
InfoBytes Blog

Financial Services Law Insights and Observations


  • Comptroller Highlights Emerging Cybersecurity Risks, Discusses OCC and Financial Institution Responses

    Privacy, Cyber Risk & Data Security

    On September 18, in remarks before the Exchequer Club, Comptroller of the Currency Thomas Curry highlighted the emerging operational risks for financial institutions posed by cyberattacks, one of several risk areas identified by the OCC in its recent semiannual report. Comptroller Curry said that bank cyberattacks have led to only minor disruptions so far, but are evolving and growing with the development and implementation of new technologies. The Comptroller identified the OCC’s and other federal banking agencies’ attempts to address these risks, including through an FFIEC working group created earlier this year. The Comptroller hopes the working group will address cyber issues through changes to examination policy and by supporting increased information sharing and communication between regulated institutions and their regulators, as well as among regulators and other government entities. According to the Comptroller, the OCC currently is engaged in outreach on this issue to all of its regulated institutions, but is especially focused on assisting community banks and thrifts. The Comptroller urged financial institutions, their boards, and senior level management to be aware of and engaged on the risks posed by cyber threats, including, for example, by considering the potential for new products or strategic business decisions to create new vulnerabilities. He also implored institutions and their leaders to effectively share information, such as through industry cyber threat sharing organizations.

    OCC FFIEC Privacy/Cyber Risk & Data Security

  • OECD Revises Privacy Guidelines

    Privacy, Cyber Risk & Data Security

    Recently, the Organization for Economic Cooperation and Development (OECD) released updates to its privacy guidelines, with a focus on (i) practical implementation of privacy protection through risk management, and (ii) addressing the global dimension of privacy through improved interoperability. The revised guidelines, which the OECD describes as the first update of the original 1980 version that served as the first internationally agreed upon set of privacy principles, incorporate new concepts related to (i) national privacy strategies, (ii) privacy management programs, and (iii) data security breach notification. The new guidelines also reflect the organization’s modern views with regard to trans-border data flows, organizational accountability, and privacy enforcement.

    Privacy/Cyber Risk & Data Security

  • FTC Announces First "Internet of Things" Settlement

    Privacy, Cyber Risk & Data Security

    On September 4, the FTC announced its first action against a marketer of an everyday product with interconnectivity to the Internet and other mobile devices – what the FTC refers to as the “Internet of Things.” The company, which markets video cameras designed to allow consumers to monitor their homes remotely, agreed to settle the FTC’s allegation that its security practices exposed the private lives of hundreds of consumers to public viewing on the Internet. The FTC claimed that the company marketed its products as “secure” when, according to the FTC, they had faulty software that potentially allowed for online viewing and listening. The company resolved the complaint without paying a penalty, but agreed to establish a comprehensive information security program designed to address security risks that could result in unauthorized access to or use of the company’s devices, and to protect the security, confidentiality, and integrity of information that is stored, captured, accessed, or transmitted by its devices. The agreement also requires the company to obtain third-party assessments of its security programs every two years for the next 20 years, and prohibits the company from (i) misrepresenting the security of its cameras or the security, privacy, confidentiality, or integrity of the information that its cameras or other devices transmit and (ii) misrepresenting the extent to which a consumer can control the security of information the cameras or other devices store, capture, access, or transmit. The FTC is planning an “Internet of Things” workshop for later this year.

    FTC Privacy/Cyber Risk & Data Security

  • NIST Releases Draft Cybersecurity Framework

    Privacy, Cyber Risk & Data Security

    Recently, the National Institute of Standards and Technology (NIST) released a discussion draft of its preliminary cybersecurity framework. Under an Executive Order issued earlier this year, NIST is tasked with developing standards, methodologies, procedures, and processes that will form a voluntary best practices framework to address cyber risks. The discussion draft framework provides a uniform guide for developing robust cybersecurity programs for organizations. It provides a common structure for managing cybersecurity risk, is intended to help organizations identify and understand their dependencies on business partners, vendors, and suppliers, and is designed to facilitate coordination of cybersecurity risk within industries. The Framework places cybersecurity activities into five functions – identify, protect, detect, respond, and recover – and urges organizations to implement capabilities in each area. NIST released the draft in advance of the Fourth Cybersecurity Framework workshop on September 11-13, 2013, at the University of Texas at Dallas. It also is accepting comments via email.

    NIST Privacy/Cyber Risk & Data Security
