Blog: The Impact of Cybersecurity Regulations on the Financial Services Industry in 2022 – JD Supra

Following the SolarWinds and the Colonial Pipeline cyberattacks, the Biden Administration emphasized a shift toward mandatory cybersecurity requirements. Throughout 2021, government agencies issued new cybersecurity guidance, directives and regulations for regulated industries.1 The financial sector was no exception.

In the waning weeks of 2021, the Federal Trade Commission (FTC), the Office of the Comptroller of the Currency (OCC), the Board of Governors of the Federal Reserve System (FRB) and the Federal Deposit Insurance Corporation (FDIC) promulgated final rules concerning cybersecurity requirements for the financial services sector. The FTC amended its Gramm-Leach-Bliley Act (GLBA) Safeguards Rule to require FTC-regulated financial institutions to develop and implement detailed cybersecurity requirements as part of a comprehensive information security program.2 The OCC, FRB and FDIC promulgated rules requiring 1) regulated banking organizations to notify their primary federal regulator of certain “computer-security incidents” within 36 hours and 2) bank service providers to notify their banking organization customers of “computer-security incidents” as soon as possible.3 In 2022, each of these agencies will likely adopt regulations similar to those its sister agencies promulgated last year. For instance, the FTC already has announced its intention to adopt a notification requirement for cybersecurity incidents.4

In addition, this past year, the U.S. Securities and Exchange Commission (SEC) announced its first-ever enforcement action against a financial services company for deficient disclosure controls concerning cybersecurity risks.5 The New York Department of Financial Services (NYDFS) also started announcing enforcement actions against financial services companies for the alleged failure to comply with the NYDFS Cybersecurity Regulations, which became fully effective in March 2019.6

These developments will impact the financial services industry in three respects in 2022. First, to comply with these cybersecurity regulations, financial services companies should develop or update written information security/cybersecurity programs7 and implement robust cybersecurity standards. Second, financial services companies should design an internal cybersecurity reporting system to ensure timely notification to regulators within hours of discovering a cybersecurity incident. Finally, financial services companies should encourage a culture of compliance on cybersecurity matters to prepare for potential enforcement investigations by financial regulators.

Develop and Implement a Comprehensive Cybersecurity Program

Mandatory Cybersecurity Requirements

The GLBA requires financial institutions, which are institutions “significantly engaged” in financial activities or activities incidental to financial activities, to protect the security and confidentiality of their customers’ non-public “personally identifiable financial information.”8 The FTC has regulatory authority over financial institutions that are not subject to another agency’s regulatory authority, which includes, but is not limited to, mortgage lenders, “pay day” lenders, finance companies, mortgage brokers, account servicers, check cashers, wire transferors, collection agencies, credit counselors, financial advisors, tax preparation firms, non-federally insured credit unions, personal property appraisers, certain investment advisors, certain travel agencies and certain automobile dealerships.9

The GLBA requires regulatory agencies to establish rules concerning the “administrative, technical, and physical safeguards” of personally identifiable financial information. The various federal financial regulatory agencies have promulgated Safeguards Rules to establish information security standards to protect customers’ personally identifiable financial information.10

On Oct. 27, 2021, the FTC amended its GLBA Safeguards Rule (FTC final rule) to require FTC-regulated financial institutions to develop and implement specific cybersecurity requirements within their comprehensive information security program; institutions that maintain customer information on fewer than 5,000 consumers are exempt from several of the more prescriptive elements (the written risk assessment, continuous monitoring or periodic testing, the written incident response plan and the annual report to the board). As a threshold matter, the FTC expanded the scope of its Safeguards Rule jurisdiction to include “finders,” which are companies that bring together buyers and sellers of a product or service for transactions that the parties themselves negotiate and consummate.11 The FTC final rule maintains the information security standards promulgated under the original FTC Safeguards Rule. However, the FTC final rule, which became effective on Jan. 10, 2022, and enforceable on Dec. 9, 2022, adds the following requirements:12

  • Designate a single qualified individual responsible for overseeing, implementing and enforcing the information security program
  • Develop a written risk assessment that provides criteria for the evaluation of risks, the assessment of the company’s security and the mitigation of identified risks
  • Perform risk assessments periodically
  • Review access controls to customer information periodically
  • Manage and inventory data, personnel, devices, systems and facilities
  • Encrypt all customer information in transit and at rest
  • Adopt secure software development practices for in-house developed applications and software testing of externally developed applications
  • Implement multi-factor authentication (MFA)
  • Develop, implement and maintain secure disposal procedures
  • Adopt change management procedures
  • Log the activity of authorized users and detect unauthorized access to or use of customer information
  • Monitor continuously or, alternatively, test periodically through annual penetration testing and vulnerability assessments at least every six months
  • Implement employee security awareness training, employ qualified information security personnel and ensure necessary information is provided to information security personnel
  • Ensure service providers maintain appropriate safeguards
  • Establish a written incident response plan
  • Provide, at least annually, written reports to the board of directors or equivalent governing body concerning the financial institution’s information security program

The FTC final rule is a significant and substantive departure from the previously required information security program. These new FTC requirements are similar to the NYDFS Cybersecurity Regulations,13 although the FTC final rule does not require senior leadership to certify the information security program.14 The OCC, FRB and FDIC already have some of these cybersecurity requirements within their Safeguards Rules. However, with both the NYDFS and the FTC requiring financial services companies to implement detailed cybersecurity requirements, the OCC, FRB and FDIC likely will consider adopting similar requirements where their regulations currently lack them.

In the past year, we also witnessed the NYDFS pursuing enforcement actions against regulated financial services companies for the alleged failure to comply with the NYDFS Cybersecurity Regulations.15 Similarly, although the FTC rule does not become enforceable until Dec. 9, 2022, regulated financial institutions have only a short window to implement these substantive cybersecurity requirements before the FTC turns its attention to enforcement.

Key Takeaways for 2022

More regulators are moving towards the NYDFS model of requiring a comprehensive cybersecurity program. With the FTC’s adoption of a similar program in 2021, the OCC, FRB, FDIC and SEC may not be too far behind. Although FTC-regulated financial institutions have until Dec. 9, 2022, to comply with the FTC’s cybersecurity requirements, this may not be sufficient time to implement such requirements. These requirements may require a complete reassessment of an institution’s information technology (IT) environment and significant financial investment towards IT upgrades and projects. This may leave institutions scrambling towards compliance.

Institutions regulated by the FTC need to immediately assess their IT environments and develop a plan to ensure compliance with the FTC’s cybersecurity requirements. The NYDFS recently published guidance on MFA after witnessing repeated errors in MFA implementation, such as gaps in coverage that left some remote access paths unprotected.16 Thus, institutions should not only deploy these controls but also verify that they are implemented effectively.

Institutions that are not subject to detailed cybersecurity standards should consider developing and implementing a written cybersecurity program similar to those required by the NYDFS Cybersecurity Regulations and the FTC cybersecurity requirements. Not only would such a program better protect institutions from potential cyberattacks, but such a requirement may be forthcoming.

Design an Internal Disclosure System for Cybersecurity Incident

Notification Regulations

On Nov. 18, 2021, the OCC, FRB and FDIC issued a joint final rule (joint Computer-Security Incident Notification rule) that requires banking organizations17 to notify their primary federal regulator of any “computer-security incident” that rises to the level of a “notification incident” within 36 hours of determining that such an incident has occurred.18 A computer-security incident is “an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.”19 Under the joint Computer-Security Incident Notification rule, not all computer-security incidents require notification; only those that rise to the level of a notification incident do.

A notification incident “is a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a banking organization’s 1) ability to carry out banking operations, activities or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business, 2) business line(s), including associated operation, services, functions and support, that upon failure would result in a material loss of revenue, profit or franchise value, or 3) operations, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.”20 System outages, successful ransomware attacks and successful distributed denial of service attacks are likely notification incidents.21 However, determining whether an incident is a notification incident is a fact-dependent analysis.

Notifications are not exempt from Freedom of Information Act (FOIA) requests. Although the agencies received a comment requesting such an exemption, they declined to adopt one, pointing instead to their existing confidentiality rules. The agencies noted that FOIA requests will be handled on a case-by-case basis.22 Additionally, banking organizations should be careful not to disclose, and thereby potentially waive, privileged information as part of their notification to regulators.

The joint Computer-Security Incident Notification rule also does not replace or eliminate financial institutions’ notification obligations under the agencies’ Safeguards Rules. Under the Safeguards Rules, covered entities are to notify their primary federal regulator as soon as possible when they become aware of an incident involving unauthorized access to or use of sensitive customer information.23 As a result, the joint Computer-Security Incident Notification rule creates bifurcated notification obligations for certain financial institutions.

In addition to these notification rules, other government agencies require regulator notification for cybersecurity events. The NYDFS Cybersecurity Regulations require cybersecurity events to be reported to the NYDFS within 72 hours.24 The SEC requires public companies to disclose material cybersecurity incidents or risks, and it requires entities subject to Regulation Systems Compliance and Integrity (SCI entities) to report an “SCI event.”25 The Commodity Futures Trading Commission (CFTC) requires derivatives clearing organizations to report an “exceptional event.”26 Although the FTC currently does not require reporting, the agency has announced its intention to adopt a notification requirement for cybersecurity incidents.27

The joint Computer-Security Incident Notification rule also requires bank service providers28 to notify each affected banking organization customer as soon as possible of any “computer-security incident” that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a covered service for four or more hours.29 Banking organizations are required to assess these notifications to determine whether they are notification incidents that must be reported to their primary federal regulator. The joint Computer-Security Incident Notification rule becomes effective April 1, 2022, with compliance required by May 1, 2022.30

These various cybersecurity notification obligations are summarized below:

Financial Sector Notification Obligations

Reportable Incident                                                                                                  | Timing              | To Whom
---------------------------------------------------------------------------------------------------------------------|---------------------|-------------------------------
Notification incident                                                                                                | Within 36 hours     | OCC, FRB, FDIC
Unauthorized access to or use of sensitive customer information                                                      | As soon as possible | OCC, FRB, FDIC
Computer-security incident that materially disrupts or degrades a covered service for four or more hours (bank service providers) | As soon as possible | Banking organization customers
Cybersecurity event                                                                                                  | Within 72 hours     | NYDFS
Material cybersecurity risks or incidents                                                                            | Timely fashion      | SEC filing
SCI event                                                                                                            | Within 24 hours     | SEC
Exceptional event                                                                                                    | Promptly            | CFTC

In 2021, the SEC brought enforcement actions against companies that failed to internally report cybersecurity incidents or risks to corporate decision-makers in a timely manner. Such internal disclosure controls are critical to ensure timely notification of cyber incidents as required by regulations.

Key Takeaways for 2022

As evidenced above, regulators are requiring notification of cybersecurity incidents and data breaches. The fact that the joint Computer-Security Incident Notification rule creates bifurcated notification obligations highlights the regulatory complexity in this area. Moreover, the FTC has announced its intention to join the fray. As such, financial services companies should prepare to notify one or more regulators when they experience a cybersecurity incident.

The joint Computer-Security Incident Notification rule’s 36-hour notification requirement creates a short window between the discovery of a cybersecurity incident and notification. The agencies recognize that the clock starts only upon a banking organization’s determination that the incident is a “notification incident,” not upon initial detection, and “the agencies anticipate that a banking organization would take a reasonable amount of time to determine that it has experienced a notification incident.”31 However, this “reasonable amount of time to determine” standard will be subject to agency interpretation and hindsight. Moreover, as the SEC’s recent enforcement actions concerning internal disclosure controls show, regulators can be unforgiving of internal reporting delays.

Notifications to regulators potentially expose financial services companies to litigation and reputational risks. These notifications may be publicly discoverable through a FOIA request. In addition, statements made in these notifications could affect any subsequent civil litigation against the financial services companies concerning the cybersecurity incidents, which are unlikely to be fully investigated at the time of the notification. Financial services companies also should be cautious not to include privileged communications or work product in these notifications. Moreover, the determination that a cybersecurity incident requires notification often is a legal determination. As a result, financial services companies should consider including their counsel in assessing cybersecurity incidents and in notifying federal regulators of such incidents. The incident response plan also should identify the individual responsible for providing notification.

In addition, financial services companies should consider developing a robust internal disclosure system to ensure cybersecurity incidents are reported to corporate decision-makers and counsel almost immediately upon discovery. This is particularly necessary for banking organizations due to the 36-hour notification requirement. This internal disclosure system should be part of the written incident response plan. In addition, the financial services companies’ IT team should be trained on the use and importance of this internal disclosure system, and the internal disclosure system should be tested to ensure effectiveness.

Develop Culture of Cybersecurity Compliance

Culture of Compliance

In 2021, the SEC and the NYDFS brought enforcement actions against financial services companies for allegedly failing to comply with the agencies’ cybersecurity requirements. Moreover, Deputy Attorney General Lisa Monaco recently emphasized that the U.S. Department of Justice (DOJ) will evaluate a company’s history of compliance issues in future enforcement actions.32 As enforcement actions related to cybersecurity standards increase, regulators likely will consider a company’s compliance program and culture of compliance in their investigations and enforcement actions.

Key Takeaways for 2022

Cybercriminals are constantly evolving, and new, sophisticated cyberattacks will continue to occur in 2022. Because no IT system is impenetrable, some of these attacks will be successful. This past year, regulators signaled their intention to pursue enforcement actions against financial services companies for deficient cybersecurity controls. With mandatory notifications to government agencies, successful cyberattacks will bring regulatory scrutiny and investigations.

Companies should consider incorporating cybersecurity into their existing compliance programs, emphasizing and training IT professionals on cybersecurity compliance, developing robust internal controls for cybersecurity-related disclosures and developing effective methods to audit their cybersecurity compliance program. Fostering a culture of compliance and developing a cybersecurity compliance program is a highly effective way to avoid enforcement actions and to reduce potential penalties from such actions.

Conclusion

Both cyberattacks and regulators’ cybersecurity enforcement actions will continue to increase in 2022. Financial services companies that want to protect themselves from cyberattacks and regulatory investigations should develop and implement comprehensive cybersecurity programs, design internal controls for immediate disclosure of cybersecurity incidents and risks, and foster a culture of cybersecurity compliance.

Notes: 

1 See Executive Order on Improving the Nation’s Cybersecurity (May 12, 2021); National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems (July 28, 2021); DOE 100-day Plan to Address Cybersecurity Risks to the U.S. Electric System (Apr. 20, 2021); TSA Pipeline Security Directives (July 20, 2021); TSA Enhancing Rail Cybersecurity Security Directive (Dec. 2, 2021); TSA Enhancing Public Transportation and Passenger Railroad Cybersecurity Directive (Dec. 2, 2021); DOL Cybersecurity Guidance (Apr. 14, 2021); DOJ Civil Cyber-Fraud Initiative (Oct. 6, 2021); OFAC Updated Advisory on Potential Sanctions Risk for Facilitating Ransomware Payments (Sept. 21, 2021); and DOD’s CMMC 2.0 (Nov. 17, 2021).

2 Federal Trade Commission, Standards for Safeguarding Customer Information Final Rule, 86 Fed. Reg. 70,272 (Dec. 9, 2021); FTC Press Release, “FTC Strengthens Security Safeguards for Consumer Financial Information Following Widespread Data Breaches,” (Oct. 27, 2021).

3 Computer-Security Incident Notification Requirement for Banking Organizations and their Bank Service Providers, 86 Fed. Reg. 66,424 (Nov. 23, 2021); Joint Release, “Agencies Approve Final Rule Requiring Computer-Security Incident Notification,” (Nov. 18, 2021).

4 Federal Trade Commission, Standards for Safeguarding Customer Information Final Rule, 86 Fed. Reg. 70,272, at 70,298 (Dec. 9, 2021).

5 Law360, Ira Rosner and Shardul Desai, “Managing Risk After SEC’s Cyber Enforcement Action.”

6 Id.

7 The FTC uses the term information security program because it encompasses information in both digital and physical forms. The FTC’s amended Safeguards Rules essentially requires a detailed cybersecurity program as part of this comprehensive information security program.

8 15 U.S.C. §§ 6801(a), 6809; 86 Fed. Reg. at 70,3045.

9 15 U.S.C. § 6805(a)(7); 86 Fed. Reg. at 70,3045.

10 See 12 CFR pt. 30, app’x B (OCC); 12 CFR pt. 208, app’x D-2 (FRB); 12 CFR pt. 225, app’x F (FRB); 12 CFR pt. 364, app’x B (FDIC); 16 CFR pt. 314 (FTC); see also 17 CFR § 248.30 (SEC).

11 Standards for Safeguarding Customer Information Final Rule, 86 Fed. Reg. at 70,306 (16 CFR § 314.2(h)(2)(xiii)).

12 Standards for Safeguarding Customer Information Final Rule, 86 Fed. Reg. at 70,307-08 (16 CFR § 314.4).

13 NYDFS, Cybersecurity Regulations, 23 CRR-NY 500, et. seq.

14 Standards for Safeguarding Customer Information Final Rule, 86 Fed. Reg. at 70,299.

15 See, e.g., NYDFS, “DFS Superintendent Lacewell Announces Cybersecurity Settlement with First Unum and Paul Revere Life Insurance Companies” (May 13, 2021).

16 NYDFS, Guidance on Multi-Factor Authentication (Dec. 7, 2021).

17 “Banking organization” is defined by reference to each agency’s regulated entities. Under the OCC’s rule, banking organizations means national banks, federal savings associations, and federal branches and agencies of foreign banks. Under the FRB’s rule, banking organizations means U.S. bank holding companies, U.S. savings and loan holding companies, state member banks, U.S. operations of foreign banking organizations, and Edge and agreement corporations. Under the FDIC’s rule, banking organizations means insured state nonmember banks, insured state-licensed branches of foreign banks, and insured state savings associations. The definition specifically excludes financial market utilities. See 15 U.S.C. § 6805(a); 12 U.S.C. § 1813(q); Computer-Security Incident Notification Requirement for Banking Organizations and their Bank Service Providers, 86 Fed. Reg. 66,424 (Nov. 23, 2021).

18 Computer-Security Incident Notification Requirement for Banking Organizations and their Bank Service Providers, 86 Fed. Reg. 66,424 (Nov. 23, 2021).

19 Id. (to be codified at 12 CFR § 53.1; 12 CFR § 225.301; 12 CFR § 304.22).

20 Id.

21 86 Fed. Reg. at 66,431 (furnishing a list of example notification incidents).

22 86 Fed. Reg. at 66,437.

23 12 CFR pt. 30, app’x B, supp. A (OCC); 12 CFR pt. 208, app’x D-2 (FRB); 12 CFR pt. 225, app’x F (FRB); 12 CFR pt. 364, app’x B (FDIC).

24 23 CRR-NY 500.17.

25 See SEC, Commission Statement and Guidance on Public Company Cybersecurity Disclosures (Feb. 21, 2018); 17 CFR § 242.1002.

26 17 CFR §§ 15.00, 39.18(g).

27 Federal Trade Commission, Standards for Safeguarding Customer Information Final Rule, 86 Fed. Reg. 70,272, at 70,298 (Dec. 9, 2021).

28 “Bank service provider” means a bank service company or other person that performs covered services. The rule specifically excludes financial market utilities from the definition. See Computer-Security Incident Notification Requirement for Banking Organizations and their Bank Service Providers, 86 Fed. Reg. 66,424 (Nov. 23, 2021) (definition to be codified at 12 CFR § 53.2(b)(2), 12 CFR § 225.301(b)(2), and 12 CFR § 304.22(b)(2)).

29 Computer-Security Incident Notification Requirement for Banking Organizations and their Bank Service Providers, 86 Fed. Reg. 66,424 (Nov. 23, 2021).

30 Id.

31 Id. at 66,432.

32 “DOJ Deputy Attorney General Lisa O. Monaco Gives Keynote Address at ABA’s 36th National Institute on White Collar Crime” (Oct. 28, 2021).
