White Paper on Financial Industry Regulatory Climate

Transcription

1 White Paper on Financial Industry Regulatory Climate According to a 2014 report on threats to the financial services sector, 45% of financial services organizations polled had suffered economic crime during 2014, and cybersecurity was cited as the second largest economic criminal threat to financial institutions for that year. 1 Notwithstanding these figures, and the increasing prominence of cyber threats across the board, the report also found that there is a stark disconnect when it comes to how cybercrime risk is perceived by various stakeholders within financial institutions. In some cases, poll respondents significantly underestimated the likelihood their organization would fall victim to cybercrime. As financial services companies have worked to combat increasingly sophisticated data security threats, the industry has come under greater legislative and regulatory scrutiny. This paper provides an overview of various actions taken by regulatory authorities to help direct how financial institutions should approach cybersecurity threats and security compliance generally. I. Cybersecurity Vulnerabilities Banks, payment card providers, payment processors, and other financial services firms continue to be frequent targets of hacking attempts, an estimated 80% of which are linked to organized crime. 2 Hundreds of data security events are reported each year, and nearly a billion consumer records were impacted by data breaches in According to one publicly-available source, about 10% of the breaches listed for that time period were reported by financial institutions. 4 The relatively low percentage of data breaches affecting financial institutions may reflect a higher level of cybersecurity preparedness in light of the industry s elevated risk profile and the various regulatory requirements applicable to entities operating in the financial services sector. Although there is no question that cybersecurity is a critical issue for the financial industry, only a few of the most prominent data breach events on record affected financial services entities. A paper issued by the Securities and Exchange Commission noted that while almost 75% of advisers and 88% of broker-dealers examined had been the subject of a cyberrelated incident in 2014, the majority reported losses of no more than $5, The most highprofile data breach to hit the financial services industry in 2014 was the attack on JPMorgan Chase & Co., which is believed to have affected over 80 million households and businesses, making it one of the largest reported security incidents to date. 6 What surprised many was the 1 Threats to the Financial Services Sector: Financial Services sector analysis of PwC s 2014 Global Economic Crime Survey, PricewaterhouseCoopers, available at 2 The Top 8 Largest Data Breaches in the Financial Services Industry, ASSOCIATION OF CERTIFIED FINANCIAL CRIME SPECIALISTS, Aug. 28, 2014, available at 3 Penny Crosman, Eight Lessons for Banks from the Data Breaches of 2014, AMERICAN BANKER, Dec. 2, 2014, available at 4 Chronology of Data Breaches, PRIVACY RIGHTS CLEARINGHOUSE, available at 5 Cybersecurity Examination Sweep Summary, OFFICE OF COMPLIANCE INSPECTIONS AND EXAMINATIONS, Feb. 3, 2015, available at 6 JPMorgan hack exposed data of 83 million, among biggest breaches in history, REUTERS, Oct. 2, 2014, available at

2 low tech nature of the attack, which is believed to have begun after hackers stole the login credentials of a JPMorgan employee and used the credentials to access a server which was not protected by a double authentication scheme. It was later discovered that the hackers who attacked JPMorgan also had attempted to infiltrate other financial institutions, although federal officials believe the other attempts were unsuccessful. 7 Overall, hacking was the most common cause of security breaches reported by financial institutions in 2014, followed by employee malfeasance or negligence, vendor malfeasance or negligence, and theft of electronic storage devices. II. Regulatory Landscape Although regulators have not yet launched formal cybersecurity-related enforcement actions against financial institutions, banking authorities and other government agencies have strongly signaled that cybersecurity is a high-priority concern. In 2014, the Securities and Exchange Commission (SEC), the Federal Financial Institutions Examinations Council (FFIEC), the Financial Industry Regulatory Authority (FINRA), and the New York Department of Financial Services (NYDFS) engaged in a variety of cybersecurity information gathering efforts through examinations, roundtables, and other public forums with financial institutions. The resulting alerts and guidance summarized below highlight issues that regulators have identified as being critical to effective cybersecurity risk management. A. Office of Compliance Inspections and Examinations (OCIE) In April 2014, the Securities and Exchange Commission s Office of Compliance Inspections and Examinations (OCIE) released a Risk Alert announcing that the Office would be examining fifty registered broker-dealers and investment advisers to assess cybersecurity preparedness in the securities industry. 8 The Risk Alert outlined certain factors for financial institutions to consider when assessing their cybersecurity risk management systems, but emphasized that the list of factors was not exhaustive, and that such an assessment would not create a safe harbor from potential liability. The OCIE s Risk Alert included a sample request for documents and information related to cybersecurity risks that compliance professionals may use to assess a financial institution s preparedness. The sample requests are divided into the following five categories: Identification of Risks/Cybersecurity Governance Protection of Firm Networks and Information Risks Associated with Remote Customer Access and Funds Transfer Requests Risks Associated with Vendors and Other Third Parties 7 Danny Yadron, J.P. Morgan Hackers Attempted to Infiltrate Other Financial Institutions, WALL STREET JOURNAL Oct. 6, 2014, available at 8 OCIE Cybersecurity Initiative, OFFICE OF COMPLIANCE INSPECTIONS AND EXAMINATIONS, Apr. 15, 2014, available at

3 Detection of Unauthorized Activity Each of these categories covers requests for various policies, procedures, and other materials evidencing the entity s data security practices. The issues addressed by the assessment range from the very broadest considerations, such as whether the entity has implemented a Written Information Security Policy, appointed a Chief Information Security Officer (CISO), and obtained cybersecurity insurance coverage, to specific inquiries regarding particular processes, such as how the entity secures removable and portable media devices or authenticates requests seeking to transfer funds from an account. The results of the Cybersecurity Examination Sweep were published in a summary released by the OCIE on February 3, 2015 (the Cybersecurity Summary ). 9 Generally, the Sweep revealed that the investment advisers from the sample were somewhat less likely to have implemented cybersecurity policies and practices than their counterpart regulated broker-dealers, though almost all examined broker-dealers (98%) and investment advisers (91%) make use of encryption in some form. The Cybersecurity Summary noted that the vast majority (80% or more) of examined firms conduct periodic risk assessments on a firm-wide basis to identify cybersecurity threats, vulnerabilities, and potential business consequences. However, while a majority of broker-dealers (84%) apply these requirements to their vendors, only 32% of the advisers had such vendor compliance obligations in place. The Cybersecurity Summary also noted that the designation of a CISO varied with the examined firms business models. Approximately two-thirds of the broker-dealers (68%) had an individual explicitly assigned as the firm s CISO. In contrast, less than one-third (30%) of the advisers had a designated CISO. And while over half (58%) of the broker-dealers maintained some form of cybersecurity insurance, the number was significantly lower (21%) for advisers. These findings are likely to influence future regulatory investigations and enforcement actions in this space. B. Financial Industry Regulatory Authority (FINRA) In January 2014, FINRA issued sweep letters to better understand the types of threats facing financial institutions and how institutions respond to those threats. 10 The letters addressed a number of areas related to cybersecurity, including examining the institutions : Approaches to information technology risk assessment; Business continuity plans in case of a cyber-attack; Organizational structures and reporting lines; Processes for sharing and obtaining information about cybersecurity threats; Understanding of concerns and threats faced by the industry; Assessment of the impact of cyber-attacks occurring over the previous twelve months; Approaches to handling distributed denial of service attacks; 9 Cybersecurity Examination Sweep Summary, OFFICE OF COMPLIANCE INSPECTIONS AND EXAMINATIONS, Feb. 3, 2015, available at 10 Targeted Examination Letters re: Cyber Security, FINANCIAL INDUSTRY REGULATORY AUTHORITY, Jan. 2014, available at

4 Training programs; Insurance coverage for cybersecurity-related events; and Contractual arrangements with third-party service providers. FINRA is expected to release an analysis of the results of the sweep letters in C. Federal Financial Institutions Examination Council (FFIEC) During the summer of 2014, the FFIEC piloted its own cybersecurity work program to evaluate cybersecurity risk preparedness at over 500 community financial institutions. 11 The evaluation focused on (1) risk management and oversight; (2) threat intelligence and collaboration; (3) cybersecurity controls; (4) external dependency management; and (5) cyber incident management and resilience. In its findings, the FFIEC emphasized the need for engagement on the part of the board of directors and senior management, including by routinely discussing cybersecurity issues in meetings; monitoring and maintaining sufficient awareness of threats and vulnerabilities; establishing and maintaining a dynamic control environment; managing connections to third parties; and developing and testing business continuity and disaster recovery plans that incorporate cyber incident scenarios. The FFIEC reported that it was updating its current guidance to align with the evolving cybersecurity risks identified over the course of the cybersecurity work program. D. New York Department of Financial Services At the end of 2014, the New York Department of Financial Services issued a letter to all New York State-chartered or licensed banking institutions indicating its plans to expand its information technology examination procedures to focus more attention on cybersecurity. 12 Going forward, the Department s pre-examination First Day Letters will include questions about: Management of cyber security issues, including the interaction between information security and core business functions, written information security policies and procedures, and the periodic reevaluation of such policies and procedures in light of changing risks; Resources devoted to information security and overall risk management; Risks posed by shared infrastructure; Protections against intrusion, including multi-factor or adaptive authentication and server and database configurations; Information security testing and monitoring (including penetration testing); 11 FFIEC Cybersecurity Assessment General Observations, FEDERAL FINANCIAL INSTITUTIONS EXAMINATIONS COUNCIL, available at 12 NYDFS Issues Examination Guidance to Banks Outlining New Targeted Cyber Security Preparedness Assessments, NEW YORK DEPARTMENT OF FINANCIAL SERVICES, Dec. 10, 2014, available at

5 Incident detection and response processes (including monitoring); Training of information security professionals and other personnel; Management of third-party service providers; Integration of information security into business continuity and disaster recovery policies and procedures; and Cybersecurity insurance coverage and other third-party protections. E. The Obama Administration s Cybersecurity Framework In February 2014, the White House announced the launch of the Framework for Improving Critical Infrastructure Cybersecurity (the Framework ), developed by the National Institute of Standards and Technology (NIST) as required pursuant to Section 7 of the Obama Administration s February 2013 Executive Order on Cybersecurity. 13 Although the Framework is not focused on any particular industry sector, it provides helpful guidance on minimizing cybersecurity risk for all organizations, including financial institutions. The Framework focuses on many of the same issues examined by financial industry regulators (as described above), and emphasizes the importance of an organization s (1) strong governance with respect to cybersecurity risk; (2) approaches to identifying and authorizing individuals to access organizational access and systems; (3) awareness and training measures; (4) anomalous activity detection and system monitoring; and (5) response activities, including information sharing or other mitigation efforts. Additionally, on February 13, 2015, President Obama issued an Executive Order Promoting Private Sector Cybersecurity information Sharing. 14 The purpose of the Executive Order is to encourage the voluntary sharing of information related to cybersecurity risks and incidents between private companies, nonprofits, federal departments and agencies, and other entities, and to collaborate to respond to incidents in as close to real time as possible. The Executive Order requires the Secretary of the Department of Homeland Security (DHS) to strongly encourage the development of information sharing and analysis organizations (ISAOs). ISAOs are intended to be more flexible and broader in scope than existing Information Sharing and Analysis Centers (ISACs), which are limited by industry sector. The hope is that ISAOs will function as a community that shares information across a region or in response to a specific emerging cyber threat, potentially even at the level of individual companies sharing information among customers or business partners. 15 The February 2015 Executive Order requires the Secretary of the DHS to enter into an agreement with a non-governmental organization for the development of a common set of 13 Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0, NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY, Feb. 12, 2014, available at 14 Exec. Order Promoting Private Sector Cybersecurity Information Sharing, President Barack Obama, Feb. 13, 2015, available at 15 Fact Sheet: Executive Order Promoting Private Sector Cybersecurity Information Sharing, THE WHITE HOUSE OFFICE OF THE PRESS SECRETARY, Feb. 12, 2015, available at

6 voluntary standards and guidelines for ISAOs. These guidelines likely will focus on the methods and means by which participating ISAOs should communicate cybersecurity threat information with each other, while focusing on privacy protections for individual participating organizations. Under the Executive Order, the standards are meant to further the goal of creating robust information sharing related to cybersecurity risks and incidents with ISAOs and among ISAOs to create deeper and broader networks of information sharing nationally, and to foster the development and adoption of automated mechanisms for the sharing of information. III. Conclusion Financial institutions have long been prime targets for all types of criminal activity, and the rise of cybersecurity threats has only upped the ante for entities operating in this space. As outlined above, in the past few years there has been a significant increase in regulatory attention focused on cybersecurity issues, and financial industry regulators have clearly signaled that they expect regulated entities take the steps necessary to protect financial infrastructure from cyber attacks. Proactive risk assessments and careful attention to the ever-evolving regulatory landscape, including by reviewing guidance issued by financial regulators and other government authorities, will be key to ensuring a compliant security posture going forward.