Cybersecurity – Overview of Financial Services Initiatives

Margaret Williams
Associate Editor
Loyola University Chicago School of Law, JD 2020

The disclosures of major security breaches in 2017 at Verizon, Equifax, Uber, the National Security Agency and the Transportation Safety Administration increased consumer concern about the safety of their personal and financial data. These disclosures also contributed to renewed Congressional analysis of data security standards in the financial services sector and review of current federal and state regulatory regimes. Insider cyber threats remain a concern as well. In August 2017, the Securities and Exchange Commission (“SEC”) announced insider trading charges against seven individuals who gained access to confidential merger and acquisition data through a technology consultant’s misuse of an investment bank’s new computer system. States, governmental agencies and the financial services industry are actively combatting the growth of cyber-security threats.

State Regulatory Initiatives

States have stepped in to patch the lack of a comprehensive federal cybersecurity policy for financial institutions. In March 2017, New York State promulgated 23 NYCRR Part 500, a “first-in-the-nation” regulation establishing cybersecurity requirements for financial services companies. The regulation establishes risk-based minimum standards for cybersecurity programs and requires training and controls to protect data and information systems. As of the first compliance date, August 28, 2017, banks, insurance companies, and other financial services institutions regulated by the New York State Department of Financial Services are required to have a cybersecurity program meeting the new requirements, written policies approved by the board or a senior officer, a Chief Information Security Officer to help protect data and systems, and controls in place to help ensure the soundness of New York’s financial services industry. Covered organizations are also subject to central reporting requirements for cybersecurity events. A frequently asked questions document addresses, among other things, the treatment of affiliates, the availability of exemptions, and the regulation’s application to New York branches of out-of-state domestic banks.

The SEC’s Enforcement Initiatives

In September 2017, the Securities and Exchange Commission announced two enforcement initiatives to combat cyber-based threats and protect retail investors. First, the SEC created a Cyber Unit that will target cyber-related misconduct such as:

  • Market manipulation schemes involving false information spread through electronic or social media;
  • Hacking to obtain material nonpublic information;
  • Misconduct involving the dark web;
  • Intrusions into retail brokerage accounts;
  • Cyber-threats to trading platforms and other critical infrastructure.

Second, the SEC launched a Retail Strategy Task Force to identify large-scale misconduct impacting retail investors. This task force includes SEC enforcement staff from around the country, the SEC’s National Exam Program, and the SEC’s Office of Investor Education and Advocacy.

The Securities Industry and Financial Markets Association (“SIFMA”) Initiatives

In November 2017, SIFMA testified before the House Financial Services Committee Subcommittee on Financial Institutions and Consumer Credit during a hearing titled “Data Security: Vulnerabilities and Opportunities for Improvement.” The SIFMA testimony touched on industry concern over the lack of harmonized regulatory and supervisory requirements for cyber-security, which burdens financial institution resources. SIFMA also spoke to the need for a robust partnership between industry and government to effectively protect markets from cyber-threats. SIFMA further testified about its recognized best practices for data protection, developed from the collaborative work of its members and related trade associations as well as the National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity (the “NIST Framework”). SIFMA and its non-U.S. affiliate, the Global Financial Markets Association (“GFMA”), advocate for the global use of the NIST Framework and are working on a financial sector version to encourage global adoption.

SIFMA testified about its efforts to develop practices and controls to strengthen risk management of industry relationships with third-party vendors and the security environments at those third parties. SIFMA engages in ongoing dialogue with its government counterparts to address its concerns for the protection of sensitive client and financial institution information. SIFMA also testified about the collaborative industry efforts undertaken to improve cyber defenses, resiliency and recovery. These efforts include best-practice benchmarking, guidance, and dialogue designed to help firms build robust insider threat management programs.

SIFMA’s testimony emphasized the importance of penetration testing by financial institutions to evaluate a firm’s systems and controls in order to identify and remediate vulnerabilities. In December 2017, the GFMA published key principles for a commonly accepted penetration testing framework, with the goal of developing a multi-regulator-endorsed framework that enables regulators and firms to maximize the utility and insights of penetration testing and engages regulators in the process of defining an effective approach.

Finally, SIFMA summarized the sector-wide cyber-exercises that it has organized since 2011 (“Quantum Dawn”). Quantum Dawn is run as a simulated ‘real-time’ cyber incident coordinated across regulators, exchanges, financial utilities, and financial firms. The November 2017 exercise focused on the industry’s ability to respond to and recover from targeted systemic cyberattacks affecting multiple financial institutions. The 2017 exercise included approximately 60 financial services firms, exchanges and utilities. SIFMA’s testimony also discussed the public-private “Hamilton Series” exercises, which were conducted on 13 occasions between 2014 and 2016. These exercises ranged from regionally focused events among small and medium-sized companies to exercises at the U.S. Treasury Department and Federal Reserve Bank of New York involving large, systemically important financial sector companies. Additionally, these scenarios examined impacts to different segments of the financial sector, including equities markets; large, regional, and medium-sized depository institutions; payments systems and liquidity; and futures exchanges. Out of the Hamilton Series, the financial services industry organized Sheltered Harbor, a program designed to enhance resiliency and provide enhanced protections for financial institutions’ customer accounts and data. Sheltered Harbor enables participating financial institutions to securely store and rapidly reconstitute account information, making it available to customers, whether through a service provider or another financial institution, if an institution appears unable to recover from a cyber incident in a timely fashion.

While effective cybersecurity will remain a topic of news and continued development, the financial services industry is doing its best to remain prepared.