US financial services regulators are continuing to enhance cyber reporting requirements in response to increasing geopolitical tensions, emerging technologies, the proliferation of cyber-attacks, and larger market events. Over the last year, at least seven separate federal financial services regulators, along with state financial services regulators, have ramped up their regulatory activity to enhance cybersecurity reporting requirements, motivated largely by the aim of preventing systemic cyber-attacks against the nation’s financial lifeblood.
The intensified focus on reporting requirements is not a surprise considering the increased federal focus on cybersecurity. In May 2021, the White House declared its efforts to strengthen America’s cybersecurity, indicating that existing regulations, such as the Red Flag Rules applicable to certain financial institutions, are not currently providing sufficient protection against cybersecurity threats at a federal level.
On March 15, 2023, the Securities and Exchange Commission (SEC) proposed amendments to Regulation S-P to enhance the protection of customer information by, among other things, introducing a requirement for broker-dealers, investment companies, registered investment advisers, and transfer agents (collectively, covered institutions) to provide notice to individuals affected by certain types of data breaches that may put them at risk of identity theft or other harm. Although Regulation S-P requires covered institutions to notify customers about how they use their financial information, there is currently no SEC requirement to notify customers about breaches. Under the proposal, covered institutions would have to adopt written policies and procedures for an incident response program to address unauthorized access to or use of customer information, and to provide notice to individuals whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization. That notice would be due within 30 days after the covered institution becomes aware that an incident involving unauthorized access to or use of customer information has occurred, or is reasonably likely to have occurred, at the covered institution or a service provider. The proposed amendments would create an additional obligation on covered institutions among the myriad existing reporting requirements for US entities, and if adopted, entities can expect the SEC to closely follow implementation, as cybersecurity remains an Examinations Priority for the SEC.
Along with the proposed amendments to Regulation S-P, the SEC also proposed a new rule for broker-dealers and others, including transfer agents, which would require notification to the SEC of the occurrence of a significant cybersecurity incident and reporting of detailed information related to the incident to the SEC and the public. Currently, the SEC does not require broker-dealers to immediately notify the SEC of a significant cybersecurity incident, nor are they required to publicly file a description of any incident. The proposed rule would require covered entities to immediately notify the SEC by electronic means and to promptly, but in no case later than 48 hours, provide the SEC with written electronic notice of a significant cybersecurity incident at the covered entity or a service provider using proposed Form SCIR, including a description of the event and the entity’s efforts to respond to and recover from the incident. In addition, covered entities would be required to publicly disclose summary descriptions of their cybersecurity risks and the significant cybersecurity incidents experienced during the current or previous calendar year. This proposal further demonstrates the SEC’s heightened interest in cybersecurity.
A year earlier, in March 2022, the SEC also proposed rules (the March 2022 Proposal) that would require public companies subject to the reporting requirements of the Securities Exchange Act of 1934 to report, within four business days, any material cybersecurity incidents (including when a series of individually immaterial incidents has become material in the aggregate) and to update the SEC on previously reported incidents. Currently, covered organizations need only disclose material cybersecurity risks under the SEC’s 2018 Interpretative Release. Under the March 2022 Proposal, covered organizations would also need to disclose their cybersecurity risk management policies, management’s role and expertise in managing cybersecurity risks, and the board’s oversight of the entity’s cybersecurity. This proposal followed closely after the SEC’s February 2022 proposal (the February 2022 Proposal), which would require registered investment advisers (Advisers) to report significant cybersecurity incidents affecting the Adviser or its fund or private fund clients to the SEC within 48 hours after having a reasonable basis to conclude that a significant Adviser cybersecurity incident or a significant fund cybersecurity incident had occurred or is occurring. Under the February 2022 Proposal, Advisers and registered investment companies (Funds) would also have to comply with enhanced disclosure requirements relating to significant cybersecurity risks and cybersecurity incidents that affect Advisers, Funds and their service providers. The SEC recently re-opened the comment period for the February 2022 Proposal, with the intent that the comments be analyzed in conjunction with comments on the SEC’s proposed amendments to Regulation S-P.
The New York Department of Financial Services (NY DFS) is currently reviewing comments on its latest proposal (published November 9, 2022) to enhance cybersecurity requirements for financial services companies (NY DFS Proposal). Currently, the NY DFS Cybersecurity Rule requires covered entities to notify the superintendent of cybersecurity events: (i) impacting the covered entity of which notice is required to be provided to any government body, self-regulatory agency or any other supervisory body; or (ii) that have a reasonable likelihood of materially harming any material part of the normal operation(s) of the covered entity, as promptly as possible but in no event later than 72 hours from a determination that a reportable cybersecurity event has occurred. The NY DFS Proposal, among other things, introduces an obligation to file notifications through a prescribed electronic form and imposes a continuing obligation to update NY DFS as the event develops. The NY DFS Proposal also significantly expands the scope of events that trigger mandatory reporting within 72 hours to include cybersecurity events: (i) where an unauthorized user has gained access to a privileged account; or (ii) that resulted in the deployment of ransomware within a material part of the covered entity’s information system. Further, the NY DFS Proposal requires 24-hour notice of any ransom payment, mandating the entity to explain, within 30 days, why payment was necessary, the steps the entity took to find an alternative to paying the ransom, and how it ensured that it complied with any anti-money laundering rules when making the payment. If adopted, NY DFS-regulated entities will have to update existing incident response plans and operational processes to comply with the additional obligations.
Also in November 2022, the Commodity Futures Trading Commission (CFTC) proposed updates to its cybersecurity reporting requirements. Currently, the CFTC requires derivatives clearing organizations (DCOs) to report any software or hardware malfunction, security incident, or targeted threat that materially impairs, or creates a significant likelihood of material impairment of, automated system operation, reliability, security or capacity. In addition, DCOs must report any activation of the DCO’s business continuity-disaster recovery plan. The proposal significantly widens a DCO’s reporting obligations to cover any security incident or threat that compromises or could compromise the confidentiality, availability, or integrity of any automated system, or any information, services, or data, including third-party information, services, or data, relied upon by the DCO in discharging its responsibilities. The new rule would expand the scope of notification to all threats, not just targeted threats, and include malfunctions due to “operator error.” The CFTC is currently reviewing comments on the proposed rule.
United States agencies in charge of regulating banks also now require breach notifications. Beginning May 1, 2022, the OCC, FDIC, and Federal Reserve all require banking organizations to notify their primary federal regulator of any “computer-security incident” that rises to the level of a “notification incident,” as soon as possible and no later than 36 hours after the organization determines that a notification incident has occurred. A “notification incident” is a computer-security incident that has materially disrupted or degraded, or is likely to materially disrupt or degrade, a banking organization’s ability to carry out banking operations, its business lines, or its operations if the failure or discontinuance of those operations would pose a threat to the financial stability of the United States. The same rule also requires that bank service providers provide similar notifications to the banks they service. There is a similar rule for credit unions that will take effect on September 1, 2023. Beginning on that date, federally chartered and federally insured credit unions will be required to notify the National Credit Union Administration of any “reportable cyber incident” as soon as possible and no later than 72 hours after the credit union reasonably believes the incident has occurred. A reportable cyber incident means a “substantial cyber incident.”
The United States legislative branch has also entered the mandatory cybersecurity notification realm through its passage of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). The Act requires that companies operating in critical infrastructure sectors, including some financial services, report covered incidents within 72 hours of the company’s reasonable belief that a cyber incident has occurred, and report ransom payments within 24 hours after payment. The Act directs the Cybersecurity and Infrastructure Security Agency (CISA) to issue a proposed rule implementing the reporting requirements by March 2024. Until a final rule is implemented, organizations do not have any obligation to report to CISA, but CISA “encourages all organizations to share information about unusual cyber activity and/or cyber incidents.”
Given the multitude of laws and regulations with varying reporting and cybersecurity requirements, financial services organizations are likely to face enhanced security requirements and expectations, as well as multiple, potentially overlapping cyber incident reporting obligations for a single event. Organizations should analyze their reporting requirements as part of their incident response programs to ensure they have processes in place to assess and comply with reporting requirements within aggressive timelines.