On May 17, 2017, the SEC’s Office of Compliance Inspections and Enforcement (OCIE) issued a cybersecurity alert to the securities firms it regulates. OCIE advised broker-dealers and investment companies to take certain actions in connection with the recent WannaCry and Wanna Decryptor ransomware attacks that affected numerous organizations in over one hundred countries. Specifically, OCIE encouraged firms as follows:
On February 2, the Italian Data Protection Authority, known as the “Garante,” imposed a fine of EUR 5,880,000 on a UK money transfer company that it found to be in violation of Italian data privacy rules. This is the largest ever publicly-known fine imposed by an EU data protection authority, and it approaches the level of fines that are likely to be imposed under the EU’s General Data Protection Regulation (“GDPR”) that will come into force in May 2018. Although the GDPR is not yet in force, the Garante’s enforcement action shows that European data protection authorities are willing to levy the kind of fines allowed by the GDPR.
On February 16, 2017, the New York State Department of Financial Services (the “NYDFS”) issued its final regulations setting forth minimum requirements for NYDFS-regulated entities to address cybersecurity risk (“Final Regulations”). The NYDFS issued the Final Regulations after considering feedback and criticism received during two comment periods — one following the NYDFS’s initial publication of the proposed regulation (on September 13, 2016) and a second comment period after the NYDFS published a revised version of the regulation (on December 28, 2016).
The Final Regulations will be effective as of March 1, 2017, with a transitional period of 180 days from that date for Covered Entities to comply with the Final Regulations, except for certain enumerated provisions for which longer compliance periods are specified. The annual certification of compliance (covering the prior calendar year) will be required beginning on February 15, 2018.
On December 28, 2016, the New York State Department of Financial Services (the “NYDFS”) issued revised proposed regulations setting forth minimum requirements for NYDFS-regulated entities to address cybersecurity risk (“Revised Proposed Regulations”). The NYDFS issued the Revised Proposed Regulations after considering feedback and criticism submitted during a 45-day comment period to address the initial proposal, issued on September 13, 2016. The agency has announced an additional and final 30-day comment period from the date of publication to address new comments not previously raised in the original comment process.
After having received over 150 comments on proposed cybersecurity regulations, the New York Department of Financial Services will delay implementation and initiate a new round of notice and comment on a further revised version of cybersecurity regulations. As we reported previously, NYDFS proposed new cybersecurity regulations for the financial sector in September of this year, and the comment period closed mid-November. NYDFS previously announced that the new rules would be effective January 1, 2017 and that covered entities would have 180 days to comply. Reuters reports that NYDFS will now publish a further revised version of proposed regulations on December 28 for public comment with a new effective date of March 1, 2017.
The Office of the Comptroller of the Currency (OCC) has confirmed its intention to explore issuing limited-purpose national bank charters to fintech firms engaged in banking activities — commonly called the “fintech charter.” Earlier this year, the OCC had signaled this possibility. Now, through the release of a policy paper titled “Exploring Special Purpose National Bank Charters for Fintech Companies” (FinTech Paper) and a speech by the Comptroller on Dec. 2, the OCC has taken a more formal step.
A recent speech by the Financial Conduct Authority (“FCA”) Director of Specialist Supervision, Nausicaa Delfas, delivered at the Financial Times’ Cyber Security Summit, shows that the FCA, which is the leading financial services regulator in the United Kingdom, is taking the issue of cyber security seriously and that it believes new approaches are needed to combat the threat to financial services firms.
The FCA’s concerns are consistent with those being expressed by US banking regulators and the Group of Seven (G-7) industrial nations who agreed on a set of guidelines to combat cyber risks affecting global financial institutions.
On Oct. 19, the Board of Governors of the Federal Reserve System (the Board), the Office of the Comptroller of the Currency (the OCC) and the Federal Deposit Insurance Corporation (the FDIC, and collectively with the Board and the OCC, the Agencies) issued a joint advance notice of proposed rulemaking (ANPR) inviting comment regarding enhanced cyber risk management standards for large and interconnected entities under their supervision and those entities’ service providers. As financial technology continues to advance, the largest, most complex financial institutions have relied more and more on technology to carry out their banking activities and to provide critical services to the financial sector and the U.S. economy. In the event of a cyber attack on a covered entity, the ANPR is intended to enhance the covered entity’s ability to continue to function and to reduce the overall impact on the financial system resulting from interconnectedness.
As the financial services sector becomes ever more reliant on new technologies to decrease costs and create more efficient systems, it becomes more vulnerable to cyber attacks. On October 11, 2016, the Group of Seven (“G7”) industrial nations agreed on a set of guidelines to combat the cyber risks that are “growing more dangerous and diverse, [and] threatening to disrupt our interconnected global financial systems and the institutions that operate and support those systems.” These issues have been particularly visible following a number of high profile cybersecurity attacks at financial institutions.
On Sept. 6, the Hong Kong Monetary Authority (the HKMA) announced two initiatives targeted at raising Hong Kong’s profile as a fintech hub: the setting up of the Fintech Innovation Hub (the Hub) and the Fintech Supervisory Sandbox (the Sandbox).