The close of 2019 witnessed a significant development in data security law that impacts companies engaged in the trading of public securities, as well as those companies that provide services to such organizations. Nationwide, the regulation significantly impacts approximately 3,000 organizations, including banks, securities brokerage firms and insurance carriers.

In October, the National Securities Clearing Corporation (NSCC) filed with the SEC a Proposed Rule Change to Require Confirmation of Cybersecurity Program. The regulation requires NSCC members, as well as organizations applying for membership, to submit a Cybersecurity Confirmation as part of the initial membership application and on an ongoing basis at least every two years. In addition, any organization that reports trade data to the NSCC could be held to the same standard. The Cybersecurity Confirmation is a form provided by NSCC that, according to the new rule, must be “signed by the submitting entity’s designated senior executive” making “specific representations regarding the submitting entity’s cybersecurity program and framework.”

The regulation went into effect on December 9, 2019 meaning that NSCC members are now federally regulated in terms of the substance and reasonableness of their written cybersecurity programs, with a member of senior management responsible for certifying compliance. This is no simple “check-the-box” undertaking.

[View source.]