
Potential Cyber Security Regulation Could Require Big Changes for Financial Institutions · 2016-01-13


Potential Cyber Security Regulation Could Require Big Changes for Financial Institutions

January 2016 • Lockton® Companies

LAURIE SCHWARZ, CIPP/US, CIPM
Senior Vice President, Cyber Technology Practice
415.568.4189
[email protected]

The New York Department of Financial Services sent a letter on November 10, 2015, to federal and state financial regulators outlining the potential for new cyber security regulation requirements for the financial services industry.

• How likely is it that these regulations will come to fruition?

• Will enforcement be a carrot, a stick, or a carrot-stick?

• Will the proposed regulations apply only to financial services organizations operating in New York or nationwide?

I predict it will be the latter, either by regulation, law, or de facto enforcement by state attorneys general or the plaintiffs’ bar.

As evidenced throughout the reports issued by the New York Department of Financial Services last year, the financial industry relies heavily on third-party service providers for critical banking and insurance functions.

The findings were drawn from several broad conclusions and concerns, and from the dozens of discussions that the Department has held with its regulated entities, cyber security experts, and other stakeholders. Even if a formal adoption or requirement for increased security controls is not implemented, the Department’s letter will become the de facto regulation. It seems cyber security regulation for financial services firms is inevitable, either explicitly (via regulation) or implicitly (as part of a conduct exam).

“Even if a formal adoption or requirement for increased security controls is not implemented, the Department’s letter will become the de facto regulation.”

The financial services sector has at least a decade’s head start over many other industry verticals when it comes to information security controls, including addressing its IT/information security vendor exposure.

It’s no coincidence that multifactor authentication is the first control on the list and will be a key item of interest when it comes to enforcement by regulators. Why? Is it because Amazon introduced multifactor authentication to its e-commerce customers this holiday season? Nice, but no (multifactor authentication isn’t trendy; it’s necessary). Federal Financial Institutions Examination Council (FFIEC) agencies issued guidance on implementing multifactor authentication back in 2001.

The New York Department of Financial Services conducted a survey in 2013 and 2014 of:

• More than 150 of its regulated banking organizations, about their cyber security programs, costs, and future plans.

• A number of its regulated insurers.

In May 2014 and February 2015, the New York Department of Financial Services published its findings, which led to:

• Expanded information technology (IT) examination procedures to focus more attention on cyber security.

• Additional risk assessments to identify industrywide risks and vulnerabilities.

• Prioritized scheduling of examinations.

The findings recommend a detailed framework to address third-party service providers, the policies and procedures to include, and the following provisions:

1. The use of multifactor authentication to limit access to sensitive data and systems.

2. The use of encryption to protect sensitive data in transit and at rest.

3. Notice to be provided in the event of a cyber security incident.

4. The indemnification of the entity in the event of a cyber security incident that results in loss.

5. The ability of the entity or its agents to perform cyber security audits of the third-party vendor.

6. Representations and warranties by the third-party vendors concerning information security.

“Multifactor authentication isn’t trendy, it’s necessary.”

WHERE DID THE CYBER SECURITY REGULATION COME FROM AND HOW DID WE GET HERE?


STICK APPROACH, CARROT APPROACH, CARROT-STICK APPROACH

A stick approach is being fined by a regulator for not being in compliance.

A carrot approach means there is a “safe harbor” provision written into the regulation. If an organization can demonstrate compliance, there’s a limitation on, or immunity from, liability from a regulatory perspective.

A carrot-stick approach is being sued by customers, third parties, or the plaintiffs’ bar, and being able to successfully defend yourself against a negligence or breach-of-contract claim that is based on the organization’s information security controls.

Regulator Action | Stick | Carrot | Carrot-Stick

Multifactor authentication X

Encryption X X

Notice of an “incident” X X

Indemnification X

Audits of third-party vendors X X

Reps and warranties by third-party vendors regarding their information security X

State attorneys general are not part of this discussion, but they have already inserted themselves. A week after the New York Department of Financial Services sent its notice to the financial services regulators, nine state attorneys general sent their own letters. Addressed to the CEOs of Bank of America, JP Morgan Chase, Citigroup, Capital One, and the other major payment card brands, the letters increased pressure for mandated use of PINs with new chip-based payment cards. The attorneys general were from Connecticut, Illinois, Maine, Mississippi, New York, Rhode Island, Vermont, Washington, and Washington, DC.

“Third-party vendors include payment processors, payment gateway providers that store card data and issue tokens, and co-location facility providers. Engagement of third-party vendors has dramatically increased in the past three to five years.”

Summary

Keep an eye on the New York Department of Financial Services. It has established itself as the front-runner when it comes to cyber security regulation for financial institutions. Third-party vendors have played a large role in the major cyber breaches of the past two years. As a result, we anticipate third-party vendor management to be a primary area of focus for politicians and regulators.

Finally, anticipate the foregoing to work its way into discussions with underwriters. Similar to what we are seeing with payment card data, the question is no longer whether organizations “have” the various controls. Expect the focus to shift to “how” you are identifying, understanding, and assuring performance against these controls for your organization and key third-party service providers when it comes to your network, software, and “data.”


© 2016 Lockton, Inc. All rights reserved.
