The Big Change in Cybersecurity Regulation That No One Is Talking About

The close of 2019 witnessed a significant development in data security law that impacts companies regulated with respect to or engaged in the trading of public securities, as well as those companies that provide services to such companies. This impacted group includes approximately 3,000 organizations, including banks, securities brokerage firms, and insurance carriers.

In October 2019, under the authority of Section 19(b)(1) of the Securities Exchange Act of 1934 and corresponding Rule 19b-4,^[1] the National Securities Clearing Corporation (NSCC) filed with the U.S. Securities and Exchange Commission (SEC) Proposed Rule Change to Require Confirmation of Cybersecurity Program (SR-NSCC-2019-003) that would require NSCC members, as well as organizations applying for membership, to submit a Cybersecurity Confirmation both as part of the initial application for membership and thereafter on an ongoing basis for members at least every two years.^[2] The proposed rule defined a Cybersecurity Confirmation as a written form provided by NSCC and “signed by the submitting entity’s designated senior executive” making “specific representations regarding the submitting entity’s cybersecurity program and framework.”^[3] Any organization that reports trade data to the NSCC also could be required to submit a Cybersecurity Confirmation.

The SEC did not receive comment letters on the proposed rule change. On December 9, 2019, it approved the rule, effective immediately. Thus, at the close of 2019, NSCC members became federally regulated in terms of the substance and reasonableness of their written cybersecurity programs, and the rule now requires that a member of each organization’s senior management must certify compliance with the regulation. This is no simple “check-the-box” undertaking. Given the enormous risks that the U.S. government has identified as potentially arising out of a member’s information systems be used as a conduit to disrupt NSCC operations, and the requirement for a personal signature on the Cybersecurity Confirmation, the requirements to comply with the new regulation are substantive, and impose significant risks on organizations subject to the new rule.

At the very least, this new rule is the first broadly applicable cybersecurity regulation issued by the federal government. When considered with the SEC’s Statement and Guidance on Public Company Cybersecurity Disclosures,^[4] there is a clear movement towards regulation of Cybersecurity at the federal level.

WHAT IS THE NSCC?

The NSCC, a wholly-owned subsidiary of Depository Trust & Clearing Corporation (DTCC), is a market utility. It plays a prominent role in providing clearance, settlement, risk management, central counterparty services. It also assists to provide a guarantee of completion for virtually all broker-to-broker trades involving equity securities, corporate and municipal debt securities, American depository receipts, exchange traded funds, and unit investment trusts.^[5] The NSCC has approximately 3,000 members, including banks, brokerage firms, and insurance carriers.^[6]

Under Title VIII of the Dodd-Frank Wall Street Reform and Customer Protection Act of 2010 (the Dodd-Frank Act), the NSCC was designated a Systemically Important Financial Market Utility (SIFMU).^[7] The designation is significant. The SIFMU designation signifies the determination that a failure of the NSCC by a cyberattack or other means would risk significant liquidity problems spreading among financial institutions and markets, thereby “threaten[ing] the stability of the financial system in the United States” itself.^[8] Under the new regulation, NSCC now requires significant and substantive safeguards in any member’s cybersecurity program. Given the determined gravity of any risk of disruption to the NSCC, the expected level of compliance with the new requirements will be material and substantial.

WHAT THE NEW RULE REQUIRES

Effective immediately, an organization must submit a Cybersecurity Confirmation to the NSCC at least every two years to confirm compliance with the NSCC’s cybersecurity safeguard requirements. In addition, applicants for membership must submit such confirmations as part of their application. The Cybersecurity Confirmation requires organizations to confirm that they maintain a comprehensive cybersecurity program built upon risk assessments, which protects the confidentiality, integrity, and availability of the organization’s data and information systems. Further, the cybersecurity program must be aligned with industry recognized frameworks, such as NIST’s Cybersecurity Framework or the ISO 27001 standard.

The new regulation also will require specific representations to be embedded in the Cybersecurity Confirmation, including third-party vendor management (an area of increased focus in cybersecurity regulations). A member of an organization’s senior management must execute the confirmation (in a similar manner to the New York DFS Cybersecurity Regulations), attesting that his or her organization has:

• designed and maintains a comprehensive cybersecurity program and framework that considers potential cyber threats and protects the confidentiality, integrity, and availability of the organization’s data and information systems;
• implemented and maintains written cybersecurity policy or policies approved by the organization’s senior management or board of directors that are aligned with industry best practices and guidelines;
• an appropriate program to evaluate the cyber risks and impact of third parties^[9], and to review their cybersecurity programs, whom they use to connect or transact business or to manage the connection with NSCC;
• a cybersecurity program and framework that protects the segment of its system that connects to and/or interacts with NSCC;
• an established process to remediate cyber issues identified to meet its regulatory and/or statutory requirements;
• an established process to periodically update its cybersecurity program based on risk assessments and/or changes in technology, business, threat ecosystem, or regulatory environment; and
• had its cybersecurity program reviewed by (1) itself, if it also has filed and maintains a Certificate of Compliance under the New York DFS Cyber Regulations, (2) a regulator who assesses the organization’s cybersecurity programs; (3) an independent organization with relevant cybersecurity expertise; or (4) an independent internal audit function reporting directly to the organization’s board of directors.^[10]

The stated purpose of the Cybersecurity Confirmation is to provide NSCC information on how its members manage their cybersecurity risks with respect to its connectivity to NSCC, and to enable NSCC to make informed decisions about cyber risks or threats, or otherwise protect its network.

WHAT THIS REGULATION MEANS

Given NSCC’s designation as a SIFMU, and that cybersecurity programs are evaluated based upon the sensitivity of the systems, data, and associated risks involved, perfunctory cybersecurity programs – even programs that may have been deemed sufficient in early 2019 – may not satisfy the anticipated requirements of the new Cybersecurity Confirmation. Thus, at the close of 2019, approximately 3,000 NSCC member organizations, as well as organizations that report trade data to the NSCC, had new regulatory requirements placed upon their efforts to safeguard the privacy and security of their information systems. When suppliers and other third-party vendors, including law firms, of these organizations are considered, the NSCC Cybersecurity Rule undoubtedly will have a ripple effect. NSCC members will embed strict data privacy and security requirements in their contracts. They, too, may require similar certifications.

By connecting cybersecurity requirements with risks associated to the disruption of NSCC operations, the new regulations are creating a more stringent lens at the federal level through which organizations’ (and their services providers’) cybersecurity programs will be assessed. Combined with the personal certification requirement to compliance and specific representations regarding an organization’s data security, the new rule also creates more-clear cut liability. The new rule states that the NSCC need only provide 180 days’ notice of a required Cybersecurity Confirmation. Organizations should not be caught unaware. Member organizations of the NSCC, as well as their service providers should review their cybersecurity programs in the wake of these changes to ensure that necessary adjustments are made before their confirmation is required.

If you have questions or would like further information, please contact Joshua Mooney (mooneyj@whiteandwilliams.com; 215.864.6345) or Richard Borden (bordenr@whiteandwilliams.com; 212.631.4439).

[1] 15 U.S.C. § 78s(b)(1); 17 CFR 240.19b-4.

[2] SR-NSCC-2019-003, A Proposed Rule Change to Require Confirmation of Cybersecurity Program, dated Oct. 15, 2019 (hereinafter, Proposed Rule Change), available at https://www.sec.gov/rules/sro/nscc/2019/34-87392.pdf.

[3] SEC Order Approving Proposed Rule Change, dated December 9, 2019 (hereinafter, Order), at 5, available at https://www.sec.gov/rules/sro/nscc/2019/34-87696.pdf.

[4] See https://www.sec.gov/rules/interp/2018/33-10459.pdf. See also Trick or Treat: Does the SEC’s October Report Signal a New Shift in Cybersecurity Enforcement?, available at https://www.whiteandwilliams.com/resources-alerts-Trick-or-Treat-Does-the-SECs-October-Report-Signal-a-New-Shift-in-Cybersecurity-Enforcement.html.

[5] See Financial Stability Oversight Counsel 2012 Annual Report, at Appendix A at 179, available at http://www.treasury.gov/initiatives/fsoc/Documents/2012%20Annual%20Report.pdf.

[6] A list of the NSCC’s over 3,000 members may be found here: http://www.dtcc.com/client-center/nscc-directories

[7] FSOC Report, Appendix A, at 179.

[8] See Order at 2, citing FSOC Report, Appendix A.

[9] While many companies have done risk assessments, including for compliance with the New York Department of Financial Services Cybersecurity Regulation. 23 NYCRR 500, few of those risk assessments consider the extreme risks to the U.S. financial system posed by connections to and interactions with NSCC.

[10] See Order at 5-6.