The Evolving Landscape of Data Privacy and Cyber Security in the Financial Services Industry

Publication year: 2017


Craig Nazarro

Matt White

Eric Setterlund



Introduction

The regulation of data privacy and cyber security in the financial services sector is in its infancy. This is partly because the regulation of financial services is fragmented, with multiple regulators covering varying risks, across different entities, serving a variety of customers. These regulators include the Federal Reserve Board of Governors (the "Federal Reserve" or "The Fed"), Federal Deposit Insurance Corporation ("FDIC"), Office of the Comptroller of the Currency ("OCC"), Securities and Exchange Commission ("SEC"), Financial Industry Regulatory Authority ("FINRA"), Consumer Financial Protection Bureau ("CFPB"), and the Financial Crimes Enforcement Network ("FinCEN"), among others, as well as additional state agencies covering traditional commercial banking, consumer lending, investment banking, and broker-dealer activity. This article will review the standards currently being utilized by the prudential regulators, the CFPB, and the New York Department of Financial Services, and the best practices that those in the commercial banking and consumer lending spaces should implement, including a review of the FFIEC's Cybersecurity Assessment Tool. This article will also address the same expectations in the regulation of the securities and investment space, with a discussion of examination trends and an overview of recent enforcement actions. Finally, following this article's discussion of compliance on the front end, it will conclude with best practices to implement in the event of a breach, and how implementing best practices prior to a breach will help in limiting regulatory, reputational, and litigation liability following a breach.

I. Regulation Priorities of the FFIEC

Within commercial banking, data privacy and cybersecurity pose a risk both to an institution's consumers and to the institution's safety and soundness. Given this, the CFPB, FDIC, The Fed and the OCC all have an interest in promoting metrics, controls and standards to enhance the protection of information.

The Comptroller at the OCC has repeatedly highlighted the risk of cyber threats to financial institutions, going as far as to call cyber threats the foremost risk facing banks today,1 while the FDIC has said that information security is critical to its ability to carry out its mission of maintaining stability and public confidence in the nation's financial system.2

The FFIEC is a formal interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions by the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Consumer Financial Protection Bureau (CFPB), and to make recommendations to promote uniformity in the supervision of financial institutions.3 To this end, it publishes various resources for institutions to focus on. The FFIEC Information Security booklet is one of these resources. The booklet is one of many that comprise the FFIEC's "IT Handbook". There are eleven (11) such booklets, covering a variety of issues including audit functions, business continuity planning, development and acquisition, e-banking, and outsourcing technologies, as well as other topics. The Information Security booklet, however, speaks directly to the process by which a financial institution protects sensitive information.

Special focus should be paid to the updated Appendix A, which was published as guidance for a regulator's field examiners to assess the level of security risk to an institution's information systems and the adequacy of its information security program's integration into overall risk management. The following 11 objectives are listed for examiners within the appendix, but objectives 2-10 can also be used as internal guidance to assess an institution's own program:4

(1) Determine the appropriate scope and objectives for the examination.
(2) Determine whether management promotes effective governance of the information security program through a strong information security culture, defined information security responsibilities and accountability, and adequate resources to support the program.
(3) Determine whether management of the information security program is appropriate and supports the institution's ITRM process, integrates with lines of business and support functions, and integrates third-party service provider activities with the information security program.
(4) As part of the information security program, determine whether management has established risk identification processes.
(5) Determine whether management measures the risk to guide its recommendations for and use of mitigating controls.
(6) Determine whether management effectively implements controls to mitigate identified risk.
(7) Determine whether management has effective risk monitoring and reporting processes.
(8) Determine whether management has security operations that encompass necessary security-related functions, are guided by defined processes, are integrated with lines of business and activities outsourced to third-party service providers, and have adequate resources (e.g., staff and technology).
(9) Determine whether management has an effective information security program.
(10) Determine whether assurance activities provide sufficient confidence that the security program is operating as expected and reaching intended goals.
(11) Discuss corrective action and communicate findings.

In an effort to help institutions' management identify their risks and determine their preparedness, in 2015 the FFIEC released what is known as the Cybersecurity Assessment Tool, which is comprised of a set of definable metrics that can provide a baseline as to where an institution sits. The assessment tool was designed to provide a measurable and repeatable process to assess an institution's level of cybersecurity risk and preparedness.5 It consists of two parts:

(1) Inherent Risk Profile
(2) Cybersecurity Maturity

To define an Inherent Risk Profile, an institution must consider the type, volume and complexity of its operations and the threats directed at the institution, without taking into account any mitigating controls. From this, an institution is able to assign one of five risk levels (Least, Minimal, Moderate, Significant, Most) to each of five categories:6

• Technologies and connection types
• Delivery channels
• Online/mobile products and technology services
• Organizational characteristics
• External threats

After determining the Inherent Risk Profile, the institution transitions to the Cybersecurity Maturity part of the Assessment to determine the institution's maturity level within each of the following five domains:7

• Domain 1: Cyber Risk Management and Oversight
• Domain 2: Threat Intelligence and Collaboration
• Domain 3: Cybersecurity Controls
• Domain 4: External Dependency Management
• Domain 5: Cyber Incident Management and Resilience

Narratives describe the controls within each of these domains that would place an organization in one of five maturity levels (Baseline, Evolving, Intermediate, Advanced or Innovative). Once the assessment is completed, one can review an institution's Inherent Risk Profile in relation to its Cybersecurity Maturity results for each domain to determine whether they are aligned. If they are not aligned, an institution can then decide what actions are needed, either to reduce its inherent risk profile or to achieve a desired level of maturity.

An institution is not currently required to utilize the Cybersecurity Assessment Tool and, if it does utilize it, it is not required to report the results. However, as with any self-assessment, if an institution does utilize it, it must provide the results if asked by its primary regulator. The use of this tool can not only limit regulatory liability, by showcasing that an institution is doing all that it can to implement a sound approach to data privacy and cyber security, but may also limit litigation liability in the event of a breach, as the institution will be able to show that it was prudent in its data privacy and cybersecurity practices, which can limit damages in many cases.

II. The CFPB's Efforts to Regulate Through Enforcement

The CFPB began its regulation of the data protection space with an enforcement action. In a press release announcing the action, the CFPB cited its authority under UDAAP to bring a claim against an entity called Dwolla, Inc., explaining, "rather than setting 'a new precedent for the payments industry' as asserted, Dwolla's data security practices in fact fell far short of its claims. Such deception about security and security practices is illegal."8 Under the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act), all covered persons or service providers are legally required to refrain from committing unfair, deceptive, or abusive acts or practices (collectively, UDAAPs) in violation of the Act.9 An act or practice is deceptive when:

(1) The act or practice misleads or is likely to mislead the consumer;
(2) The consumer's interpretation is reasonable under the circumstances; and
(3) The misleading act or practice is material.10

One would think that it was the statements that were illegal, not the practices, but when one reviews the consent order it becomes readily apparent that the CFPB was focused on Dwolla's policies and procedures, not its marketing material.

The consent order addresses the marketing violations by mentioning that Dwolla is enjoined from "misrepresenting, or...
