for different types of subsidiaries. Also, it's possible that the SEC or CFTC could conform, or at least harmonize, any current or future cybersecurity requirements with federal bank cybersecurity standards.”

    Across industry types

    While federal banking regulations most likely will deal with cybersecurity issues directly related to that industry, Deloitte's Mr. Nicholson said some hacking methods go across industry types.

    “Broadly, banks have been victimized by cyber risk more so than the investment management industry,” Mr. Nicholson said.

    “That said, things such as 'ransomware' do not differentiate between industries. There's no discrimination among cybercriminals. If there's less size or scale (at a money manager or bank), they're an easier target. Additionally, it's important for managers to look at cybersecurity from a business perspective. Would a manager be able to execute a trade despite a denial-of-service attack on their trading system? Are they confident they can withstand someone stealing IDs and passwords?”

    Currently, the SEC and CFTC have only recommended that money managers and other registered investment advisers create a strategy to prevent, detect and respond to cybersecurity threats, including more internal security measures, data encryption and backup, and restrictions on the removal of storage media.

    However, New York State Department of Financial Services rules effective in January will require money managers and other financial institutions that operate in New York to hire a chief information security officer and implement measures to protect consumer data, and detect and deter cyber intrusions. They also set requirements for notification in case of a cyber breach.

    Requirements such as those being enforced in New York “could change the dynamic in how banks operate,” said Charles Jacco, partner, head of the financial services section, KPMG LLP, New York. “They'll need someone on a bank's board who knows and oversees cyber risk, and maybe there'll also be a universal cyber risk policy that feeds into a mass cyber risk organization. Right now, there's no universal framework on cyber risk management.”

    There is a voluntary national cybersecurity framework established by the National Institute of Standards and Technology, the U.S. Department of Commerce unit that establishes broad measurement and standards for U.S. businesses. But Mr. Jacco said, “It's not a regulatory body; it only provides a framework for cybersecurity.”

    Federal guidance

    Federal rules most likely will be cybersecurity guidance, similar to the New York rules, Deloitte's Mr. Nicholson said. “That means firms will be required to have a cybersecurity strategy, with expertise at the executive level with senior leaders responsible for cybersecurity,” he said.

    “They will assess cyber risk through their business units, with independent oversight given to a chief risk officer. They'll most likely be required to do both internal dependence management based on a firm's critical assets and external dependence management to assess the risks of their third parties and vendors. They'll also look at incident response and at cyber resilience, how a firm maintains critical business functions in the case of a cyber incident.”

    Mr. Jacco believes banking regulations on cybersecurity will eventually apply to money managers. “It will be harder for them,” he said. “Some of them don't have big external websites; maybe they just have trading sites. Now on top of that they need a risk management function.”

    The regulations also will create a compliance change and organizational shift at money managers, Mr. Jacco said.

    The federal regulations, once established, “could create a new market standard for cybersecurity in general. The market may force everyone — managers, regulators — into that direction. But this phenomenon could take a long time to play itself out,” said Morgan Lewis' Mr. Horn.

    Mr. Horn also said the expectation of reduced regulatory oversight of the financial services industry under the incoming administration of President-elect Donald J. Trump won't extend to cybersecurity.

    “Cybersecurity is one of those areas that has bipartisan interest and support,” he said.

    “I don't think this area will be carved back, unless there is a perception of serious regulatory overreach. It's too important of a systemic issue for the regulatory agencies and both political parties not to be interested in this.”

    Pensions & Investments
    Copyright © 1996-2023. Crain Communications, Inc. All Rights Reserved.