The Investment Lawyer, Vol.21, No. 8, August 2014
Reprinted with Permission
Regulatory focus on cybersecurity is intensifying. Unlike other compliance matters, the deterrent effect of enforcement actions following data security breaches may be insufficient to achieve regulators’ purpose of ensuring that technology platforms are secure before an event occurs. Thus, in the area of cybersecurity, regulators appear to be shunning granular, prescriptive rules and instead insisting upon more holistic management of cybersecurity risk.
While regulations and guidance imposing cybersecurity requirements can be difficult to decipher, there are a number of sources that one can look to in order to discern regulatory expectations. By way of current law, brokers, dealers, investment companies and investment advisers (SEC-regulated Entities) can look to Securities and Exchange Commission (the SEC) Regulation S-P, promulgated pursuant to Title V of the Gramm-Leach-Bliley Act, enforcement actions taken under that rule, and state laws governing information security generally. More current guidance was discussed at a roundtable on cybersecurity hosted by the SEC. In addition, the SEC Office of Compliance Inspections and Examinations (OCIE) released an alert containing a sample request for information, which provides more detail on regulatory expectations. Beyond the OCIE guidance, the National Institute of Standards and Technology (NIST) issued its cybersecurity framework, which appears to have been accepted by the SEC.