NP Privacy Partner
Children’s Privacy & COPPA
Advertising and Marketing
Mobile Technology & Websites
Corporate & Board Governance
Enforcement & Litigation
Health Care & HIPAA
ABOUT NIXON PEABODY
Cybersecurity in Financial Services 2015
In 2014, the Securities & Exchange Commission (SEC), the Federal Financial Institutions Examinations Council (FFIEC), the Financial Industry Regulatory Authority (FINRA), and the New York Department of Financial Services (NYDFS) each engaged in cybersecurity information gathering from financial institutions and in roundtables and other public forums. In 2015, regulatory emphasis on cybersecurity is likely to shift to examinations and, with what are perceived as glaring failures, enforcement.
The NIST Framework
National Institute of Standards and Technology’s (NIST) Cybersecurity Framework
, a series of standards, guidelines and best practices, will be a focal point as financial institutions continually improve their cyber-readiness.
and FINRA’s forthcoming publication of what effective cybersecurity practices will also be carefully scrutinized.
Financial institutions will become accustomed to regulatory examinations and inquiries that include cybersecurity, and in some cases, will focus exclusively in that area. While regulatory examination teams will benefit from intensified cybersecurity training, those teams will include, or consult with, an internal IT specialist expert in cybsersecurity systems and issues.
In 2014, many investment advisers and broker-dealers made great strides in establishing and/or fortifying their cybersecurity procedures. In 2015, even as those procedures, as well as employee training and supervision becomes more rigorous and robust in an increasing number of firms, regulators will cite alleged gaps and failures to address and enforce those procedures. Whereas past regulatory actions as to data and information security have centered on failures to safeguard customer information under Regulation S-P, in 2015, risk assessments and planning, as well as the cybersecurity procedures themselves, will become points of emphasis.
Regulators will expect to see risk assessments include the use of mobile devices and third party access points. With BYOD, mobile device security and the integration of those devices into firms’ cybersecurity platforms will present challenges to many financial institutions.
Further, the security and integrity of firms’ electronic records and electronic recordkeeping will be a focal point. In compliance with SEC Rule 17a-4, firms are accustomed to acting to protect their electronic records from erasure and alteration. In the wake of the attack on Sony, firms should also expect to demonstrate that they have taken measures to protect their records from hackers, including Personally Identifiable Information (PII), account records, transaction and other records.
In examinations and enforcement, a key test and touchpoint is likely to be whether regulators are tempering their actions based on firm size, resources and business model. While no firm can be 100% secure 100% of the time from 100% of threats, small and medium-sized firms will object if regulators expect them to establish and maintain systems and practices equivalent to those implemented at the largest financial institutions.
Third Party Vendors
In 2014, numerous prominent companies were hacked due to alleged shortcomings in a third party vendor’s security systems. In 2015, in addition to examining third party access points, regulators are likely to probe financial institutions’ due diligence and supervision of their third party vendors with an intensified focus.
Fewer and fewer small and medium-sized businesses will be able to afford the technology, training, testing and time required to develop and maintain mature cybersecurity systems sufficient to meet the due diligence standards set by large financial institutions. Information security management sufficient to attain and maintain certifications such as ISO 27001 will become increasingly important for a wide array of third parties, from law firms and accounting firms to insurers, staffing companies, cloud computing platforms and social networks.
Internet of Things and Big Data
In 2015, the Internet of Things (IoT) will gain speed and acceptance, especially for large institutions. Interconnectivity will advance and information available to enterprises will become more decentralized (e.g. a higher volume of information created and uploaded to phones and other mobile devices). For those financial institutions implementing Big Data solutions, information will become more accessible and meaningful to decision-makers. With more information available for internal investigations and reviews from a greater variety of sources, data-driven decision-making for legal, compliance and C-suite executives should become more certain in 2015. However, enhanced accessibility of previously unstructured data from mobile devices and third party access points may bring increased cyber vulnerability, including greater opportunities for human error and hacking. Further, in some cases, regulatory expectations of what firms should be doing with a higher volume of accessible data will bring new risks to the process.
As of January 1, 2015, virtual currencies (also known as digital currencies and crypto-currencies) such as Bitcoin are considered to be the equivalent of “lawful money” in California and can now be used to buy goods and services in that state, as well as to transmit payments.
Regulation of those virtual currencies
has yet to follow in California, New York and other states. However, in 2015, BitLicenses will become a reality.
New York’s July 17, 2014, proposal
will be modified and the NYDFS’ modified Bitlicense framework announced, if not implemented. Other states are likely to follow or, more likely, pursue their own less rigorous requirements.
Among the most
challenging requirements for those financial institutions
handling transactions in virtual currencies is integrating acceptance into their Anti-Money Laundering Program. In 2015, this is likely to continue to be a serious obstacle to acceptance as is satisfaction of stringent BitLicense criteria. Financial institution regulatory requirements such as Know Your Customer (KYC), Suspicious Activity Reporting (SAR) and identifying the source of customer funds before accepting an account may change the anonymous nature of virtual currency transactions, making them less “crypto” and more like those from traditional money service businesses.
While virtual currencies hold great promise, adoption rates will depend on financial institutions’ ability to ensure that their acceptance will not engender unnecessary financial and regulatory risk.
Posted at 11:57 AM by King, Tasha | Category:
Mobile Technology and Websites
Corporate & Board Governance
Email this Post
Check Effective Permissions
There are no comments yet for this post.
Check Effective Permissions
Items on this list require content approval. Your submission will not appear in public views until approved by someone with proper rights.
More information on content approval.
indicates a required field
Statement of Client Rights
This website contains attorney advertising. Prior results do not guarantee a similar outcome. © 2018 Nixon Peabody LLP