Tannenbaum Helpern Syracuse & Hirschtritt, LLP

Overview of Data Privacy and Cybersecurity Regulatory Landscape for Investment Advisers and Other Financial Services Companies

Numerous regulatory authorities and self-regulatory organizations are now focusing intently on cybersecurity and privacy practices of investment advisers and other financial services companies. These regulators include:

  • the Securities and Exchange Commission (“SEC”);
  • the Financial Industry Regulatory Authority (“FINRA”);
  • the Commodity Futures Trading Commission (“CFTC”);
  • the Federal Trade Commission (“FTC”);
  • the Consumer Financial Protection Bureau (“CFPB”);
  • the National Futures Association (“NFA”);
  • state regulatory agencies, such as the New York State Department of Financial Services; and
  • state attorneys general.

SEC: The SEC has identified cybersecurity as a very important issue facing investment advisers and broker-dealers. For example, cybersecurity has been included in the list of examination priorities issued by the SEC’s Office of Compliance Inspections and Examinations (the “OCIE”) during the last few years. In connection with its two cybersecurity initiatives in 2014 and 2015, the OCIE conducted examinations of SEC-registered investment advisers and broker-dealers to identify cybersecurity risks and to assess cybersecurity preparedness in the securities industry. These examinations primarily focused on the following general areas:

  1. governance and risk assessment;
  2. access rights and controls;
  3. data loss prevention;
  4. vendor management;
  5. training; and
  6. incident response.

In conducting these examinations, the OCIE obtained documents and other information from registered investment advisers and broker-dealers concerning each of those areas. Some of the questions the OCIE asked of its examinees tracked the Framework for Improving Critical Infrastructure Cybersecurity released by the National Institute of Standards and Technology.

In 2016 and 2017, the OCIE advanced its cybersecurity examination efforts, moving beyond document requests to testing and assessment of how firms had actually implemented their data security procedures and controls. The OCIE has also recently placed cybersecurity at the top of its list of market-wide risks on which it will focus.

FINRA: FINRA is a self-regulatory organization that oversees brokerage firms, branch offices and registered securities representatives. In the cybersecurity space, FINRA reviews broker-dealers’ ability to protect the confidentiality, integrity and availability of sensitive customer information. This includes reviewing each firm’s compliance with SEC regulations, such as Regulations S-P and S-ID, which are discussed later.

Not long ago, FINRA conducted an examination “sweep” of a cross-section of firms. That sweep focused on the types of cyber threats firms face, the areas of vulnerability in their systems and the firms’ approaches to managing those threats. FINRA has announced that during 2017 it plans to continue assessing its regulated firms’ programs for mitigating cyber risks.

FTC: The FTC is a primary federal regulator in charge of policing corporate cybersecurity practices. Since 2002, the FTC has commenced dozens of cases and administrative proceedings against companies for allegedly unfair or deceptive practices that endanger the sensitive personal data of consumers.

CFPB: The CFPB is a new entrant into the world of cybersecurity enforcement. Although it has brought few cybersecurity-related enforcement actions so far, it may have broad authority to do so under its power to prohibit unfair, deceptive or abusive acts or practices (which are also known as the CFPB’s “UDAAP” authority).

This article provides a high-level overview of the cybersecurity laws and regulations that apply to investment advisers and other financial services companies. It also describes recent enforcement actions that regulators have pursued in the cybersecurity field.
