Wilson Sonsini Goodrich & Rosati is pleased to introduce the first in a series of monthly updates from the FinTech practice. The purpose of the updates is to provide timely information on issues of interest to WSGR’s FinTech clients and friends of the firm. We hope you find them to be a useful resource.
As shown below, our inaugural issue includes an article regarding new cybersecurity rules for entities regulated by the New York State Department of Financial Services, as well as an article summarizing recent guidance issued by SEC Staff to robo-advisers.
A Reminder for Entities Regulated by the New York State Department of Financial Services (DFS):
On March 1, 2017, the new cybersecurity rules go into effect. The Cybersecurity Requirements for Financial Services Companies are designed to help protect business and customer information and the IT systems of the entities that DFS regulates. While the Cybersecurity Requirements take effect on March 1, 2017, regulated entities have 180 days to comply. The final requirements are available here.
Who Is Regulated?
The Cybersecurity Requirements apply to companies “operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the banking law, the insurance law or the financial services law” (“covered entities”). Covered entities include banks, savings and loans, trust companies, check cashers, credit unions, money transmitters, lenders, insurers, holding companies, investment companies, mortgage brokers, originators, and servicers, and certain other regulated types of companies doing business in New York. Smaller covered entities are exempt from certain components of the Cybersecurity Requirements, but they are required to file an exemption form with DFS.
What Information Is Regulated?
The Cybersecurity Requirements apply to electronic “nonpublic information,” which includes certain business information and personally identifiable information. Specifically, nonpublic information encompasses business-related information that, if compromised, would have a material adverse impact on the covered entity’s business, operations, or security. Nonpublic information also includes information about an individual’s identity, financial accounts, and health condition and payments, similar to many state breach notification laws.
What Are Covered Entities Required to Do?
Implement a Cybersecurity Program Based on a Risk Assessment. Under the Cybersecurity Requirements, covered entities are required to develop a cybersecurity program based on an annually updated risk management plan designed to protect data and systems, detect cyberattacks, and respond to and recover from cyberattacks to mitigate negative effects. Compliance includes implementing and maintaining a written cybersecurity policy based on risk assessments that cover at least 14 specific areas.
The Cybersecurity Requirements impose specific obligations related to improving a company’s cybersecurity posture, such as the following:
Designate a person to perform the functions of a Chief Information Security Officer (CISO).
Maintain secure development standards for in-house developed applications, and procedures for evaluating or testing the security of externally developed applications.
Absent effective continuous monitoring, perform annual system/network penetration testing and semi-annual (twice-yearly) vulnerability assessments.
Implement audit trails that can reconstruct material financial transactions and detect cybersecurity events likely to materially harm normal operations, and retain those records (five years for transaction records, three years for event-detection logs).
Limit staff system and data access privileges, and assess whether multi-factor authentication (MFA) should be used. MFA must be used for any individual accessing internal networks from an external network, unless the CISO has approved in writing the use of reasonably equivalent or more secure access controls.
Encrypt all nonpublic information both in transit over external networks and at rest. If encryption is not feasible, covered entities must implement effective alternative compensating controls that are approved by the CISO and reviewed by the CISO at least annually.
Dispose of nonpublic information when it is no longer necessary for a legitimate business purpose and retention is not required by applicable law.
Provide regular cybersecurity awareness training to all personnel, and ensure that cybersecurity personnel maintain current knowledge of changing threats and countermeasures.
Document material improvements to the company’s systems, policies, and cybersecurity program, and make such documentation available to DFS upon request.
Assess Vendor Information Security. The Cybersecurity Requirements also require covered entities to implement written policies and procedures governing how they ensure that vendors are properly securing systems and data, including, to the extent applicable:
Perform a risk assessment of the vendor.
Identify the minimum cybersecurity practices required to be met by vendors.
Evaluate the adequacy of vendors’ cybersecurity practices.
Assess vendors’ cybersecurity practices periodically.
Perform due diligence of vendors and contractual protections of covered entities’ information.
Provide Data and System Breach Notice to DFS. Covered entities should have a written incident response plan to meet their obligations under the Cybersecurity Requirements. The Cybersecurity Requirements call for notice to DFS within 72 hours of determining that a cybersecurity event has occurred, where (1) there was an “act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an Information System or information stored on such Information System” and (2) either notice of the event is required to any other government body, self-regulatory agency, or supervisory body, or the event has a reasonable likelihood of materially harming any material part of normal operations.
Senior Management Has an Active Role
Senior management is required to annually review the company’s cybersecurity policy. The CISO is also required to report, at least annually, to a covered entity’s board of directors or equivalent senior management information about the company’s cybersecurity posture. DFS may request copies of these reports at any time. Finally, the company must certify to DFS that it complies with the Cybersecurity Requirements.
SEC Staff Issues Guidance to Robo-Advisers
Automated advisers (or “robo-advisers”) that provide advisory services directly to clients over the Internet or a mobile application should review their disclosure, suitability, and compliance practices in light of recent guidance published by the SEC’s Division of Investment Management (IM).[1] For purposes of this guidance, IM generally characterizes robo-advisers as advisers registered under the Investment Advisers Act of 1940 that have limited human interaction with the client, rely primarily on a questionnaire to understand a client’s finances and investment goals, and employ an algorithm to generate a suggested investment portfolio for the client based on his or her responses to the questionnaire.
The guidance—which highlights three areas of Staff concern for robo-advisers: disclosures, suitability, and compliance—is summarized below.
A robo-adviser, like any adviser, must ensure that its disclosures provide accurate and comprehensive information about its advisory services to enable the client to make an informed decision before employing the adviser. For example, information about the use of any algorithm is critical, and the IM guidance provides a list of disclosures that a robo-adviser should consider providing regarding algorithms. In addition, a robo-adviser should provide disclosures about the inputs it uses to inform its recommendations. For example, a robo-adviser may only rely on questionnaire responses, or it may have access to other client account information that it uses. Further, a robo-adviser should disclose how and when a client should update information provided to the adviser. Moreover, a robo-adviser, like any adviser, must not mislead the client about the advisory services it provides.
In addition to providing adequate disclosures, a robo-adviser should examine when a client is able to view certain disclosures (e.g., before or after the client creates an account, completes a questionnaire, and/or engages the adviser). For example, it may be that certain disclosures are more appropriate for a client to read before completing the questionnaire. A robo-adviser may also wish to emphasize certain Internet disclosures by using pop-up boxes or tooltips,[2] or enhance the clarity of certain advisory practices through the use of an FAQ. If the robo-adviser uses a mobile application as part of its business model, it should carefully consider how its disclosures appear through that mobile device format.
Robo-advisers typically rely on questionnaires to help ensure that the advice provided is suitable in light of a client’s finances and investment goals. Because a client generally has limited interaction with an advisory professional when completing the questionnaire, the client may answer questions incorrectly or provide inconsistent responses. An advisory professional, if available, could ask the client clarifying questions or have additional client discussions that would elicit information that could provide greater context. A questionnaire, by itself, cannot do so as easily.
In light of these limitations, a robo-adviser should be thoughtful when designing its questionnaire. A questionnaire should provide the robo-adviser with enough information about a client’s finances and investment goals to enable the adviser to provide suitable advice to the client on an ongoing basis. It should be sufficiently clear so as to avoid confusing and inconsistent responses. For example, the questionnaire could employ pop-up boxes or tooltips to provide additional information to the client to help ensure that he or she is providing responsive information. It could also warn a client (or not permit the client to submit the questionnaire) if he or she has responded inconsistently to different questions.
In addition, if a client is able to override the portfolio recommended by an algorithm and pursue a different investment course that is inconsistent with his or her questionnaire responses, a robo-adviser should implement a mechanism that can alert the client of this inconsistency.
As noted, the use of algorithms, limited human interaction with clients, and Internet- or mobile application-based investment advice are distinctive features of robo-advisers. Robo-advisers should therefore develop practices and written policies and procedures that address the regulatory and compliance concerns that these features raise.
For example, to what extent is the algorithmic code tested and monitored to help ensure that it performs as represented? Who can alter the code, and what protections exist to safeguard access to the code? If the code is modified, to what extent and how are those changes disclosed to clients? How does the robo-adviser oversee a third party, if any, that develops or maintains the code?
Further, in light of limited human interaction with clients, how does the robo-adviser help ensure that its ongoing investment advice is suitable and appropriate for a client based on the client’s current finances and investment goals? How does the robo-adviser collect that information and keep it current? Finally, because the Internet or a mobile application is central to a robo-adviser’s advisory business, how robust is its cybersecurity program in detecting and preventing threats that could impact its operations?
[1] IM Guidance Update No. 2017-02 (Feb. 2017). The SEC’s Office of Investor Education and Advocacy also issued an Investor Bulletin to help investors make informed decisions when contemplating the use of a robo-adviser.
[2] A tooltip permits other information to appear in a text box when a mouse cursor hovers over a particular portion of a web page.