Imagine the following nightmare scenario. At 5 AM, you get a call letting you know your company has just experienced a cybersecurity incident. Your clients cannot access their accounts. Your employees are also locked out. As you investigate further, you discover that your client data has been breached: names, addresses, account numbers, social security numbers.
Staying on the Right Side of Cybersecurity Regulations
Could this nightmare worsen? Unfortunately, yes. Depending on your business, you may need to notify federal and state regulatory bodies of the incident. Moreover, they may need to review your cybersecurity controls to determine whether you took appropriate measures before, during, and after an incident. An incident in itself does not constitute a regulatory violation, but improper controls can result in penalties and fines added to the already high costs of an incident.
How to Reduce Risks of Non-Compliance
As with any high-risk area, planning and preparation are key. From InnReg’s experience with dozens of financial innovators, we’ve been able to boil risk mitigation down to a checklist. If you have not already completed these essential tasks, our advice is simple: start now!
Review and Preparation
- Perform a detailed review of your existing information security practices
- Map out all required controls and procedures imposed by regulators
- Identify gaps in the existing information security system and prioritize them by probability and impact
- Determine remediation efforts and corrective actions to eliminate any control gaps
- Assess whether current controls would adequately mitigate threats
- Assess your ability to detect a system breach and to determine whether any data has been compromised
Documentation and Implementation
- Document comprehensive Information Security Procedures that are approved by your C-level leaders. Specify detailed program logic and implementation of every element of your cybersecurity system
- Implement your cybersecurity plans by publishing your Information Security Procedures document, conducting employee training, carrying out program performance metrics, and managing reporting and program updates
- Have a plan to be proactive during any regulatory reviews or due diligence processes
Why Cybersecurity Is a Compliance Issue for Fintech
When you consider that regulation intends to protect consumers and businesses, it makes sense that regulators would take an interest in cybersecurity. In the world of financial services, regulators, generally speaking, want to be sure that you are adequately safeguarding both assets and confidential information. Adequate safeguards include measures taken in advance to mitigate cyber risks.
Regulators want to know whether you are meeting appropriate standards of care for the trust placed in you when you hold or manage client assets and data. You may need to demonstrate that you have met their criteria before or after an incident.
The most demonstrable evidence of such care is your compliance program. Your compliance program protects you against risks in advance and equips you to respond to incidents more effectively. Its existence also demonstrates to regulators that you have made real and good faith efforts.
The compliance requirements of specific regulatory bodies are where the rubber meets the road. While detailing every regulator’s requirements would be a better fit for a book than a blog post, below, we highlight a few of the most relevant.
SEC Compliance Requirements for Broker-Dealers
Regulation S-P covers cybersecurity for broker-dealers, as well as for other businesses. According to the SEC, it:
Requires registered broker-dealers, investment companies, and investment advisers to “adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information.” (Source: SEC)
The requirement that policies and procedures be in writing is crucial. They must give explicit instruction on the who, what, and how of safeguarding customer records and information and of ensuring proper disposal of consumer report information.
In addition, broker-dealers must provide notification to customers describing how personal information is used as well as provide customers the ability to opt out of such use.
SEC Registered Investment Advisor Requirements
Investment Company Act Rule 38-1 and Investment Advisers Act Rule 206(4)-7 both provide essential detail on compliance expectations, more broadly than on the topic of cybersecurity. What they mean, however, is that your cybersecurity and data protection compliance efforts must satisfy the following conditions:
- Written policies and procedures that you have reasonably designed to prevent violation
- Approval of the fund’s board of directors, including a majority of directors who are not interested persons of the fund
- Training of employees in following the procedures
- Annual review of the adequacy of cybersecurity policies and procedures
- Appointment of a Chief Compliance Officer responsible for overseeing and administering procedures
- Reporting on the operation of the policies and procedures, any material changes to policies, and reporting of any breaches or policy violations
- Proper record-keeping documenting annual reviews of cybersecurity policies and procedures
FTC Financial Privacy Rule Policy Requirements
Two key rules are worth noting for companies offering any kind of financial service, digital or otherwise:
- The Financial Privacy Rule governs how financial institutions can collect and disclose customers’ personal financial information.
- The Safeguards Rule requires all financial institutions to maintain safeguards to protect customer information.
Financial Privacy Rule. Companies covered by these rules must inform their customers about information-sharing practices and explain their right to ‘opt out’ if they do not want their information shared with certain third parties.
Safeguards Rule. Companies must also develop a written information security plan that describes their program to protect customer information. This rule is comparable to SEC requirements described above: The plan must be appropriate to the company’s business, and companies must be able to demonstrate their compliance with information security provisions as part of their regular operations as well as in the case of a breach of any customer information.
As a result, FTC requirements also must be managed with a robust compliance program.
New York Department of Financial Services (NY DFS) Cybersecurity Regulation
New York State is a leader in establishing robust state-level regulatory regimes for financial services. In March 2017, the New York Department of Financial Services (NY DFS) issued 23 NYCRR Part 500. This regulation specifies minimum standards for regulated entities’ cybersecurity programs.
The New York Department of Financial Services cybersecurity regulations can have significant implications. In July of 2020, it filed the first enforcement action under its cybersecurity regulation against First American Title Insurance Co. Our intention here is not to evaluate the particular case, however. Instead, the nature of what NY DFS alleges in the charges offers an object lesson for any financial services company on what will be reviewed and what must be done properly.
The NY DFS charges focus on a few major themes that can apply to other contexts, too. The underlying data breach, disclosed in 2019, resulted in the exposure of more than 800 million documents over the course of many years, including sensitive and confidential data.
The ultimate cause of the data breach was a design flaw in a web-based system for document retrieval. The flaw remained in place from 2014 to 2018, when First American discovered the vulnerability.
In the complicated history of the discovery and attempts to remediate, a few elements are instructive.
- First American employees allegedly misclassified the risks and threats of the vulnerability in question. They did not understand that it resulted in exposing personal information and classified it as low risk. This situation highlights the importance of having the right mechanisms for evaluating and escalating issues when they are discovered.
- Per the NY DFS charges, First American did not remediate the vulnerability for over five months after it was discovered, despite a documented policy of addressing even low-risk issues. Initial employee testimony called out a lack of clearly assigned roles and responsibilities within clear processes and accountability. These elements make an enormous impact in getting issues resolved with appropriate urgency and speed.
- Finally, the charges allege that First American did not provide sufficiently qualified resources and adequate information and support to remediate the issue.
While First American intends to contest the charges, their very nature reveals the elements that regulators increasingly expect to see implemented in the face of rising cybersecurity threats.
Key Takeaways for Regulated Entities
- Regardless of their business model, companies offering financial services and products must comply with cybersecurity and data protection requirements from multiple regulatory agencies at the federal and state level.
- In the worst-case scenario of a cybersecurity incident or data breach, having designed and implemented policies and procedures mitigates the risk of regulatory penalties on top of the costs of the breach.
If you have questions about the adequacy of your cybersecurity policies or the ways in which you have implemented them, we’d be happy to discuss your situation. Contact us here.
InnReg is a team of over 30 Regulatory Compliance and Innovation Consulting experts helping fintechs succeed in highly regulated markets since 2013. InnReg specializes in mitigating regulatory risk while helping clients launch and grow innovative fintech products and services.