On December 29, 2016 the White House released a statement from the President of the United States that formally accused Russia of interfering with the US elections, amongst other activities. This statement laid out the beginning of the US’ response including sanctions against Russian military and intelligence community members. These recent developments underline the importance of the critical measures that financial institutions must implement to secure their data and networks.
All financial institutions keep sensitive personal information in their files (names, Social Security numbers, credit card, or other account data) that identifies customers or employees. This information is necessary to comply with regulatory requirements, fill orders, meet payroll, or perform other necessary business functions. However, if sensitive data falls into the wrong hands, it can lead to fraud, identity theft, or similar harms. With the growing volume and sophistication of cyber-attacks, ongoing attention is required to protect sensitive business and personal information, as well as safeguard national security. Given the cost of a security breach, like losing your customers’ trust and perhaps even defending yourself against a lawsuit, safeguarding personal information is just plain good business.
The federal government’s approach to this matter has been to require businesses to implement reasonable and appropriate data security measures in light of the sensitivity and amount of consumer information the company holds, the size and complexity of the business, and the availability and cost of tools to improve security and reduce vulnerabilities. For example, during 2015 the Federal Trade Commission brought over fifty data security enforcement actions against companies. The Federal Trade Commission and other federal agencies have multiple resources available online to assist businesses with these measures.
Federal Actions for Financial Institutions
The proliferation of cyber-events and cyber-enabled crime represents a significant threat to consumers and the U.S. financial system. Cybercriminals target the financial system to defraud financial institutions and their customers and to further other illegal activities. Financial institutions can play an important role in protecting the U.S. financial system from these threats.
On October 25, 2016, the Financial Crimes Enforcement Network (FinCEN) issued an advisory to assist financial institutions in understanding their Bank Secrecy Act (BSA) obligations regarding cyber-events and cyber-enabled crime. This advisory also highlighted how BSA reporting helps U.S. authorities combat cyber-events and cyber-enabled crime. Through this advisory FinCEN advised financial institutions on (a) reporting cyber-enabled crime and cyber-events through Suspicious Activity Reports (SARs); (b) including relevant and available cyber-related information (e.g., Internet Protocol (IP) addresses with timestamps, virtual-wallet information, device identifiers) in SARs; (c) collaborating between BSA/Anti-Money Laundering (AML) units and in-house cybersecurity units to identify suspicious activity; and (d) sharing information, including cyber-related information, among financial institutions to guard against and report money laundering, terrorism financing, and cyber-enabled crime.
This advisory did not change existing BSA requirements or other regulatory obligations for financial institutions. FinCEN indicated that financial institutions should continue to follow federal and state requirements and guidance on cyber-related reporting and compliance obligations.
FinCEN has also issued previous guidance regarding cyber-related suspicious activity reporting, indicating that financial institutions may generally refer to the Suspicious Activity Report Instructions issued in June 2000, July 2003, and March 2011 (in particular, the instructions for when to file a report for unauthorized electronic intrusions, a.k.a. computer intrusions); SAR Activity Review Trends, Tips, and Issues: Issue 3 (October 2001); FinCEN Advisory FIN-2011-A006 “Account Takeover Activity” (December 2011); and Frequently Asked Questions Regarding the FinCEN SAR (May 2013).
The federal banking agencies have also issued additional guidance on this matter, such as the Federal Financial Institutions Examination Council (FFIEC) Joint Statement on Distributed Denial-of-Service (DDoS) Cyber-Attacks, Risk Mitigation, and Additional Resources (April 2014); the FFIEC Joint Statements on Destructive Malware and Compromised Credentials (March 2015); the FFIEC Joint Statement on Cyber Attacks Involving Extortion (November 2015); and the FFIEC IT Examination Handbook. Financial institutions should also be familiar with any other cyber-related SAR filing obligations imposed by their functional regulator. For instance, the Office of the Comptroller of the Currency (OCC) requires national banks to file SARs to report unauthorized electronic intrusions. The Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), and the National Credit Union Administration (NCUA) have issued guidance concerning the filing of SARs to report certain computer-related crimes.
Financial institutions should also note that filing a SAR does not relieve them from any other applicable requirements to timely notify appropriate regulatory agencies of events concerning critical systems and information or of disruptions in their ability to operate. In addition, the recently enacted Cybersecurity Act of 2015, also known as the Cybersecurity Information Sharing Act (CISA) (Pub. L. No. 114-113), does not change any SAR-reporting requirements under the BSA, SAR confidentiality rules, or the safe harbor protections under section 314 of the USA PATRIOT Act. CISA authorizes, among other things, non-federal entities to voluntarily share specifically defined cyber-threat indicators and defensive measures for cybersecurity purposes. Section 105(a)(4) of the Act directed the Attorney General and the Secretary of the Department of Homeland Security (DHS) to jointly develop guidance to promote sharing of cyber threat indicators with federal entities pursuant to CISA no later than 60 days after CISA was enacted. That guidance was published on February 16, 2016, as required by statute. (Please refer to “Guidance to Assist Non-Federal Entities to Share Cyber Threat Indicators and Defensive Measures with Federal Entities under the Cybersecurity Information Sharing Act of 2015”).
FinCEN encourages, but does not require, financial institutions to report egregious, significant, or damaging cyber-events and cyber-enabled crime when such events and crime do not otherwise require the filing of a SAR.
State Actions for Financial Institutions
On December 28, 2016 the New York State Department of Financial Services (DFS) announced that it had updated its proposed first-in-the-nation cybersecurity regulation to protect New York State from the ever-growing threat of cyber-attacks. The proposed regulation, which will be effective March 1, 2017, will require banks, insurance companies, and other financial services institutions regulated by DFS to establish and maintain a cybersecurity program designed to protect consumers and ensure the safety and soundness of New York State’s financial services industry.
DFS carefully considered all comments submitted regarding the proposed regulation during the 45-day comment period, which ended on November 14, 2016, and incorporated those suggestions that DFS deemed appropriate in an updated draft that will be subject to an additional final 30-day comment period. DFS will focus its final review on any new comments that were not previously raised in the original comment process.
The updated proposed regulation, which was submitted to the New York State Register on December 15, 2016 and published on December 28, 2016, will be finalized following a 30-day notice and public comment period.
Given the seriousness of the issue and the risk to all regulated entities, certain regulatory minimum standards were considered to be warranted, while not being overly prescriptive so that cybersecurity programs can match the relevant risks and keep pace with technological advances. The regulation requires that each covered entity implement and maintain a written policy or policies, approved by a Senior Officer or the covered entity’s board of directors (or an appropriate committee thereof) or equivalent governing body, setting forth the covered entity’s policies and procedures for the protection of its information systems and nonpublic information stored on those information systems. The cybersecurity policy shall be based on the covered entity’s risk assessment and address fourteen areas to the extent applicable to the covered entity’s operations. The regulation also requires that each covered entity designate a qualified individual responsible for overseeing and implementing the covered entity’s cybersecurity program and enforcing its cybersecurity policy. The cybersecurity program for each covered entity should include monitoring and testing, developed in accordance with the covered entity’s risk assessment, designed to assess the effectiveness of the covered entity’s cybersecurity program. There are multiple other requirements, including an annual compliance certification to be submitted to DFS.
It is critical for all regulated institutions that have not yet done so to move swiftly and urgently to adopt a cybersecurity program, and for all regulated entities to be subject to minimum standards with respect to their programs. The number of cyber events has been steadily increasing, and estimates of the potential risk to our financial services industry are critical.