Cybersecurity has become one of the most significant regulatory practice areas in the securities industry as cyber incidents are reported daily in the financial news and their extent and complexity are expanding exponentially. All the major federal financial regulatory agencies, SROs and virtually all the states have assumed a very active role in this area, as exemplified by the recently proposed New York State Cybersecurity Regulation. The regulation contains 22 sections addressing such subjects as cybersecurity programs and policies, Chief Information Security Officers, testing, audits, risk assessment, third-party information security, multi-factor authentication, training, encryption and incident response plans. These topics are similar to those contained in the cybersecurity regulations and guidelines issued by the SEC and FINRA, and virtually all the states have issued at least a breach notification requirement, while some, including Massachusetts and New York, have issued detailed regulations.
P&D lawyers regularly advise banks, insurance companies, broker-dealers, investment advisers and public and private funds on all aspects of cybersecurity regulation. We are experts on the entire cybersecurity regulatory structure including Gramm-Leach-Bliley, Regulation S-P, Regulation P, the OCIE 2015 Cybersecurity Initiative, the FINRA 2015 Report on Cybersecurity Practices, the NIST Framework and many others.
P&D lawyers develop information security programs for their clients, guide them through cyber incidents and represent them in any resultant regulatory inquiry. As a part of this, we develop and implement access or IAM policies, governance policies, risk analysis policies, vendor management policies, mobile policies, training plans and incident response plans. We also regularly conduct cybersecurity audits for our clients and have acted as the SEC-appointed independent outside consultant in cybersecurity enforcement actions. A member of the firm is currently the Co-Chair of the American Bar Association, Business Section White Collar Crime Subcommittee on Cybersecurity.
P&D lawyers have also written extensively on the regulation of electronic technology in the securities markets, including the following:
“Cybersecurity in Federal Securities Markets,” Bloomberg BNA Treatise, Securities Practice Portfolio Series, 2014.
“Responding to State Breach Notification Requirements,” German American Chamber of Commerce Legal & Tax Newsletter, September 2014.
“Regulatory Guidance Informs Best Practices for Cybersecurity,” The Metropolitan Corporate Counsel, May 1, 2013.
“Record Keeping and Advertising Chapters,” PLI Broker-Dealer Regulation Treatise, PLI, 2008.
“Securities Practice & Electronic Technology,” Treatise, ALM, 1998.
The following is a list of recent seminars in which P&D lawyers have participated:
“The Financial Regulation of the Third Platform – the Cloud, Big Data, Social Media, and Mobile Devices,” Bloomberg BNA Webinar, October 28, 2015.
“Cybersecurity, Governance, and Data/Network Protection,” IA Summit, Financial Resource Associates, Panelist, July 2015.
“Financial Responsibility, Regulation and Examinations,” PLI Fundamentals of Broker-Dealer Regulation Seminar, Panelist, June 2015.
“Cybersecurity Panel,” SIFMA C&L New York Regional Seminar, Panelist, October 2014.
“Financial Responsibility, Regulation and Examinations,” PLI Fundamentals of Broker-Dealer Regulation Seminar, Panelist, June 2014.
“Cybersecurity in Securities Markets,” Bloomberg BNA Webinar, Panelist, May 14, 2014.
“Cybersecurity for Investment Advisers: Threats and Best Practices,” IAA, Panelist, May 1, 2014.
“Examination and Enforcement Developments,” ALI CLE, Panelist, January 22, 2014.
“Cybersecurity Strategy: Regulatory Guidance and Best Practices to Mitigate Risks,” Commercial Law Web Adviser, Panelist, September 11, 2013.
“Cybersecurity for Investment Advisers and Broker-Dealers,” Panelist, June 2013.
“Financial Responsibility, Regulation and Examinations,” PLI Fundamentals of Broker-Dealer Regulation Seminar, Panelist, 2012 and 2013.
In the Matter of LPL Financial Corp., Respondent Admin. Proc. File No. 3-13181 (2008)
A P&D lawyer was appointed the independent consultant in an SEC enforcement action settlement against LPL Financial, one of the largest independent broker-dealers in the U.S. This matter involved numerous violations of Reg S-P including the firm’s failure to safeguard its customers’ personally identifiable information. The consultant was required to review the firm’s systems and written policies and procedures relating to Reg S-P; make recommendations and revisions to these and file a report with the SEC concerning these policies and procedures with a view to assuring the firm’s compliance with Reg S-P.
Represented broker-dealers and investment advisers in various state regulatory inquiries relating to cybersecurity incidents.
Advised numerous broker-dealers and investment advisers on the development and implementation of their Cybersecurity Information Security Programs.
Advised numerous broker-dealers and investment advisers during cybersecurity incidents including an analysis of the ongoing incident, the assessment of PII, the remediation of damage and all communications with regulatory authorities.
Advised numerous broker-dealers and investment advisers on their registration with the SEC and FINRA, including the development of their operational, compliance and cybersecurity procedures.
Advised one of the country’s largest insurance companies on its development and implementation of a records management program and an information security program (ISP). This involved the review and analysis of numerous operational and record retention systems and the integration of these systems into a single records management program and, for the ISP, the development and implementation of a risk management system, an access policy, a mobile policy, a vendor policy and an incident response plan.
Advised one of the largest U.S. online broker-dealers on the development and implementation of its record management program. This involved the review and analysis of numerous back office, trading, e-mail and record retention systems and the integration of these systems into a single records management program.
Advised one of the country’s largest broker-dealers in its development and implementation of remedial measures relating to the firm’s failure to comply with the Rule 17a-4 WORM requirement.