The close of 2019 witnessed a significant development in data security law
that impacts companies engaged in the trading of public securities, as well as
those companies that provide services to such organizations. Nationwide, the
regulation significantly impacts approximately 3,000 organizations, including
banks, securities brokerage firms and insurance carriers.
In October, the National Securities
Clearing Corporation (NSCC) filed with the SEC a Proposed Rule Change to
Require Confirmation of Cybersecurity Program. The regulation requires NSCC
members, as well as organizations applying for membership, to submit a
Cybersecurity Confirmation as part of the initial membership application and on
an ongoing basis at least every two years. In addition, any organization that
reports trade data to the NSCC could be held to the same standard. The
Cybersecurity Confirmation is a form provided by NSCC that, according to the
new rule, must be “signed by the submitting entity’s designated senior
executive” making “specific representations regarding the submitting entity’s
cybersecurity program and framework.”
The regulation went into effect on December 9, 2019 meaning that NSCC
members are now federally regulated in terms of the substance and
reasonableness of their written cybersecurity programs, with a member of senior
management responsible for certifying compliance. This is no simple “check-the-box” undertaking. The requirements
to comply with the new regulation are substantive and impose significant risks
on organizations subject to the rule.
What Is the NSCC?
The NSCC, a wholly-owned subsidiary
of Depository Trust & Clearing Corporation (DTCC), is a market utility. It
plays a prominent role in providing clearance, settlement, risk management and
central counterparty services. It also assists to provide a guarantee of
completion for virtually all broker-to-broker trades involving equity
securities, corporate and municipal debt securities, American depository
receipts, exchange traded funds, and unit investment trusts.
Under the Dodd-Frank Act, the NSCC
was designated a Systemically Important Financial Market Utility (SIFMU). As
noted in the SEC’s approval of the new rule, the designation is significant
because it indicates the recognition that a failure of the NSCC by a
cyberattack or other means would risk significant liquidity problems spreading
among financial institutions and markets, thereby threaten the stability of the
U.S. financial system itself.
What are the New Requirements?
The Cybersecurity Confirmation
requires organizations to confirm that they maintain a comprehensive
cybersecurity program built upon risk assessments, which protects the
confidentiality, integrity and availability of the organization’s data and
information systems. The cybersecurity program, moreover, must be aligned with
industry recognized frameworks, such as NIST’s Cybersecurity Framework or the
ISO 27001 standard.
As specified by the new regulation
and the Cyber Confirmation form created by the NSCC for execution, a company
must make specific representations embedded in the Cybersecurity Confirmation
for, including third-party vendor risk management. A member of an
organization’s senior management must execute the confirmation attesting that
his or her organization has:
- “Defined and maintains a comprehensive cybersecurity program and framework that considers potential cyber threats that impact the organization and protects the confidentiality, integrity and availability” of the organization’s data and information systems
- “Implemented and maintains written enterprise cybersecurity policy or policies approved by senior management … or board of directors,” and that its framework is aligned with industry “best practices and guidelines”
- If using third-party services, “an appropriate program to evaluate the cyber risks and impact of [those] third parties, and to review the third-party assurance reports”
- A “cybersecurity program and framework that protects the segment of the company’s system that connects to and/or interacts with NSCC”
- An “established process to remediate cyber issues identified to meet regulatory and/or statutory requirements”
- “A comprehensive review of the cybersecurity program and framework has been conducted by one of the following:” 1) the company itself, if it also has filed and maintains a Certificate of Compliance under the New York Department of Financial Service Cyber Regulations, 2) a regulator who assesses the organization’s cybersecurity programs; 3) an independent organization with relevant cybersecurity expertise; or 4) an independent internal audit function reporting directly to the organization’s board of directors.
The confirmation also must affirm
that the organization’s “cybersecurity program’s and framework’s risk processes
are updated periodically based on a risk assessment or changes to technology,
business, threat ecosystem and regulatory environment.” The stated purpose of
the Cybersecurity Confirmation is to provide NSCC information on how its
members manage their cybersecurity risks with respect to its connectivity to
NSCC, and to enable NSCC to make informed decisions about cyber risks or
threats, or otherwise protect its network.
What Does the Regulation Mean?
It yet unclear what level of
enforcement and punishments for non-compliance will be levied in connection with
this new regulation. Given NSCC’s designation as a SIFMU and that cybersecurity
programs are evaluated based upon the sensitivity of the systems, data and
associated risks involved, perfunctory cybersecurity programs—even programs
that were deemed sufficient in early 2019—may not satisfy the anticipated
requirements of the Cybersecurity Confirmation.
The new rule states that the NSCC
need only provide 180 days’ notice of a required Cybersecurity Confirmation.
Organizations should not be caught unaware. Member organizations of the NSCC,
as well as their service providers, should review their cybersecurity programs
in the wake of these changes to ensure that necessary adjustments are made
before their confirmation is required.
Aside from the impact on NSCC
members, the cybersecurity rule is expected to have a ripple effect. For
instance, members moving forward may require similar certifications and embed
strict data privacy and security requirements in their vendor and supplier
By connecting cybersecurity
requirements with risks associated to the disruption of NSCC operations, the
new regulations are creating a more stringent lens at the federal level through
which organizations’ (and their services providers’) cybersecurity programs
will be assessed. Combined with the personal certification requirement to
compliance and specific representations regarding an organization’s data
security, the new rule also creates more clear-cut liability.