In our first Cyber Blog post, we predicted that the rules-based approach adopted by the NYDFS would become the model for cybersecurity regulation. Two years later, we’re feeling pretty good about that prediction, as the FTC recently proposed incorporating a number of aspects of the NYDFS cybersecurity rules into its Standards for Safeguarding Customer Information rule (the “Safeguards Rule”). The proposal would also expand the Safeguards Rule’s definition of “financial institution” to include “finders,” or companies that connect potential parties to a transaction. As a reminder, the Safeguards Rule applies to financial institutions that are not regulated by the federal banking agencies, the SEC, or state insurance authorities, including non-bank mortgage lenders, payday lenders, finance companies, check cashers, money transmitters, collection firms, and tax preparers. Continue reading
On April 1, 2019, new cybersecurity requirements outlined in the NFA’s Interpretive Notice to NFA Compliance Rules 2-9, 2-36 and 2-49 will come into effect. These new requirements apply to NFA Members, including registered futures commission merchants, commodity trading advisors, commodity pool operators, introducing brokers, retail foreign exchange dealers, and swap dealers. They are designed to “establish general requirements relating to Members’ information systems security programs (ISSPs) but leave the exact form of an ISSP up to each Member.” These ISSP obligations relate to, among others, approval and third-party cyber diligence (see our previous blog post).
Perhaps the most significant new obligation is the imposition of onerous breach notification requirements, which require NFA Members to notify the NFA “promptly” of any cybersecurity incident related to its commodity interest business that results in:
- any loss of customer or counterparty funds;
- any loss of an NFA Member’s own capital; or
- the NFA Member providing notice to customers or counterparties under state or federal law.