U.S. Securities and Exchange Commission Building U.S. Securities and Exchange Commission Building

U.S. financial regulators are wiping out ambiguities over cybersecurity standards and best practices, and lawyers say it's not going to stop anytime soon.

Last month, the U.S. Securities and Exchange Commission (SEC) gave the go-ahead for the National Securities Clearing Corporation (NSCC) to enact a cybersecurity requirement for its 3,000 members. The NSCC provides clearing, settlement risk management, central counter-party services and a guarantee of completion for most broker-to-broker trades involving equities, corporate and municipal debt, exchange-traded funds and unit investment trusts.

Despite the NSCC's 3,000 members, which include large banks and other financial institutions, the SEC noted in its Dec. 9 approval that the proposed rule change received no comment during the public comment period. Perhaps the new requirement didn't catch many off guard.

"I think what stuck out about it was no one commented about it," said Debevoise & Plimpton cybersecurity and litigation partner Luke Dembosky. "That may be it was deemed reasonable by industry or deemed inevitable by industry, but whether through acquiescence or regulatory fatigue no one commented, so this simply went through. It should not surprise anyone."

The new requirements require NSCC members, applicants and trade data reporting organizations that connect to NSCC's network to align their cybersecurity frameworks to industry standards like the the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), the International Organization for Standardization standard 27001/27002 (ISO 27001), and others.

Entities are required to submit forms listing specific cybersecurity programs and frameworks used by the company and update its risks processes as its risk, tech, business or regulatory environment changes. Current or aspiring NSCC members' senior executives must all sign the form as well.

Lawyers said most of the NSCC member entities were likely under the scope of regulations that demand similar, if not more stringent, regulations.

"All that the rule is intended to do is require that firms that participate in NSCC would have to provide a cybersecurity certification," said Goodwin Procter partner Bill Stern, whose practice includes fintech. "It doesn't, on its own, impose proscriptive or specific cybersecurity requirements in the way the New York's Cybersecurity Regulation did."

Still, lawyers noted this requirement is the latest in an ongoing effort by U.S. regulators to steer companies toward compliance with new legal mandates and cyber best practices.

Earlier this week, the SEC's Office of Compliance Inspections and Examinations released its cybersecurity best practices to help financial institutions better manage cyber risk. The suggestions echo the recently passed NSCC requirement, noted Michael Best & Friedrich privacy and cybersecurity chair and partner Adrienne Ehrhardt. 

"One of the things they talked about was governance and risks management, which is having that buy-in from the top," she said. Likewise, the new regulation's accountability requirement by a top executive mirrors New York's Financial Services Cybersecurity Regulation, which went into effect in 2017, Ehrhardt noted.

The SEC's latest move also mimics the broader push across industries to enact and proactively monitor cybersecurity plans, she added.

"I think in general the whole idea of better practices you are starting to see reflected even in the California law [the California Consumer Privacy Act]. Having a reasonable security plan is being reflected, having accountability and written procedures in place is a trend seen across not just financial institutions but other industries as well."

But White and Williams chief privacy officer Richard Borden noted observers shouldn't disregard the significance of the NSCC and its designation as a "systemically important financial market utility" under the Dodd-Frank Wall Street Reform and Consumer Protection Act. The new requirement ensures NSCC, its members and third-parties understand their cyber risks.

"Once again there's some financial institutions that are members that are already heavily regulated and have most of this in place, and there are others that don't and this will be  somewhat newer. Every time there is regulation, it increases the burdens."