Although the last few updates have concerned the New York Department of Financial Services (“DFS”) and its proposed amendments to its Cybersecurity Regulation, 23 NYCRR Part 500, it is important to remember that the Securities and Exchange Commission’s (SEC) proposed rule is also nearing implementation. As a refresher, early last year the SEC voted to propose cybersecurity rules and amendments related to disclosures, risk management and security incidents for registered investment advisers and registered investment companies.
As discussed, the SEC seems to be taking a page from the DFS Cybersecurity Regulation and its proposed amendments. For instance, the DFS proposed amendments would, among other things, increase cybersecurity accountability at the executive and board levels. This includes requiring more due diligence – including written analysis and reasoning for responses to cybersecurity incidents – as well as requiring the board to “have sufficient expertise and knowledge or be advised by persons with sufficient expertise and knowledge, to exercise effective oversight of cybersecurity risk management.”
Likewise, the SEC rule is particularly focused on having the Board of Directors actively participate in the assessment, implementation, and evaluation of the firm’s cybersecurity program. In fact, future SEC filings would require updates on cybersecurity events and an explanation of the Board’s role in overseeing and implementing the firm’s cybersecurity program.
Another example of the similarity with the DFS Cybersecurity Regulation is the SEC’s focus on third-party service providers. For instance, the SEC is not only interested in how a company manages third-party cybersecurity risks but also wants to know how a company selects such a third-party service provider in the first place and how risks are mitigated at the start of the relationship. The same approach appears in the NYDFS Cybersecurity Regulation, Section 500.11, which focuses on third-party service providers and a company’s due diligence process.
The good news is that the respective agencies all seem to be increasing cybersecurity scrutiny at the same time. Thus, a firm would be wise to fully prepare for the most stringent provisions across the proposed rules and prioritize a thorough review of its cybersecurity programs to determine how it will meet the increased obligations.
Written by John J. Cooney, Esq
With over a combined 25 years of business, legal, and technical experience, The Law Office of John J. Cooney, P.C. offers comprehensive legal strategies and solutions for businesses working seamlessly with management and any existing counsel in an efficient manner. John’s firm concentrates on General Counsel services, Pre-Litigation Investigation, Defense, and Compliance services, as well as the Cybersecurity arena.