As cybersecurity remains in the headlines moving into 2017, we consider recent developments in public policy concerning cybersecurity in the financial services industry.
Given the importance of financial sector infrastructure, sensitivity of financial information and the increasing use of technology in financial services, it is vital for the financial services industry to prioritize cybersecurity and privacy. (And the use of technology in financial services should not be thought of as only online banking and back-end computer systems, but also as innovations in financial services such as mobile payment applications, robo-advisers, peer-to-peer lending, distributed ledger technology, etc., collectively referred to as “fintech.”)
Recent actions by regulatory authorities reflect the current focus on improving financial services cybersecurity and illustrate different forms such actions may take: new or revised regulations (by the New York DFS; FRB, OCC and FDIC; and CFTC), raising awareness (as in the FinCEN advisory) and enforcement (most recently by FINRA).
New York DFS Revises Proposed Cybersecurity Requirements on Financial Services Companies
The New York State Department of Financial Services (DFS) initially published its proposed cybersecurity regulations on September 28, 2016. The regulations were introduced as “first-in-the-nation” rules that would require banks, insurers and other financial services institutions to establish and maintain cybersecurity programs to protect consumers—and the financial system itself—from cyber attacks “to the fullest extent possible.” The proposed regulations were subject to a 45-day notice and comment period.
The proposed regulations were criticized by financial industry groups. In a November 14, 2016 letter to DFS, a collection of such groups raised several issues, including: both duplication of and inconsistencies with existing laws and frameworks; lack of flexibility; and overbroad definitions of material terms. In the same letter, the financial industry groups suggested numerous changes to the proposed regulations.
On December 28, 2016, DFS published updated proposed regulations, in response to some of the comments it received. In the updated regulations, DFS would permit cybersecurity measures to be implemented based on risk assessments, and it substantially revised the sections on exemptions (entities with fewer than ten employees are now exempted), chief information security officers, third party service providers, encryption, cybersecurity event notifications and penetration testing. DFS also delayed the effective date of the proposed regulations, from January 1, 2017 to March 1, 2017, and provided additional time for covered entities to comply with specified provisions.
The updated proposed regulations are subject to an additional 30-day comment period, ending on January 27, 2017. Following the changes, the updated proposed regulations have received criticism as being too weak.
Federal Financial Regulatory Agencies Propose Enhanced Cyber Risk Management Standards
On October 26, 2016, the Board of Governors of the Federal Reserve System (FRB), the Office of the Comptroller of the Currency (OCC) and the Federal Deposit Insurance Corporation (FDIC) (together, the Agencies) jointly published an advance notice of proposed rulemaking (ANPR) of Enhanced Cyber Risk Management Standards. The Agencies’ stated goal in considering these enhanced standards is to strengthen the operational resilience of large and interconnected financial entities and by doing so reduce the likely impact of a cyber event on the financial system as a whole.
In the ANPR, the Agencies take a standards-based, compartmentalized approach to establishing a cybersecurity framework, with five categories of standards, namely: (i) cyber risk governance, developing, maintaining and implementing a formal cyber risk management strategy, integrated into the overall strategic and governance structures of a covered entity; (ii) cyber risk management, integrating cyber risk management into the responsibilities of at least three independent functions within a covered entity; (iii) internal dependency management, identifying and managing cyber risks associated with a covered entity’s business assets; (iv) external dependency management, managing cyber risks associated with a covered entity’s interconnections to external parties; and (v) incident response, cyber resilience and situational awareness, planning to respond to, contain and recover from cyber incidents.
Further compartmentalizing the approach, the Agencies are considering a tiered implementation, where the additional, higher standards referred to as “sector-critical standards” would apply to systems that are critical to proper functioning of the financial sector. Such “sector-critical systems” would be determined based on their interconnectedness and the importance of their role in the financial sector as a whole.
The Agencies also proposed a limited application of the enhanced standards, where each Agency would apply the standards to entities within its jurisdiction with total consolidated assets of $50 billion or more, due to the potential systemic effects of a cyber attack on such an entity. The consolidated assets are determined on an enterprise-wide basis, and the enhanced standards would also apply on an enterprise-wide basis, to all subsidiaries of a covered entity, on the understanding that each subsidiary is a point of risk to the entity as a whole. The ANPR also includes provisions to apply the enhanced standards to third-party service providers.
The comment period for the ANPR has been extended to February 17, 2017.
FinCEN Issues Advisory on Cyber Crime and Bank Secrecy Act Obligations, Seeking Technical Details in Reports of Suspicious Activity
On October 25, 2016, the Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) issued an Advisory to Financial Institutions on Cyber Events and Cyber-Enabled Crime (the Advisory), to advise financial institutions on how their obligations under the Bank Secrecy Act (BSA) relate to cyber events and cyber-enabled crime. Under the BSA, financial institutions are obligated to assist the US government in the detection and prevention of money laundering, including by submitting Suspicious Activity Reports (SARs) to report suspicious transactions or series of transactions conducted or attempted that involve $5,000 or more in funds or other assets. FinCEN makes clear that the Advisory does not change current BSA requirements, SAR requirements or reporting obligations to other regulators. Rather, the Advisory discusses proper reporting of cyber events and other means of aggregating information about cyber events. (For these purposes, “cyber event” is defined as an attempt to compromise or gain unauthorized access to electronic systems, services or information.)
As the Advisory makes clear, if a financial institution knows or suspects, or has reason to suspect, that a cyber event was intended to conduct, facilitate or affect a transaction or series of transactions, it should be considered an attempt to conduct a suspicious transaction or series of transactions. Such cyber events are reportable as suspicious activity, but to determine whether it is obligated to report a cyber event, a financial institution should consider all available information, including the nature of the cyber event and its targets, as well as the value of funds or assets involved. As examples of cyber events that trigger mandatory SAR reporting, the Advisory describes a malware intrusion that is suspected to involve at least $5,000 in assets, a hack that exposes sensitive customer information, and a DDoS attack that is used to prevent the detection of an unauthorized wire transfer. In each case, financial institutions should file a SAR detailing the cyber event, even if no actual transactions may have occurred.
In addition, when filing a SAR, financial institutions should include all cyber-related information. Most financial transactions occur over electronic systems, and details such as IP address and timestamps, device identifiers, virtual wallet information, methods or other technical characteristics can be useful in investigations and in connecting related events.
As the Advisory makes clear, there is a great deal of value in sharing cyber-related information, which can be used to track criminals, identify victims and trace funds. Cyber-related information can also be used in aggregate form, as when FinCEN used BSA reporting from more than twenty financial institutions to investigate an internet company facilitating numerous types of crime with digital currency services.
FinCEN encourages information sharing within financial institutions, by collaboration between BSA/anti-money laundering units, cybersecurity units, fraud prevention teams and other units affected by cyber events. Such collaborations can reveal new patterns of suspicious behaviors, identify otherwise unknown bad actors and generally provide a clearer picture of risks and exposure to the financial institution.
FinCEN also encourages information sharing between financial institutions, under the safe harbor provided by Section 314(b) of the USA PATRIOT Act. After notifying FinCEN and satisfying certain requirements, financial institutions may, under a safe harbor from liability, share information with each other, including cyber-related information, for the purposes of identifying and reporting money-laundering and terrorist activities. According to FinCEN, sharing information about cyber events across institutions may reveal suspicious or illegal activities that would not be detected by any single financial institution.
CFTC Issues Final Rules on System Safeguards
Citing the “well-documented increase” and expansion of cyber threats and the resulting need to enhance cybersecurity testing, the Commodity Futures Trading Commission (CFTC) adopted amendments to its system safeguard rules, in order to enhance and clarify cybersecurity requirements (the Final Rules), effective September 19, 2016. Rather than requiring security measures to protect financial data, these Final Rules require certain cybersecurity testing to be performed at all derivatives clearing organizations, designated contract markets, swap execution facilities and swap data repositories.
The Final Rules set forth several required types of testing, namely: (i) vulnerability testing, to identify discoverable information and other vulnerabilities in systems; (ii) penetration testing, attempts to penetrate automated systems to identify and exploit vulnerabilities, may be launched internally or externally; (iii) controls testing, to determine whether controls are correctly implemented and operational (where “controls” refers to safeguards and security measures to protect automated systems); (iv) security incident response plan testing, to determine the effectiveness of the security incident response plan and identify deficiencies and improvements; and (v) enterprise technology risk assessments, to conduct a written assessment of threats and vulnerabilities and to prioritize risks.
Under the Final Rules, these tests must be performed periodically, subject to minimum testing frequencies for specified types of cybersecurity testing. In addition, reports on testing protocols and results must be communicated to covered entities’ senior management and board of directors. Any vulnerabilities or deficiencies discovered through the required testing must be documented, along with analyses of risks posed by such vulnerabilities or deficiencies and the determination of whether to address or accept those risks.
Compliance dates for the Final Rules range from March 18, 2017 to September 19, 2017 (180 days to 1 year from the effective date), varying according to the type of entity.
FINRA Enforcement Action: 12 Firms Fined $14.4 Million for Cybersecurity Deficiencies
As proposed rules and regulations continue to be considered, we can expect agencies’ focus on cybersecurity to also result in enforcement actions. One recent enforcement action in the financial industry may be notable for its scope and for the specificity of the rule enforced.
On December 21, 2016, the Financial Industry Regulatory Authority (FINRA) announced that it had fined 12 firms a total of $14.4 million for alleged violations of federal securities laws and rules. According to FINRA’s findings, each of the firms allegedly failed to store electronic brokerage records or electronic communications in the “write once, read many” (WORM) format as required under the Exchange Act and related federal rules. The WORM format prevents alteration or destruction of electronic records, and as such it ensures that electronic financial records remain accurate and durable over time. Keeping records in the WORM format also better protects those records against hacking efforts. FINRA asserted that, by failing to use the WORM format, these firms left millions or in some cases hundreds of millions of financial records vulnerable to attack or other misconduct.
Echoing the present emphasis on cybersecurity, FINRA Executive Vice President and Chief of Enforcement noted that the agency’s actions stem from its “focus on ensuring that firms maintain accurate, complete and adequately protected electronic records,” and that “the integrity of these records is critical to the investor protection function.”