At the North American Securities Administrators Association ("NASAA") cybersecurity roundtable held on June 23, 2017, NASAA President Mike Rothman detailed the growing cybersecurity risks for members and affirmed NASAA's commitment to managing these risks.

Mr. Rothman explained that as cyberattacks increase in both complexity and frequency, there is significant potential for adverse consequences for financial services firms. He pointed to the recent "WannaCry" ransomware attacks (see previous coverage and Cadwalader memorandum) as an example of cyberattacks that had widespread effects on global computer networks. On the lurking financial impacts of cyberattacks, Mr. Rothman explained:

"Criminal data breaches will cost businesses a total of $8 trillion over the next 5 years, predicts a new report from Juniper Research. This report also forecasts that the number of personal data records stolen by cybercriminals will reach 2.8 billion this year and 5 billion in 2020."

Mr. Rothman stressed the importance of cooperative efforts between firms and regulators to address cybersecurity issues, noting that cybersecurity efforts must focus not only on prevention, but also on mitigation and recovery.

The roundtable also included discussions on various cybersecurity issues faced by securities firms and ways that smaller firms can effectively utilize cybersecurity resources while operating on a limited budget.

Commentary / Joseph Facciponti

The truly frightening increase in cyberattacks – according to the New York Attorney General, there were 1,300 data breaches reported by businesses in New York alone in 2016, up 60 percent from the prior year – underscores the need for regulators and the financial services industry to work together to better protect sensitive data and systems. NASAA's commitments to fostering collaboration between regulators and the industry and to providing guidance to firms are welcome steps toward addressing cybersecurity threats.

Commentary / Steven Lofchie

A question for regulators is whether they are able to improve cybersecurity through industry cooperation and information sharing, or if the preferred regulatory tool will be enforcement action against any firm suffering a material cyberattack event.
