With only three official days left in the current Congress, Wednesday's conversations turned toward cybersecurity in the financial sector. The Commodity Futures Trading Commission, the Office of the Comptroller of the Currency, and the Securities and Exchange Commission each discussed planned or ongoing strategies for preparing for future cyber-attacks, including compliance examinations of firms' cybersecurity measures. Taken together, these efforts reflect substantial regulatory scrutiny of the damage a cyber-attack can do not only to a financial institution itself but to the many organizations connected to it.
The Securities Industry and Financial Markets Association ("SIFMA") added its voice in support of clearer and more extensive regulation in the area of cybersecurity. Of particular note, SIFMA urged Congress to pass the Cybersecurity Information Sharing Act, which would, among other things, clarify the liability protections available to private firms that share threat information with government cybersecurity regulators. SIFMA also supported adoption of Soltra Edge, a platform for collecting and sharing cyber-threat information, as an industry standard, and joined the United States Treasury in pointing to the NIST Cybersecurity Framework as a starting point for building a cybersecurity program in financial firms.
Despite SIFMA's encouragement, the Cybersecurity Information Sharing Act has yet to pass. The outlook nonetheless appears positive: the Senate passed the National Cybersecurity Protection Act, which, as one Senator stated, could pave the way for future legislation containing the liability guidance SIFMA seeks. Such a result seems a natural next step, given that the Senate's bill authorized the Department of Homeland Security's cybersecurity information-sharing hub. Protections for financial firms that share information with the Department of Homeland Security would seem to be a necessary component of any effective information-sharing network, since firms are unlikely to contribute threat data that could later be used against them.
The relationship between the strengthened push for cybersecurity and prior determinations of liability is of particular interest. One of the most discussed cases in this area is Patco Construction Co. v. People's United Bank, 684 F.3d 197 (1st Cir. 2012), in which a bank's security procedures were held to be commercially unreasonable under Article 4A of the Uniform Commercial Code ("UCC"). Notably, the bank in that case did have controls such as challenge questions and dollar-threshold triggers; it was the bank's implementation of those controls that was found commercially unreasonable. The bank had lowered the dollar threshold so far that challenge questions were presented on nearly every transaction, which increased the exposure of those answers to keystroke-logging malware, and it did not act on its own risk-scoring alerts for the fraudulent transactions. Central to the court's holding was that the bank knew of substantial increases in cyber-fraud through its participation in the financial industry as a whole, and thus acted in a commercially unreasonable manner in part by failing to react to those industry cues. Although the provision at issue in Patco concerned unauthorized electronic funds transfers, new legislation and support for new industry standards could shape the concept of commercial reasonableness in other contexts going forward: once a framework such as NIST's becomes the recognized industry baseline, a firm's departure from it may be the kind of "industry cue" a court weighs. Financial firms should monitor these industry- and government-led trends, and the outcomes they produce, closely when formulating proactive solutions.
Finally, the heightened cybersecurity concerns echo much of the financial industry's reaction to the Financial Industry Regulatory Authority's ("FINRA") most recent Comprehensive Automated Risk Data System ("CARDS") proposal. That proposal, the subject of a prior blog post, would require brokerages to submit large volumes of customer data to FINRA so that FINRA can detect and prevent large-scale fraud more quickly. One of the chief concerns with the proposal, as stated by SIFMA, is that even without direct identifiers the data could be reverse-engineered to identify particular investors. Accordingly, SIFMA argued that concentrating the data in one location, and the resulting attractiveness of that repository as a target for cyber-attack, were strong reasons to oppose the CARDS proposal. In the long run, it is unclear whether the continued push on cybersecurity will bolster or hurt the CARDS proposal. While firms and legislators are clearly concerned about the risks of attacks on financial institutions, information-sharing initiatives may temper some of the concerns related to CARDS. In any event, these recent statements and actions by government and industry regulators will almost certainly factor into FINRA's calculus in determining the future of the CARDS proposal.