As FinOps Report goes to press, the Colorado Division of Securities is set to finalize rules which, as of July 15, will make the state the first in the US to require fund managers and broker-dealers to follow a required list of procedures to mitigate the potential for a data breach. Even if the appointment of a CISO is not mandated, fund managers and broker-dealers would have to follow some of the same requirements recently imposed by New York State for banks. Therefore, they would need to pick someone to handle the same responsibilities.
Seven of the ten operations managers at fund management shops and broker-dealers contacted by FinOps Report say that they are taking Colorado’s rules seriously. “We are evaluating how the rules match our current procedures before making a decision on whether we need to hire a CISO,” says one operations manager at a fund management shop in Denver. Yet another operations manager at a broker-dealer in Denver says his firm’s decision on who to appoint in the role of CISO will depend on how rigorously Colorado’s securities commissioner decides to enforce the rules. “We might be able to rely on our chief technology officer to handle a cybersecurity program or outsource the role to a consultancy,” he says.
Colorado’s securities commissioner Jerry Rome has publicly stated that his division will be checking for effective cybersecurity programs during the normal examination process for fund managers and brokers. That leaves fund managers and broker-dealers worried about how their compliance will be judged. Those who aren’t up to snuff could face anything from a deficiency letter all the way to a fine.
Although many states have enacted statutes that require firms to implement “reasonable” security measures, they do not elaborate on what reasonable means. That makes Colorado and New York the trailblazers and raises the broader question of whether other states will follow suit. If they do, compliance could become a more onerous challenge if the rules are not consistent, say legal experts.
In March, New York became the first state to impose prescriptive cybersecurity rules for banks doing business in the state. The New York Department of Financial Services has stipulated that those firms must have a dedicated CISO to oversee and enforce a cybersecurity program. Not so with Colorado. However, Colorado’s rules also mandate, to the extent reasonably possible: the use of secure email for messages containing personal information, including encryption and digital signatures; authentication practices for employee access to electronic communications, databases and media; procedures for authenticating client instructions received via electronic communication; and disclosure to clients of the risks of using electronic communications. Colorado’s rules also require firms to assess the potential risks and vulnerabilities to the confidentiality, integrity and availability of personal information.
“Many asset managers and broker-dealers shouldn’t be overly burdened by Colorado’s rules, as they represent reasonable business practices that many firms already apply,” says Charles Horn, a partner with the law firm of Morgan Lewis in Washington DC. However, what might sound perfectly reasonable could be overwhelming to some. “Colorado’s rules are more prescriptive than federal regulations and will likely be far more burdensome for small and medium-sized fund managers and broker-dealers than for larger firms with more IT and cybersecurity capacity,” says Gary Swiman, president of Compass Regulatory and Compliance Advisors, a compliance consultancy affiliate of the New York accounting firm of Grassi & Co.
What to Do
Swiman’s recommendation: hope for the best and prepare for the worst. “Colorado may well end up enforcing cybersecurity rules even more rigorously than the US Securities and Exchange Commission or Financial Industry Regulatory Authority,” he says. The SEC and FINRA, the watchdog for the broker-dealer community, have indicated cybersecurity management as a top priority for annual exams. The SEC currently does not have any specific rules regulating cybersecurity for fund managers and broker-dealers. In 2015, the agency published cybersecurity guidance for financial advisers similar to Colorado’s rules, but that guidance has not been formally adopted. The SEC has relied on the protection of client information as a principle to take enforcement action.
Colorado’s rules do appear to allow fund managers and broker-dealers to tailor their compliance programs to reflect their cybersecurity risk profiles. Those profiles include a firm’s size, relationships with third parties, procedures and training of employees, authentication practices, and process for reporting lost and stolen devices. Still, Swiman says that fund managers and broker-dealers shouldn’t feel too comfortable about any leeway and should consider shutting down some offices if compliance with the cybersecurity rules becomes too costly.
Given that most fund managers and broker-dealers might well operate out of multiple offices, John Cunningham, CISO for Docupace, a document preservation and protection firm in Los Angeles, recommends creating a centralized cybersecurity program that will apply to all employees. “Fund managers and broker-dealers can’t count on each of their offices already relying on the same technology, policies and procedures,” he warns. “Firms must come to the realization that every computer must be centrally managed, have a consistent set of security tools and be continually monitored for ongoing compliance.” The rules of the house must apply to everyone regardless of location or organizational title.
Any firm-wide policy needs to include restrictions on access to data, acceptable use of work computers and the internet, cybersecurity breach response procedures, and annual audits. Among the most costly provisions will be required uses of encryption and authentication, predicts Cunningham. For many firms, it’s not current practice. Yet another expensive element for smaller firms: conducting an annual cybersecurity risk assessment.
Is appointing a CISO absolutely necessary? Maybe not. After all, it won’t be easy to find the right person, one who understands not only far more than the basics of technology but also the regulations governing data security. “You can’t simply put an IT manager in charge of a cybersecurity program,” says Cunningham. “The cybersecurity responsible officer will need to cross the divide and communicate well with every business line, C-level management and the board of directors.”
Larger firms, with deeper pockets, might hire someone from outside, such as from a bank or consultancy. By contrast, in a smaller firm, the person responsible for creating and monitoring a cybersecurity program may end up being the individual who already holds a compliance or risk assessment role.
Simply creating a written policy and hoping it works won’t be enough. “There are plenty of IT tools available for cybersecurity protection,” acknowledges Justin Kapahi, the Miami-based vice president of solutions and security for External IT, which provides a secure managed tech platform with built-in security and compliance features to support advisers’ cybersecurity issues. At issue, he believes, is how firms will persuade not only their own employees, but also clients and third-party service providers that they must follow the same rules.
What happens if they don’t want to? The broker-dealer or asset manager will ultimately have to decide whether to maintain the relationship or cut bait. Financial advisors can’t afford to cut corners. Fortunately, as Kapahi explains, the rise of cybercrime provides some incentive for compliance with the terms set by the fund manager or broker-dealer.
Regardless of how a fund manager or broker-dealer decides to comply with Colorado’s rules once they take effect, one thing is certain. The age-old rule of kill with paper applies. “You need to be able to defend any decisions or changes made. Therefore, it is important to document every step of the way, from the creation of the cybersecurity program to its testing and ongoing monitoring,” says Swiman.