Recently, the New York Department of Financial Services sent a letter to federal and state financial regulators outlining the potential for Financial Services Cyber Security Regulation requirements.
The intent is for the proposed cyber security regulation to apply to all types of financial institutions. However, the question is whether the proposed cyber security regulation will apply only to those financial services organizations operating in New York, or on a national basis. In my mind, it will be the latter, either by regulation, law, or de facto enforcement by state attorneys general or the plaintiffs’ bar.
Where did the cyber security regulation come from and how did we get here?
The New York Department of Financial Services conducted a survey in 2013 and 2014 on:
- More than 150 of its regulated banking organizations about their cyber security programs, costs and future plans.
- 43 of its regulated insurers.
In May 2014 and February 2015, the New York Department of Financial Services published its findings, which led to:
- Expanded information technology (IT) examination procedures to focus more attention on cyber security
- Additional risk assessments to identify industry-wide risks and vulnerabilities
- Prioritized scheduling of examinations
As evidenced throughout the reports, the financial industry relies heavily on third-party service providers for critical banking and insurance functions.
The findings were drawn from “several broad conclusions and concerns, and from the dozens of discussions that the Department has held with its regulated entities, cyber security experts, and other stakeholders.” Even if a formal adoption or requirement for increased security controls is not implemented, the New York Department of Financial Services’ letter will become the de facto regulation. It seems the cyber security regulation for financial services firms is inevitable, either explicitly (via regulation) or implicitly (part of a conduct exam). Either way, cue the cyber security regulation…
The findings recommend a detailed framework to address third-party service providers; the policies and procedures to include, and the following provisions:
It’s no coincidence that multi-factor authentication is the first control on the list, and it will be a key item of interest for regulators when it comes to enforcement. The reason is that the FFIEC (Federal Financial Institutions Examination Council) agencies issued guidance on implementing multi-factor authentication back in 2001.
To understand the provisions to be included when contracting third-party service providers, simply remember my ‘carrot stick approach,’ which outlines when to use a stick, a carrot, or a carrot-stick.
State attorneys general are not formally part of this current discussion, but they have already inserted themselves into it. A week after the New York Department of Financial Services sent its notice to the financial services regulators, nine state attorneys general (from CT, DC, IL, ME, MS, NY, RI, VT and WA) sent letters to the CEOs of Bank of America, JP Morgan Chase, Citigroup, Capital One, Visa, MasterCard, American Express, and Discover to increase pressure for mandated use of PINs with new chip-based payment cards.
Keep an eye on the New York Department of Financial Services. They have established themselves as the front runner when it comes to cyber security regulation for financial institutions.
With election season upon us, don’t be surprised by activist attorneys general being more vocal on the regulatory front.
Considering the major breaches that have taken place in the past two years, and a third-party vendor being a big part of the story, we anticipate third-party vendor management to be the primary area of focus for politicians. Why? Use of third-party payment processors/payment gateway providers to store payment card data and issue tokens, or co-location facility providers, has dramatically increased in the last 3-5 years.
Finally, anticipate the foregoing to work its way into discussions with underwriters. Similar to what we are seeing with payment card data, the question is no longer simply whether organizations “have” the various controls. Expect the focus to shift to “how” you are identifying, understanding, and assuring performance against these controls for your organization and your key third-party service providers when it comes to your network, software, and/or “data.”