Financial Services Firms Face New Cybersecurity Regulation

Richard M. Borden , Joshua Mooney


May 7, 2020

The close of 2019 witnessed a significant development in data security law that impacts companies engaged in the trading of public securities, as well as those companies that provide services to such organizations. Nationwide, the regulation significantly impacts approximately 3,000 organizations, including banks, securities brokerage firms and insurance carriers.

In October 2019, the National Securities Clearing Corporation (NSCC) filed with the SEC a Proposed Rule Change to Require Confirmation of Cybersecurity Program. The rule requires NSCC members, as well as organizations applying for membership, to submit a Cybersecurity Confirmation as part of the initial membership application and on an ongoing basis at least every two years. In addition, any organization that reports trade data to the NSCC could be held to the same standard. The Cybersecurity Confirmation is a form provided by NSCC that, according to the new rule, must be “signed by the submitting entity’s designated senior executive” making “specific representations regarding the submitting entity’s cybersecurity program and framework.”

The rule took effect on December 9, 2019, meaning that NSCC members are now federally regulated as to the substance and reasonableness of their written cybersecurity programs, with a member of senior management personally responsible for certifying compliance. This is no simple “check-the-box” undertaking. The requirements are substantive and impose significant risks on organizations subject to the rule.

What Is the NSCC?

The NSCC, a wholly owned subsidiary of the Depository Trust & Clearing Corporation (DTCC), is a market utility. It plays a prominent role in providing clearance, settlement, risk management and central counterparty services. It also helps guarantee completion of virtually all broker-to-broker trades involving equity securities, corporate and municipal debt securities, American depositary receipts, exchange-traded funds, and unit investment trusts.

Under the Dodd-Frank Act, the NSCC was designated a Systemically Important Financial Market Utility (SIFMU). As noted in the SEC’s approval of the new rule, the designation is significant because it reflects the recognition that a failure of the NSCC, whether caused by a cyberattack or other means, would risk significant liquidity problems spreading among financial institutions and markets, thereby threatening the stability of the U.S. financial system itself.

What are the New Requirements?

The Cybersecurity Confirmation requires organizations to confirm that they maintain a comprehensive cybersecurity program built upon risk assessments, which protects the confidentiality, integrity and availability of the organization’s data and information systems. The cybersecurity program, moreover, must be aligned with industry recognized frameworks, such as NIST’s Cybersecurity Framework or the ISO 27001 standard.

As specified by the new rule and the Cybersecurity Confirmation form created by the NSCC for execution, a company must make the specific representations embedded in the Cybersecurity Confirmation, including representations about third-party vendor risk management. A member of the organization’s senior management must execute the confirmation attesting that his or her organization has:

  • “Defined and maintains a comprehensive cybersecurity program and framework that considers potential cyber threats that impact the organization and protects the confidentiality, integrity and availability” of the organization’s data and information systems
  • “Implemented and maintains written enterprise cybersecurity policy or policies approved by senior management … or board of directors,” and that its framework is aligned with industry “best practices and guidelines”
  • If using third-party services, “an appropriate program to evaluate the cyber risks and impact of [those] third parties, and to review the third-party assurance reports”
  • A “cybersecurity program and framework that protects the segment of the company’s system that connects to and/or interacts with NSCC”
  • An “established process to remediate cyber issues identified to meet regulatory and/or statutory requirements”
  • “A comprehensive review of the cybersecurity program and framework has been conducted by one of the following:” (1) the company itself, if it also has filed and maintains a Certificate of Compliance under the New York Department of Financial Services Cybersecurity Regulation; (2) a regulator who assesses the organization’s cybersecurity program; (3) an independent organization with relevant cybersecurity expertise; or (4) an independent internal audit function reporting directly to the organization’s board of directors.

The confirmation also must affirm that the organization’s “cybersecurity program’s and framework’s risk processes are updated periodically based on a risk assessment or changes to technology, business, threat ecosystem and regulatory environment.” The stated purpose of the Cybersecurity Confirmation is to give NSCC information on how its members manage cybersecurity risk with respect to their connectivity to NSCC, and to enable NSCC to make informed decisions about cyber risks or threats, or otherwise protect its network.

What Does the Regulation Mean?

It is not yet clear what level of enforcement, or what penalties for non-compliance, will accompany this new rule. Given NSCC’s designation as a SIFMU, and given that cybersecurity programs are evaluated based upon the sensitivity of the systems, data and associated risks involved, perfunctory cybersecurity programs (even programs that were deemed sufficient in early 2019) may not satisfy the anticipated requirements of the Cybersecurity Confirmation.

The new rule states that the NSCC need only provide 180 days’ notice before a Cybersecurity Confirmation is required. Organizations should not be caught unaware. NSCC member organizations, as well as their service providers, should review their cybersecurity programs in light of these changes to ensure that necessary adjustments are made before their confirmation is due.

Aside from the direct impact on NSCC members, the cybersecurity rule is expected to have a ripple effect. For instance, members may require similar certifications from their own vendors and suppliers, and embed strict data privacy and security requirements in those contracts.

By connecting cybersecurity requirements with the risks associated with disruption of NSCC operations, the new rule creates a more stringent lens at the federal level through which organizations’ (and their service providers’) cybersecurity programs will be assessed. Combined with the requirement that a senior executive personally certify compliance and make specific representations about the organization’s data security, the new rule also creates more clear-cut liability.

Richard M. Borden is chief privacy officer with White and Williams LLP.
Joshua A. Mooney is a partner and head of the US Cyber and Data Privacy at Kennedys.