Cybersecurity continues to be “top-of-mind” for the Security and Exchange Commission (SEC). That point couldn’t be made more clear than in comments and remarks made during the annual “SEC Speaks” conference in Washington, D.C. on February 23 and 24. Read more for a full summary of the conference, including the SEC’s discussion of cybersecurity-related risk and incident disclosures, the Enforcement division’s formation of a Cyber Unit in the fall of 2017, and the SEC’s increased emphasis on the need for insider trading policies that address the impact of cyber events.
A recent skirmish about standing in data breach class actions (this time in the Eighth Circuit), involving securities and brokerage firm Scottrade, suggests that, even if plaintiffs win that limited question, there are other key battles that can win the war for defendants. As we reported with Neiman Marcus, P.F. Chang’s, Nationwide, and Barnes & Noble, the Eighth Circuit’s decision in Kuhn v. Scottrade offers important proactive steps that organizations should consider taking that can mitigate post-breach litigation exposure. READ MORE
Today, Orrick announced the launch of our automated General Data Protection Regulation (GDPR) Readiness Assessment Tool, which makes the EU’s new, complex, data privacy law, the GDPR, more accessible. The free tool is available to all organizations and allows businesses to stress test their compliance against the upcoming GDPR. It segments the GDPR into 14 workable themes and guides the user through a series of dynamic questions relating to each theme. Upon completion of the assessment, the tool provides a complimentary tailored report summarizing the likely key impacts of the GDPR for an organization. READ MORE
August 28, 2017 marks the end of the initial 180-day grace period for compliance under the New York Department of Financial Services’ “first-in-the-nation” cybersecurity regulations (the “Rules”). The initial regulations were proposed last year, but NY DFS received robust public comments that led to significant amendments. While the proposed regulations set out proscriptive, one-size-fits-all requirements, the final Rules align more closely to flexible federal, financial sector guidance, captured in the NIST cybersecurity framework and the FFIEC cybersecurity assessment tool. Accordingly, the final Rules require that cybersecurity programs be calibrated to periodic “risk assessments” that give entities discretion to specify the criteria used to identify, evaluate, and remediate risks, in the context of technological developments and corporate controls.
While covered entities are technically required to be in compliance with the Rules as of Monday, there are additional transitional periods for certain items (see below), and entities have until February 15, 2018 to submit their first certifications to NY DFS. For organizations still working through compliance requirements, the below steps may help to prioritize and implement a work plan. READ MORE
Last week, FinCEN (Financial Crimes Enforcement Network) issued a formal Advisory to Financial Institutions and published FAQs outlining specific cybersecurity events that should be reported through Suspicious Activity Reports (SARs). This Advisory follows former FinCEN Director Jennifer Shasky Calvery’s recent statements reminding “financial institutions to include cyber-derived information (such as IP addresses or bitcoin wallet addresses) in suspicious activity reports.” It also follows the launch of the Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool (CAT). Although the Advisory does not change existing Bank Secrecy Act (BSA) requirements or other regulatory obligations, the Advisory highlights a series of cybersecurity events–such as Distributed Denial of Service (DDoS) attacks and ransomware incidents–that should be reported on SARs filed with FinCEN, even though they often (but not always) fall outside the traditional notion of a data breach or a compromise of personal information.
In the 1969 film Butch Cassidy and the Sundance Kid, after Butch and Sundance rob Union Pacific Railroad (“Union Pacific”) the first time, Union Pacific employs a stronger safe. After Butch and Sundance rob Union Pacific a second time, Union Pacific forgoes the safe and hires a posse of unrelenting gunmen, hell bent on capturing and/or killing the duo. The posse ultimately forces Butch and Sundance to flee to Bolivia—where they resume their bank-robbing antics. Ultimately, it takes the Bolivian army to stop them. In their case, albeit fictional, the active deterrent (the posse) was more effective at protecting Union Pacific’s money than the passive deterrent (the safe), in part, because Butch and Sundance were highly-motivated actors.
Just as it promised a year ago, New York State proposed new proscriptive, minimum cybersecurity requirements for regulated financial services institutions. The regulations go final after a 45-day notice and public comment period. At that point, entities regulated by the NYDFS will be subject to the nation’s first proscriptive set of cybersecurity requirements in contrast to the usual risk-based cybersecurity programs mandated by other financial regulators to date. Thus, unlike previous guidance and reports issued by financial regulators such as FINRA and the SEC, New York’s rules are specific requirements that all regulated financial institutions must adopt.. In this Part I, we review the proposed requirements, and offer some specific steps that regulated financial services institutions should begin to consider for compliance readiness.
The Eighth Circuit’s decision last Friday in State Bank of Bellingham v. BancInsure, holding that computer systems fraud insurance indeed insures against such fraud, even where employee negligence was a contributing factor, was a positive development for financial institutions as well as any crime insurance policyholder. The Eighth Circuit agreed with the district court that under Minnesota’s concurrent-causation doctrine, the insured could recover under a standard Computer Systems Fraud insuring agreement regardless of whether any excluded peril, i.e., employee negligence, contributed to the loss because the covered peril of computer systems fraud was the “efficient and proximate cause” of the loss.
On May 10, 2016, the United States Department of Treasury (Treasury) became the latest federal agency to highlight the importance of cybersecurity in the financial services industry. In its white paper, which follows last year’s request for information to the online marketplace lending industry, Treasury addressed the opportunities and challenges of technological advancements and data availability that have driven change to the way in which consumers and businesses secure financing.
In a much anticipated move, on March 2, 2016, the Consumer Financial Protection Bureau (CFPB) entered the cybersecurity foray with its first enforcement action against Dwolla, Inc., an online payment processing start-up. Pursuant to its authority under Sections 1031(a) and 1036(a)(1) of the Consumer Financial Protection Act of 2010, the CFPB fined Dwolla $100,000 and secured a five-year consent order imposing strict requirements on management and the Board of Directors. This CFPB enforcement action offers important insights into the contours of “reasonable cybersecurity” for certain financial services entities, and important lessons for conducting cybersecurity risk assessments. These issues dovetail with significant activity we recently reported on in the cybersecurity arena by the Securities and Exchange Commission (SEC), the Financial Industry Regulatory Authority (FINRA), the Federal Trade Commission (FTC), the Department of Health and Human Services’ Office of Civil Rights (HHS-OCR), and a host of other state and federal regulators.