Potential Cyber Security Regulation Could Require Big Changes for Financial Institutions
January 2016 • Lockton® Companies
LAURIE SCHWARZ, CIPP/US, CIPM
Senior Vice President, Cyber Technology Practice
The New York Department of Financial Services sent a letter on November 10, 2015, to federal and state financial regulators outlining the potential for new cyber security regulation requirements for the financial services industry.
• How likely is it that these regulations will come to fruition?
• Will enforcement be a carrot, a stick, or a carrot-stick?
• Will the proposed regulations apply only to financial services organizations operating in New York or nationwide?
I predict it will be the latter, either by regulation, law, or de facto enforcement by state attorneys general or the plaintiffs’ bar.
WHERE DID THE CYBER SECURITY REGULATION COME FROM AND HOW DID WE GET HERE?
As evidenced throughout the reports issued by the New York Department of Financial Services last year, the financial industry relies heavily on third-party service providers for critical banking and insurance functions.
The findings were drawn from several broad conclusions and concerns, and from the dozens of discussions that the Department has held with its regulated entities, cyber security experts, and other stakeholders. Even if a formal adoption or requirement for increased security controls is not implemented, the Department’s letter will become the de facto regulation. It seems that cyber security regulation for financial services firms is inevitable, either explicitly (via regulation) or implicitly (as part of a conduct exam).
The financial services sector has at least a decade’s head start over many other industry verticals when it comes to information security controls, including addressing their IT/information security vendor exposure.
The New York Department of Financial Services conducted a survey in 2013 and 2014 of:
• More than 150 of its regulated banking organizations, about their cyber security programs, costs, and future plans.
• of its regulated insurers.
In May 2014 and February 2015, the New York Department of Financial Services published its findings, which led to:
• Expanded information technology (IT) examination procedures to focus more attention on cyber security.
• Additional risk assessments to identify industrywide risks and vulnerabilities.
• Prioritized scheduling of examinations.
The findings recommend a detailed framework to address third-party service providers, the policies and procedures to include, and the following provisions:
1. The use of multifactor authentication to limit access to sensitive data and systems.
2. The use of encryption to protect sensitive data in transit and at rest.
3. Notice to be provided in the event of a cyber security incident.
4. The indemnification of the entity in the event of a cyber security incident that results in loss.
5. The ability of the entity or its agents to perform cyber security audits of the third-party vendor.
6. Representations and warranties by the third-party vendors concerning information security.
It’s no coincidence that multifactor authentication is the first control on the list, and it will be a key item of interest when it comes to enforcement by regulators. Why? Is it because Amazon introduced multifactor authentication to its e-commerce customers this holiday season? Nice, but no (multifactor authentication isn’t trendy; it’s necessary). Federal Financial Institutions Examination Council (FFIEC) agencies issued guidance on implementing multifactor authentication back in 2001.
STICK APPROACH / CARROT APPROACH / CARROT-STICK APPROACH
A stick approach is being fined by a regulator for not being in compliance.
A carrot approach means there is a “safe harbor” provision written into the regulation. If an organization can demonstrate compliance, there is a limitation on, or immunity from, liability from a regulatory perspective.
A carrot-stick approach is being sued by customers, third parties, or the plaintiffs’ bar, and being able to successfully defend yourself against a negligence or breach of contract claim that is based on the organization’s information security controls.
Regulator Action (columns: Stick / Carrot / Carrot-Stick)
Multifactor authentication X
Encryption X X
Notice of an “incident” X X
Indemnification X
Audits of third-party vendors X X
Reps and warranties by third-party vendors regarding their information security X
State attorneys general are not part of this discussion, but they have already inserted themselves. A week after notice was sent to the financial services regulators from the New York Department of Financial Services, nine state attorneys general sent their own letters. Addressed to the CEOs of Bank of America, JP Morgan Chase, Citigroup, Capital One, and the major payment card brands, they increased pressure for mandated use of PINs with new chip-based payment cards. The attorneys general were from Connecticut, Illinois, Maine, Mississippi, New York, Rhode Island, Vermont, Washington, and Washington, DC.
“Third-party vendors include payment processors, payment gateway providers that store card data and issue tokens, and co-location facility providers. Engagement of third-party vendors has dramatically increased in the past three to five years.”
Summary
Keep an eye on the New York Department of Financial Services. It has established itself as the front-runner when it comes to cyber security regulation for financial institutions. Third-party vendors have played a large role in the major cyber breaches of the past two years. As a result, we anticipate third-party vendor management to be a primary area of focus for politicians and regulators.
Finally, anticipate the foregoing to work its way into discussions with underwriters. Similar to what we are seeing with payment card data, it is no longer enough for organizations to simply “have” the various controls. Expect the focus to shift to “how” you are identifying, understanding, and assuring performance against these controls for your organization and key third-party service providers when it comes to your network, software, and “data.”
© 2016 Lockton, Inc. All rights reserved.