Private fund firms in New York state will face an extra regulatory hurdle after March 1, now that the Department of Financial Services has given the all-clear to new rules obliging them to base cybersecurity policies on risk assessments.
Documentation of these “periodic” assessments must detail the firm-specific cyber threats uncovered, the action taken to remedy those threats and how policies and procedures will be updated to reflect new threats as they are revealed.
“The DFS is entirely informed about a firm’s cybersecurity policy by its risk assessment, so it must be robust,” according to one New York-based compliance officer.
The rules are a watered-down version of those the DFS originally put forward, which were revised following widespread industry criticism. But the demands remain stringent, and the consensus among compliance officers is that other states may follow suit, exposing more private fund firms to additional procedures over and above those already required by national legislation.
At a federal level, the good news is that cybersecurity regulations are not expected to evolve much beyond their current form. On the other hand, it’s unlikely they will be relaxed either – the Securities and Exchange Commission said cybersecurity would remain among its top areas of focus in its start-of-the-year update.
The regulator has also shortened the notice period for examinations – there is no longer time to adapt procedures between receiving a notification call and the start of the exam. This means firms must always be ready for that call. It’s essential that they keep track of new developments that might harm the business, ensure their policies are up to date and make sure the steps they have taken are documented. Failure to do so could risk the wrath of the regulator, and lead to an embarrassing – and costly – breach.