United States: CCPs As Third Party Service Providers: Breach Notification Issues

Among the requirements placed on New York chartered or licensed financial institutions is that, pursuant to Section 500.17 (''Notices to the Superintendent''), each such entity must notify the superintendent of the New York State Department of Financial Services as promptly as possible but in no event later than 72 hours following a cybersecurity event.1 This is a difficult standard to meet within a tight timetable under the best of circumstances; however, in many cases the cybersecurity incident will occur not in the financial institution but within a third party service provider (a ''TPSP'').2

Section 500.11 requires each covered entity to have a TPSP security policy.3 Generally speaking, covered entities include New York chartered banks (such as Goldman Sachs Bank and The Bank of New York), and licensed branches and agencies of foreign banks (such as the New York branches of Deutsche Bank and BNP Paribas) (collectively, ''Covered Entities''). As part of this policy, every Covered Entity must have written policies and procedures (based on the risk profile of the entity) that include relevant guidelines for due diligence and/or contractual protections addressing notice to be provided to the entity following a cybersecurity event ''directly impacting . . . [the entity's] Nonpublic information being held by the [TPSP].'' This requirement seems to directly link to the requirement of such entity to provide the 72 hour notification.

Part 500 defines Nonpublic Information (''NPI'') more broadly than did prior, applicable federal law.4 NPI includes (1) business related information of the entity the tampering with which, or disclosure, access or use of which, would cause a material disruption to the business, operations or security of the entity, (2) certain information of individuals which can be used to identify such individual, and (3) certain health care information. Of particular interest is (1), which would cover large and uncertain amounts of an entity's information held by TPSPs.

The most commonly thought of TPSPs are service providers to Covered Entities that handle the entities' information, such as technology service providers (including vendors under outsourcing contracts and cloud computing providers), software companies, couriers, law firms and accounting firms. These TPSPs must now include detailed breach notification provisions in their agreements with financial institutions so that the TPSPs will determine a cybersecurity event has occurred and provide enough detailed information to Covered Entities so that the entity can meet its own 72 hour notification obligation pursuant to Section 500.11.

There is a large category of TPSPs that may not consider themselves covered by Part 500: central counterparties (''CCPs''). CCPs appear to meet the definition to be covered as TPSPs: they are not affiliates of financial institutions, they provide services to financial institutions, and they have access to NPI from the financial institutions (although the amount and type of NPI each CCP holds will vary depending on the services it provides). But there is one difference between CCPs and other TPSPs: CCPs do not negotiate contracts with individual members. As regulated entities themselves (by the Securities and Exchange Commission (the ''SEC'') for securities CCPs and by the Commodity Futures Trading Commission (the ''CFTC'') for derivatives or commodities CCPs), each CCP promulgates a set of rules that govern its actions. These rules are issued by each CCP in its status as a self-regulatory organization (''SRO''), which means they are issued for public comment and approved (by the SEC) or made effective (by the CFTC).

When members join the CCP, they agree to be bound by its rules. They generally do not have the ability to negotiate individual requirements. Many CCP rules do not contain the types of specific, detailed provisions that Covered Entities are negotiating with TPSPs in order to satisfy their requirements under Section 500.11. Therefore, it is unclear if Covered Entities subject to Part 500 that have memberships in CCPs will be able to meet the 72 hour cybersecurity event notification requirement in relation to a cybersecurity breach affecting a CCP.

CCP RULES AND REQUIREMENTS – BIS REQUIREMENTS

Every CCP is different, and each one has its own set of rules. There are, however, national and international requirements that each CCP must meet. For example, in April 2012 the Committee on Payment and Settlement Systems of the Bank for International Settlements (''BIS'') promulgated the Principles for Financial Market Infrastructure (''PFMIs''), which are perhaps the most comprehensive set of standards for CCPs.5 Sections 3.17.2 and 3.17.16 of the PFMIs note that a CCP must prepare for and communicate with authorities about cyberattacks. The PFMIs do not address notifications to members.

In June 2016, the BIS supplemented the PFMIs with Guidance on cyber resilience for financial market infrastructures.6 This guidance detailed how CCPs were expected to enhance their cyber resilience, and provided supplemental detail to that in the PFMIs. The guidance does not, however, state that CCPs should put in place procedures to ensure proper notice of cybersecurity incidents to their members. Rather, the guidance proposes that CCPs rely on their members and other stakeholders to support CCP preparations. The focus is on assisting the CCPs in responding to a cyber incident, quickly resuming normal operations and maintaining financial stability; it does not mention assisting the CCP members in complying with their own, separate obligations. Section 6.4.3 of the guidance states the following:

6.4.3 Crisis communication. FMIs should plan in advance for communications with participants, interdependent FMIs, authorities and others (such as service providers and, where relevant, the media). Communication plans should be developed through an adaptive process informed by scenario-based planning and analysis as well as prior experience. Because rapid escalation of cyber incidents may be necessary, FMIs should determine decision-making responsibilities for incident response in advance, and implement clearly defined escalation and decision-making procedures. FMIs should inform relevant oversight and regulatory authorities promptly of potentially material or systemic events.

BUT DO CCPs HAVE ''PLANS IN ADVANCE'' TO TIMELY COMMUNICATE ABOUT SUCH INCIDENTS WITH MEMBERS?7

Both the SEC and CFTC have implemented a series of regulatory provisions to implement certain core principles, as well as the PFMI requirements for CCPs that clear securities (SEC) or derivatives (CFTC) trades.

CFTC

The CFTC in Part 39, Subpart B of its regulations lists the required ''System Safeguards'' a CCP must have in place.8 A CCP is required to have a system of risk analysis and oversight designed to minimize sources of operational risk. This program must include numerous provisions on information security and protection. The program is not, however, mandated to provide timely cybersecurity breach notification to CCP members.

The closest the regulatory requirements come to this concept is to say:

(3) Coordination of plans. A derivatives clearing organization shall, to the extent practicable:

(i) Coordinate its business continuity and disaster recovery plan with those of its clearing members, in a manner adequate to enable effective resumption of daily processing, clearing, and settlement of transactions following a disruption.9

The CFTC's Core Principles are focused on returning a CCP to full operation as quickly as possible, and to limit any potential systemic contagion from a disabling cybersecurity event. There is no provision relating to the CCP assisting its members with their own obligations relating to a breach at the CCP.

This is not to say that there are no notification requirements at a CCP following a cybersecurity breach – it is a reflection of the fact that the only such notification requirement flows upward (to the CFTC) rather than outward (to members):

(g) Notice of exceptional events. A derivatives clearing organization shall notify staff of the Division of Clearing and Risk [of the CFTC], or any successor division, promptly of: (1) Any hardware or software malfunction, security incident, or targeted threat that materially impairs, or creates a significant likelihood of material impairment, of automated system operation, reliability, security, or capacity; or (2) Any activation of the derivatives clearing organization's business continuity and disaster recovery plan.10

SEC

The SEC has operational risk provisions for the CCPs it regulates that are more vague than those of the CFTC.11 A CCP must establish and maintain written policies and procedures reasonably designed to:

(4) Identify sources of operational risk and minimize them through the development of appropriate systems, controls, and procedures; implement systems that are reliable, resilient and secure, and have adequate, scalable capacity; and have business continuity plans that allow for timely recovery of operations and fulfillment of a clearing agency's obligations.12

Similarly, the SEC also requires CCPs to:

(17) Manage the covered clearing agency's operational risks by:

  1. Identifying the plausible sources of operational risk, both internal and external, and mitigating their impact through the use of appropriate systems, policies, procedures, and controls;
  2. Ensuring that systems have a high degree of security, resiliency, operational reliability, and adequate, scalable capacity; and
  3. Establishing and maintaining a business continuity plan that addresses events posing a significant risk of disrupting operations.13

There is, however, no requirement for a CCP to notify a member of a security breach affecting its information.

BUT DO CCP RULES CONTAIN BREACH NOTIFICATION FOR MEMBERS?

There are a limited number of CCPs registered with the SEC or the CFTC. While it is beyond the scope of this client alert to survey each one to determine whether it is obligatory for a CCP to timely notify its members of a cybersecurity breach, there is an industry tool that surveys (and compares) the relevant rules of each CCP.

The Futures Industry Association (''FIA'') CCP Risk Review is a private, industry developed product that permits subscribers to review and compare summaries of the rules and procedures of CCPs worldwide.14 The FIA CCP Risk Review is the most comprehensive review and comparison tool of CCP rules that exists, and it is used by many of the largest Covered Entities to review and monitor their exposure to CCPs.

The FIA CCP Risk Review specifically reviews the relevant provisions of CCP rules:

''Question 127. CCP Disclosure of technology/communication procedures.

Question 127.1 How, if at all, does the CCP disclose information on its technology and communication procedures in respect of [the services it provides]?''

An initial review of the FIA CCP Risk Review summaries of each of the major U.S. CCPs does not reveal any affirmative obligation to timely disclose cybersecurity breaches to members.

HOW CAN CCPs HELP THEIR MEMBERS PROTECT THEMSELVES THROUGH TIMELY NOTIFICATIONS OF CYBERSECURITY BREACHES?

CCPs likely use TPSPs themselves to support their operations. We suggest that CCPs seek to address the timing question specifically in their agreements with such TPSPs. TPSPs understand the importance of information security and typically are willing to agree to be bound by security-related contractual obligations, provided that those obligations are generic in wording and give sufficient flexibility to the TPSP in determining how those security obligations are met. A few examples of backstop provisions for the security terms of such services agreements follow:

  • The security agreement should specify a minimum level of security, even if it permits the TPSP to modify the security procedures over time. Typically, this is done by reference to the information security policy (of the CCP or the TPSP) which will be attached to the services agreement as an exhibit. This approach creates a one-way ratchet dynamic around information security, and sets out a host of security requirements that can serve as definitive reference points in a security audit, or when undertaking a review of a security incident, evaluating whether the TPSP breached the agreement.
  • TPSPs often will propose contractual language obligating them to use commercially reasonable or industry standard practices. Ideally, the services agreement language would supplement such language by specifying that such an obligation includes, but is not limited to, implementing and maintaining industry security standards that are specified by name (e.g., a particular ISO security certification level). In addition to establishing a clearer contractual standard, such industry security standards will provide comfort to the CCP that certain minimum security monitoring and reporting capabilities are maintained on an ongoing basis. TPSPs should also be contractually required to complete security audits at least once annually, and to make the results of those audits available to the CCP.
  • TPSPs often will propose contractual language obligating them to inform the client of a security incident ''promptly'' after an incident is discovered. We suggest expanding this language to cover both confirmed incidents and incidents that are not yet confirmed but that are likely to have occurred, and to include a notice timing backstop: ''promptly, but in any event no later than 24 hours after the applicable confirmed or likely security incident is discovered.''

CCPs should also amend their rules to provide specific assurance and procedures for members to ensure that members may meet their own notification requirements. Such rule changes will likely require the approval of the SEC or CFTC.

CONCLUSION

Covered Entities have spent a significant amount of time and money implementing comprehensive internal information security programs, as well as negotiating detailed protections in contractual arrangements with TPSPs. This combination of protections should assist each Covered Entity in complying with the requirements of Part 500, and limit the potential regulatory exposure should a cybersecurity breach occur (whether originating within the Covered Entity or at a TPSP). Covered Entities that maintain memberships at CCPs may not have such protections, and may find themselves unable to meet timely breach notification requirements should such a cybersecurity event occur at a CCP.

1 According to the New York Department of Financial Services (''NYDFS''), ''[a] Cybersecurity Event is reportable if it falls into at least one of the following categories: the Cybersecurity Event impacts the Covered Entity and notice of it is required to be provided to any government body, self-regulatory agency or any other supervisory body; or the Cybersecurity Event has a reasonable likelihood of materially harming any material part of the normal operation(s) of the Covered Entity. An attack on a Covered Entity may constitute a reportable Cybersecurity Event even if the attack is not successful.'' In a separate answer, the NYDFS noted ''notice to the Department under 23 NYCRR Section 500.17(a)(2) would generally not be required if, consistent with its Risk Assessment, a Covered Entity makes a good faith judgment that the unsuccessful attack was of a routine nature.'' https://www.dfs.ny.gov/about/cybersecurity_faqs.htm.

2 Federal regulation also contains requirements on TPSPs. See, e.g., https://www.occ.gov/news-issuances/bulletins/2013/bulletin-2013-29.html.

3 23 N.Y. C.R.R. § 500.11.

4 Title V of the Gramm-Leach-Bliley Act of 1999 (''GLBA''). In particular, Section 509(3) of the GLBA defined NPI as, among other things, ''personally identifiable financial information – (i) provided by a consumer to a financial institution; (ii) resulting from any transaction with the consumer or any service performed for the consumer; or (iii) otherwise obtained by the financial institution. . .'' Similarly, the European Union General Data Protection Regulation (''GDPR''), which will apply from May 25, 2018, applies to ''personal data,'' rather than NPI under Part 500.

5 https://www.bis.org/cpmi/publ/d101a.pdf.

6 https://www.bis.org/cpmi/publ/d146.pdf.

7 We note that notification requirements may differ in the EU. CCPs are specifically identified as ''operators of essential services'' under the Network and Information Security Directive (''NISD'') (specifically, ''Central counterparties (CCPs) as defined in point (1) of Article 2 of Regulation (EU) No 648/2012 of the European Parliament and of the Council'' fall within the subset of Financial Market Infrastructure). NISD introduces a number of security requirements, including a requirement on CCPs to notify significant security incidents ''without undue delay'' (no specific timeframe is given). Despite various types of financial institutions and financial market infrastructure providers being specifically identified in NISD as operators of essential services, NISD provides that where a type of operator is subject to EU-level sectoral legislation having at least equivalent effect to NISD, that type of operator is outside the scope of NISD and the sectoral rules apply instead. The proposed United Kingdom implementation of NISD, for example, does not apply to CCPs even though they are specifically listed in the Directive.

8 17 C.F.R. § 39.18.

9 Id. at § 39.18(c)(3).

10 Id. at § 39.18(g).

11 See 17 C.F.R. § 240.17AD-22.

12 Id. at § 240.17AD-22(d)(4).

13 Id. at § 240.17AD-22(d)(17).

14 https://www.fiadocumentation.org/fia/ccp-risk-review.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
