A more specific regulatory approach to data security
November 2020 | PROFESSIONAL INSIGHT | RISK MANAGEMENT
Financier Worldwide Magazine
November 2020 Issue
The global financial sector continues to be a major target for cyber attacks. Information security teams across the sector are grappling with various types of threats on a daily basis – ransomware, business email compromise and credential stuffing – to name a few. Although the sector overall is heavily regulated, it has traditionally enjoyed less oversight in the area of data security. That is changing.
The cyber threat landscape is growing, and financial services companies now recognise the value of Big Data, leading them to gather vast amounts of personal and commercial data for various business purposes. Regulators are taking notice, and the trend is toward states and financial regulators imposing specific data security requirements through laws and guidance. Financial services companies will need to grapple with how to address this shifting regulatory landscape.
In 1999, the Gramm-Leach-Bliley (GLB) Act introduced data security requirements to the broader financial sector. Since it was first promulgated in the early 2000s, the Act’s Safeguards Rule has provided the basic information security framework that the financial sector has used to protect customer records and information. The Safeguards Rule provides standards for developing, implementing and maintaining reasonable administrative, technical and physical safeguards to protect the security, confidentiality and integrity of customer information.
The standards were designed to apply to a broad range of companies within the financial sector and were intended to provide them with the discretion to design information security programmes suited to their size, complexity and activities. The standards are more conceptual than specific and served to establish a baseline for the financial sector that has remained relatively unchanged for the past 20 years. This model involving reasonable and appropriate safeguards and flexible, scalable standards has been applied in the healthcare sector by the Federal Trade Commission (FTC) and in other regulatory regimes.
This regulatory landscape – where companies have broad leeway to design their information security programmes – is starting to shift as cyber security threats loom large and have become a daily reality for the financial sector. In addition, financial institutions and other financial services companies, both large and small, increasingly recognise the importance of Big Data. Companies are racing to amass and analyse vast troves of personal and other commercial information to leverage for various business purposes. This increase in the amount and sensitivity of information increases a company’s risk profile and exposure in the event of a data security incident.
Regulators are taking notice of this pattern and are imposing more stringent and specific data security requirements on the financial sector. Many will be familiar with two recent examples from New York, a financial services hub. The New York Department of Financial Services (NYDFS) Cybersecurity Regulation was the first of its kind, imposing detailed cyber security requirements on covered entities. The regulation extends not just to customer personal information, as GLB does, but to confidential information more generally.
The regulation requires all NYDFS regulated entities, subject to certain exemptions, to adopt the core requirements of a cyber security programme, including a cyber security policy, effective access privileges, risk assessments, and training and monitoring for all authorised users. There are also provisions designed to ensure senior leadership’s attention to cyber security: a senior officer or the board of directors must approve the cyber security policy, the chief information security officer must report annually to the board of directors on the programme and its risks, and the board of directors must certify compliance to the regulator each year.
New York also recently amended its data breach statute to impose more specific data security requirements on financial services companies that own or license the private information of a New York resident, even though they might not otherwise fall under NYDFS’s jurisdiction. The law now includes a reasonable security requirement and enumerates components of a compliant information security programme that fall into three categories: administrative safeguards, technical safeguards and physical safeguards. Specific requirements include a risk assessment, employee training, system monitoring, and detecting and responding to security incidents.
Another regulator with responsibility for GLB, the FTC, may also be shifting its approach. After moving toward more specific data security orders in its enforcement activities over the past two years, the FTC has proposed numerous changes to the Safeguards Rule for entities within its jurisdiction. The changes would impose more detailed requirements on companies, including encryption, access controls and multifactor authentication. Although the proposed changes are largely drawn from the NYDFS cyber security regulation, they go further in some areas, seeking comment on issues like data minimisation and elimination and requiring a legitimate business justification for collecting data in the first instance.
Faced with this clear trend, companies in the financial sector will need to make a choice. Companies that are not yet affected by the New York laws can either wait for regulators to impose more specific data security standards or they can proactively try to anticipate what is surely down the road. There are pros and cons to each approach.
Many companies in the financial sector already have mature information security programmes due to their risk profile and focus on compliance generally. Their programmes might already comply with many of the aforementioned laws and proposals, and so there are reasons to take a ‘wait-and-see’ approach. Because technology and the threat landscape change so rapidly, it might not make sense for these companies to try to anticipate additional measures given the associated costs and uncertainty over what the laws might be in two to three years.
For companies that are still developing their information security programmes, there is good reason to look at the recently passed laws and proposals for guidance on the components of a good information security programme. Although the approaches are more specific, they still allow for some measure of flexibility. In thinking about bringing their information security programmes into alignment with the newer laws, financial services companies should also be thinking about third-party technical standards, for example the Financial Services Sector Coordinating Council (FSSCC) Cybersecurity Profile, the NIST Cybersecurity Framework, the ISO Cybersecurity Standard, and the ISACA COBIT Framework. These typically form the basis for policymakers’ discussions when debating new laws and provide tested models for cyber preparedness.
Regardless of whether companies take a wait-and-see approach or try to anticipate more specific requirements, all financial services companies should be regularly reviewing their information security programmes and benchmarking them against these third-party standards. Not only does this ensure that programmes are consistent with best practices, but documenting adherence to these standards acts as a kind of affirmative defence against litigation and enforcement actions relating to data security. Indeed, many of these standards are relied on by regulators in their oversight of regulated entities’ cyber security and system safeguards and form the basis of examination procedures.
Finally, all financial services companies should be thinking of other ways to reduce their cyber security risk. Financial services companies need to stay on top of technology developments to ensure their security tools and practices are up-to-date. Compliance departments should ensure they are read into any business or operational changes that may increase cyber security risks. Monitoring the security issues that similarly situated financial services companies are facing and learning from those incidents is also an important part of preparedness. Although the instinct is oftentimes to compile more and more data, that also increases a company’s risk profile.
Business, leadership and compliance organisations should think strategically about data, ask whether all of that data is really necessary and useful, and consider data minimisation wherever possible. De-identifying information is another way for companies to minimise risk while still retaining the ability to analyse data and discern important trends for various business uses.
Kirk J. Nahra is a partner and Arianna Evers is counsel at WilmerHale. Mr Nahra can be contacted on +1 (202) 663 6128 or by email: kirk.nahra@wilmerhale.com. Ms Evers can be contacted on +1 (202) 663 6122 or by email: arianna.evers@wilmerhale.com.
© Financier Worldwide
By Kirk J. Nahra and Arianna Evers, WilmerHale