According to a 2015 report on threats to the financial services sector, 41% of financial services organizations polled had experienced a data breach or failed a compliance audit in the previous year, and 57% listed preventing a data breach as their top IT priority. Reflecting the ever-increasing awareness of threats to financial data security, 2015 also saw a number of regulatory enforcement actions and legislative efforts directed at financial institutions. Below we outline some of the most significant developments of the past year.
1. SEC Enforcement Action
In September 2015, the SEC reached a settlement with a St. Louis-based investment adviser on charges that it failed to establish required cybersecurity policies and procedures in advance of a breach affecting the personally identifiable information (“PII”) of 100,000 individuals.
The SEC has the power to bring enforcement actions against registered financial entities that fail to meet certain cybersecurity standards. Specifically, the SEC may bring enforcement actions for violations of SEC Regulation S-P (17 CFR § 248.30(a)) (commonly referred to as the “Safeguards Rule”). Under the Safeguards Rule, all registered entities must have written policies and procedures designed to:
- Insure the security and confidentiality of customer records and information;
- Protect against any anticipated threats to the security of customer information; and
- Protect against unauthorized access to or use of customer information that could result in substantial harm or inconvenience to any customer.
In this case, the investment adviser stored its clients’ sensitive PII on a third party-hosted web server that was attacked by hackers. The SEC found that the investment adviser violated the Safeguards Rule by failing to:
- adopt written policies and procedures reasonably designed to safeguard customer information;
- conduct periodic risk assessments;
- implement a firewall;
- encrypt PII stored on its server; and
- maintain a response plan for cybersecurity incidents.
Notably, there was no evidence of any harm to clients as a result of the hack. Despite the lack of harm, the SEC announced its intention to enforce the Safeguards Rule “even when there is no apparent financial harm to clients.” It also cautioned financial firms to adopt written policies to protect customers’ private information and to “anticipate potential cybersecurity events and have clear procedures in place rather than waiting to react once a breach occurs.”
2. New York Department of Financial Services Cybersecurity Regulatory Framework Proposal
In November 2015, the New York Department of Financial Services (NYDFS) issued a letter setting forth an extensive cybersecurity regulatory framework proposal. Following its surveys of the cybersecurity programs of over 150 financial institutions in 2013 and 2014, the NYDFS announced that it is now considering new cybersecurity regulations for the industry. Under the potential new regulations, “covered entities” (financial institutions regulated by NYDFS) would be required to implement and maintain written cybersecurity policies and procedures that address:
- information security;
- data governance and classification;
- access controls and identity management;
- business continuity and disaster recovery planning and resources;
- capacity and performance planning;
- systems operations and availability concerns;
- systems and network security;
- systems and application development and quality assurance;
- physical security and environmental controls;
- customer data privacy;
- vendor and third-party service provider management; and
- incident response, including the delineation of clearly defined roles and decision making authority.
Additionally, covered financial entities would be required to implement policies and procedures to ensure the security of sensitive data held by third party service providers. At a minimum, contracts with third parties with access to sensitive customer information would need to include:
- the use of multi-factor authentication to limit access to sensitive data and systems;
- the use of encryption to protect sensitive data in transit and at rest;
- notice to be provided in the event of a cybersecurity incident;
- the indemnification of the entity in the event of a cybersecurity incident that results in loss;
- the ability of the entity or its agents to perform cybersecurity audits of the third party vendor; and
- representations and warranties by the third party vendor concerning information security.
Covered entities would also need to:
- use multi-factor authentication for databases containing sensitive customer information, as well as for access to internal systems and data from an external network;
- appoint a Chief Information Security Officer (CISO) to oversee and implement cybersecurity programs;
- employ data privacy and security personnel;
- conduct annual penetration testing and quarterly vulnerability assessments; and
- immediately notify the NYDFS of any cybersecurity incident with a reasonable likelihood of materially affecting the normal operations of the entity, including incidents involving sensitive data (e.g. health, credit card, or biometric data).
NYDFS seeks input from a variety of stakeholders, including other regulatory agencies, prior to proposing final regulations for the financial industry. It is likely that NYDFS will promulgate rules in 2016. Accordingly, covered entities should continue to assess the state of their data privacy and security infrastructures to prepare for the heightened cybersecurity standards required by NYDFS and other state regulators.
3. FINRA Report on Cybersecurity Practices
In February 2015, the Financial Industry Regulatory Authority (FINRA) issued its Report on Cybersecurity Practices. The Report, which applies to financial advisers and broker dealers, focuses on eight key areas. According to the Report, organizations should:
- Create frameworks that involve senior management, incorporate the organization’s risk tolerance, and allow for risk assessments that help improve the framework over time.
- Identify the sources of potential cybersecurity threats and prioritize the areas in most need of improvement given the organization’s risk tolerance.
- Take specific actions to protect software and hardware that contain data, especially data subject to cybersecurity threats.
- Implement procedures for responding to cybersecurity incidents and define roles for individuals in charge of incident response.
- Take a risk-based approach to selecting, engaging, and monitoring third party service providers.
- Provide employees and other authorized users of the organization’s systems with training appropriate to their specific responsibilities and the types of data they may access.
- Create and deploy an effective cyber intelligence program using all resources available to the organization.
- Periodically review the adequacy of an organization’s cybersecurity coverage to determine if the policy aligns with threats identified by the organization’s risk assessment(s) and ability to bear losses. Organizations that do not have cyber insurance should evaluate the cyber insurance market to determine if coverage is available that would enhance the organization’s ability to manage the financial impact of a cybersecurity event.
FINRA has urged financial advisers and broker dealers to consider these principles as they develop or enhance their cybersecurity programs. While the guidance does not create any new legal or regulatory requirements, FINRA will assess the adequacy of firms’ cybersecurity programs in light of the risks they face.
4. New European Union Data Privacy and Security Regulations
2015 was a landmark year for data protection and privacy in Europe, with the approval of two new major regulations.
The first is the General Data Protection Regulation (GDPR), which is expected to replace the existing Data Protection Directive 95/46/EC. After several years of development and negotiation, the European Council and Parliament reached an agreement on the text of the GDPR in December 2015. It is expected to be formally adopted this spring and come into effect two years after its adoption. The GDPR will impose new obligations on companies in the areas of data subject consent, data anonymization, breach notification, trans-border data transfers, and appointment of data protection officers, to name a few.
Financial institutions should be aware of certain key provisions of the recently approved draft:
- The law applies to any controller or processor of EU citizen data, regardless of where the controller or processor is located. (Under the 1995 Directive, only controllers were directly liable.)
- EU Data Protection Authorities have been given new powers, including the ability to fine organizations up to 4% of their global turnover for violations of the new GDPR provisions.
- In the event of a data breach creating risk to the “rights and freedoms” of EU citizens, notification must be made to the relevant data protection authorities within 72 hours of discovery of the breach.
- Personal data of EU data subjects should only be collected for “specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes.”
- Processing of EU citizens’ data will only be lawful if the processing is done in accordance with one of the following six grounds: (1) with explicit consent of the data subject, (2) to perform a contract, (3) to comply with a legal obligation, (4) to protect the vital interests of the data subject, (5) to perform a task in the public interest, or (6) where “necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, which require protection of personal data, in particular where the data subject is a child.”
- A data subject’s consent will be invalid if the controller requires consent for the provision of a service where the processing of personal data is not necessary to the actual performance of the service or contract.
- Data controllers must provide any information they hold about an EU citizen free of charge and within one month of request.
- EU citizens have a “right to erasure,” which requires data controllers to delete personal data if: (1) the data are no longer necessary in relation to the purposes for which they were collected or processed; (2) the data subject withdraws consent on which the processing was based and there is no other legal ground for processing the data; or (3) the data were unlawfully processed, among other grounds.
The 200-page text of the GDPR includes many other provisions, and financial institutions should closely monitor it as it moves towards formal adoption this spring.
European authorities also agreed on the text of another major data security initiative, the Network and Information Security (NIS) Directive. After more than two years of negotiation, the European Council reached an informal agreement with the Parliament, and the text was approved by European Member States in December 2015. The text must now be formally approved by the European Council and Parliament, which is expected this spring. The Member States will then have 21 months to implement the NIS Directive.
The NIS Directive applies to operators of “essential services” in “critical sectors,” which the NIS Directive defines as services that are (a) “essential for the maintenance of critical societal and/or economic activities,” (b) dependent on network and information systems, and (c) such that a breach would have “significant disruptive effects” on the provision of the service. Banks and financial market infrastructures fall under the purview of the NIS Directive.
The NIS Directive would require banks and financial market infrastructures, as operators of essential services in critical sectors, to implement “state of the art” network and information security systems appropriate to each organization’s risks. It also would require these entities to report to the appropriate data protection authority “without undue delay” any security incident to its systems that would create a “significant impact” on the continuity of its services. The significance of an incident would be determined by “(a) the number of users affected by the disruption of the essential service; (b) the duration of the incident; [and] (c) the geographical spread with regard to the area affected by the incident.” Member States are expected to provide more detail regarding definitions of these key terms when they pass country-specific legislation in accordance with the NIS Directive.
5. EMV Credit Card Payment Standard
EMV refers to a smart-chip technology for payment cards that creates a dynamic authentication code for each transaction. Its main benefit is the prevention of counterfeit card-present fraud (fraud from a card swipe in a store). If someone steals the data contained in the magnetic stripe of a payment card, that person can write the stolen data onto a different magnetic stripe and create a counterfeit card to use fraudulently in an in-store purchase, because the stripe data never changes. The embedded EMV chip, however, creates a dynamic authorization code for each transaction that cannot be copied and reused, and therefore helps prevent fraudulent in-store purchases. The new EMV card system does not apply to e-commerce transactions, as the chip may only be read by a physical terminal.
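To make the difference between static stripe data and a per-transaction code concrete, the following is an added illustration in Python; it is not from the original post and is a simplified model rather than the EMV specification. The issuer verifies a keyed MAC over the amount, a card-side transaction counter and a terminal nonce, so a captured code cannot be reused or altered, whereas copied stripe data is accepted unchanged. The card key, counter field and nonce are assumptions of this model.

```python
import hmac
import hashlib
import secrets

# Constructed model, not the EMV specification: a static magnetic-stripe
# record versus a chip that MACs per-transaction data with a card key
# and a monotonically increasing transaction counter (assumed names).
CARD_KEY = b"constructed-demo-card-key"              # known to chip and issuer
STRIPE_DATA = b"PAN=4111111111111111;EXP=2012;SVC=201"  # constructed track data


def stripe_authorize(presented_track: bytes) -> bool:
    """Swipe check: only static data is compared, so a copy of the stripe
    written onto another card is indistinguishable from the original."""
    return presented_track == STRIPE_DATA


class ChipCard:
    def __init__(self, key: bytes):
        self.key, self.atc = key, 0

    def cryptogram(self, amount: int, terminal_nonce: bytes) -> dict:
        self.atc += 1  # counter advances on every transaction
        msg = b"%d|%d|" % (amount, self.atc) + terminal_nonce
        mac = hmac.new(self.key, msg, hashlib.sha256).digest()[:8]
        return {"amount": amount, "atc": self.atc, "nonce": terminal_nonce, "mac": mac}


class Issuer:
    def __init__(self, key: bytes):
        self.key, self.last_atc = key, 0

    def authorize(self, tx: dict) -> bool:
        msg = b"%d|%d|" % (tx["amount"], tx["atc"]) + tx["nonce"]
        expected = hmac.new(self.key, msg, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(expected, tx["mac"]):
            return False  # amount or counter altered, or code forged without the key
        if tx["atc"] <= self.last_atc:
            return False  # counter already seen: a replayed cryptogram
        self.last_atc = tx["atc"]
        return True


def demo() -> tuple:
    """Returns (stripe replay accepted, chip first use, chip replay, chip tamper)."""
    stripe_replay_ok = stripe_authorize(bytes(STRIPE_DATA))  # skimmed copy passes
    card, issuer = ChipCard(CARD_KEY), Issuer(CARD_KEY)
    tx = card.cryptogram(2500, secrets.token_bytes(4))
    first = issuer.authorize(tx)
    replay = issuer.authorize(dict(tx))          # same cryptogram presented again
    tampered = issuer.authorize(dict(tx, amount=1))  # amount changed, MAC kept
    return stripe_replay_ok, first, replay, tampered
```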
Being ready to accept EMV transactions involves purchasing EMV-enabled terminals and obtaining certifications of the devices and payment applications through the merchant’s acquiring bank for each card network. While EMV card acceptance is not required, as of October 1, 2015, any merchant that cannot accept EMV cards faces the liability for chargebacks for card-present counterfeit fraud losses. Additionally, merchants that are EMV-compliant will enjoy a safe harbor from post-breach liability if the merchant meets certain criteria under certain card network programs.
What does this mean for credit card issuers? Prior to October 1, 2015, issuers were primarily responsible for card-present counterfeit fraud losses. Now, merchants that are not EMV-compliant will be responsible for all card-present counterfeit fraud losses.
For more information on EMV compliance, please see our previous post on this issue.