InfoBytes Blog

Financial Services Law Insights and Observations

  • NY DFS Reveals Final BitLicense Requirements for Digital Currency Firms

    Fintech

    On June 3, New York’s departing superintendent of financial services, Benjamin Lawsky, revealed that the agency has adopted final regulations for the BitLicense, the regulatory framework under which digital currency firms operate within the state. In prepared remarks delivered at the BITS Emerging Payments Forum in Washington, D.C., Lawsky announced that the final BitLicense – which has undergone two previous updates – contains key consumer protection, AML compliance, and cybersecurity requirements. Moreover, Lawsky advised of the latest changes and provided guidance clarifying that (i) firms that wish to obtain both a BitLicense and a money transmitter license will not have to submit separate applications, if they can satisfy the requirements for both; (ii) firms filing suspicious activity reports (SARs) with federal regulators, such as FinCEN, will not have to file a duplicate set of SARs with the state; (iii) firms must obtain prior approval for changes to their products or business models; and (iv) firms will not require prior approval from the regulator for each round of venture capital funding, unless the investor seeks to oversee the company’s management and policies. Lawsky also clarified that the DFS intends to regulate only financial intermediaries who hold customer funds, rather than software developers who specifically focus on developing software and do not hold customer funds.

    Virtual Currency Digital Commerce NYDFS

  • SEC Publishes Cybersecurity Guidance for Registered Investment Companies and Advisers

    Privacy, Cyber Risk & Data Security

    On April 30, the SEC’s Division of Investment Management issued IM Guidance Update No. 2015-02, which highlights measures that investment companies and advisers may wish to consider in addressing cybersecurity risks. The guidance urges firms to adopt a three-pronged approach that includes, among other things: first, conducting a periodic assessment of (1) the nature, sensitivity and location of information that the firm collects, processes and/or stores, and the technology systems it uses; (2) internal and external cybersecurity threats to and vulnerabilities of the firm’s information and technology systems; (3) security controls and processes currently in place; (4) the impact should the information or technology systems become compromised; and (5) the effectiveness of the governance structure for the management of cybersecurity risk; second, creating a strategy designed to prevent, detect, and respond to cybersecurity threats; and third, implementing the strategy through written policies and procedures. The Division’s guidance also warned investment companies and advisers about third-party vendor agreements that could potentially lead to unauthorized access of investors’ information.

    SEC Vendors Privacy/Cyber Risk & Data Security

  • Treasury Deputy Secretary Raskin Delivers Remarks On Cyber Security

    Privacy, Cyber Risk & Data Security

    On March 25, Department of the Treasury’s Deputy Secretary Raskin delivered remarks regarding the agency’s efforts to enhance cybersecurity as the number of cyber-attacks continues to increase. Raskin outlined three specific areas where financial institutions can better prepare for cyber threats and enhance “cyber resilience” in the event of a cyberattack: (i) increase information sharing among financial institutions, thereby making this a priority for the financial sector worldwide; (ii) ensure that safeguards are in place for all third-party vendors with access to the financial institution’s data and systems; and (iii) design a cyber-preparedness “playbook” that has a “detailed, documented plan so that the firm can react quickly to minimize internal and external damage, reduce recovery and time costs, and instill confidence in outside stakeholders and the public.”

    Vendors Department of Treasury Privacy/Cyber Risk & Data Security

  • FFIEC Provides Overview of Cybersecurity Priorities

    Privacy, Cyber Risk & Data Security

    On March 17, the FFIEC released a summary of its cybersecurity priorities for the remainder of 2015. The FFIEC intends to enhance its cybersecurity preparedness in seven main ways: (i) issuing a cybersecurity self-assessment tool that will help institutions to evaluate cybersecurity risk and risk management capabilities; (ii) improving council members’ process for “gathering, analyzing, and sharing information with each other during cyber incidents;” (iii) ensuring that test emergency protocols are set to respond to all cyber incidents in coordination with public-private partnerships; (iv) establishing training programs on developing cyber threats and vulnerabilities; (v) updating the Information Technology Examination Handbook; (vi) increasing focus on technology service providers’ ability to respond to cyber threats; and (vii) collaborating and sharing information with law enforcement and intelligence agencies. The seven action items derive from the FFIEC’s 2014 pilot assessment of cybersecurity readiness at over 500 financial institutions.

    FFIEC Bank Supervision Privacy/Cyber Risk & Data Security

  • White House Releases Cyber Threat Intelligence Integration Center Fact Sheet

    Privacy, Cyber Risk & Data Security

    On February 25, the White House issued a fact sheet regarding the establishment of the Cyber Threat Intelligence Integration Center (CTIIC), which outlines the CTIIC’s purpose, authority, and organizational structure, and how it will interact with other cybersecurity centers. According to the fact sheet, the CTIIC “will be a national intelligence center focused on ‘connecting the dots’ regarding malicious foreign cyber threats to the nation and cyber incidents affecting U.S. national interests, and on providing all-source analysis of threats to U.S. policymakers.” The CTIIC will provide a “cross-agency view of foreign cyber threats, their severity, and potential attribution” by supporting the operations of other agencies like the National Cybersecurity and Communications Integration Center (NCCIC), the National Cyber Investigative Joint Task Force (NCIJTF), and US Cyber Command.

    Privacy/Cyber Risk & Data Security Obama Cyber Threat Intelligence Integration Center

  • New York Bank Regulator Considering Cybersecurity Regulations, Random Audits of Banks

    Privacy, Cyber Risk & Data Security

    On February 25, New York DFS Superintendent Benjamin Lawsky delivered remarks at Columbia Law School focusing on how state bank regulators can better supervise financial institutions in a post-financial crisis era. In his remarks, Lawsky stated that “real deterrence” to future misconduct “means a focus not just on corporate accountability, but on individual accountability” at the senior executive level. Lawsky also highlighted measures that DFS is considering to prevent money laundering, including conducting random audits of regulated firms’ “transaction monitoring and filtering systems” and making senior executives attest to the adequacy of the systems. Lastly, Lawsky outlined several cybersecurity initiatives and considerations that would require third-party vendors to have cybersecurity protections in place, and regulations that would mandate the use of “multi-factor authentication” systems for DFS regulated firms.

    Anti-Money Laundering Bank Supervision Privacy/Cyber Risk & Data Security NYDFS

  • White House Unveils New Federal Cybersecurity Agency

    Privacy, Cyber Risk & Data Security

    On February 10, the White House announced it will establish the Cyber Threat Intelligence Integration Center (CTIIC). In prepared remarks, Lisa Monaco, Assistant to the President for Homeland Security and Counterterrorism, revealed that the CTIIC will be responsible for integrating intelligence about cyber threats, providing analysis to policymakers and operators, and supporting the work of existing Federal government Cyber Centers, network defenders, and local law enforcement agencies. The agency will operate under the auspices of the Director of National Intelligence.

    Cyber Threat Intelligence Integration Center Privacy/Cyber Risk & Data Security

  • New York DFS Announces Targeted Cybersecurity Examinations, Releases Report on Insurance Companies

    Privacy, Cyber Risk & Data Security

    On February 8, New York DFS Superintendent Benjamin Lawsky announced that the DFS would begin (i) regularly examining insurance companies’ cyber security preparedness; (ii) enhancing regulations that will require insurance providers to meet higher standards of cyber security; and (iii) examining “stronger measures related to the representations and warranties insurance companies receive from third-party vendors.” Lawsky expects the targeted exams to begin in the “coming weeks and months.” The announcement was accompanied by the release of the state agency’s report on cybersecurity in the insurance industry.

    Examination Nonbank Supervision Privacy/Cyber Risk & Data Security NYDFS

  • SEC Publishes Industry Alert on Cybersecurity

    Privacy, Cyber Risk & Data Security

    On February 3, the SEC released a set of publications – a Risk Alert and an Investor Bulletin – assessing the level of cybersecurity at broker-dealers and advisory firms and highlighting best practices that allow investors to help protect their online accounts. The Risk Alert contains observations based on examinations of more than 100 broker-dealers and investment advisers. The examinations focused on how the firms (i) identify cybersecurity risks; (ii) establish cybersecurity policies, procedures, and oversight processes; (iii) protect their networks and information; (iv) identify and address risks associated with remote access to client information, funds transfer requests, and third-party vendors; and (v) detect unauthorized activity.

    SEC Privacy/Cyber Risk & Data Security

  • Digital Insights & Trends: What Keeps You Up At Night - Data INsecurity

    Privacy, Cyber Risk & Data Security

    We’re still wide awake, focusing on what keeps us (and our financial institution clients) up at night. Let’s pick up where we left off following our December webinar, but this time address data INsecurity from the perspective of its “other” victims, i.e., consumers. Last month’s webinar reviewed the benefits of risk-based approaches to organizational cybersecurity frameworks and identified potential obstacles to their achievement. Today, we’re thinking about another risk of cybersecurity breakdowns – the loss of consumer confidence. This risk threatens companies as surely as the regulatory, media and legal fallout.

    Despite the proliferation of data breach notification and consumer financial privacy laws, data-breach-fueled identity theft is increasing. A recent report of the National Consumers League & Javelin Strategy reveals that consumer fraud victims don’t discriminate between business organizations and financial institutions when assigning blame for data breaches. Rather, they avoid doing business with all organizations involved. Ironically, nearly one-third of fraud victims take no action to prevent further fraud, even when they’ve been notified that their data has been compromised. The majority of consumer victims, according to the NCL/Javelin report, say both businesses and FIs should be held accountable, and want to be able to sue the breached companies. An even greater majority think the federal government should protect them -- and lawmakers are listening. Senator Amy Klobuchar (D-MN), for example, favors a national security breach notification law.

    Financial institutions are between a rock and the proverbial hard place. Compromised financial information results in greatly increased fraud against affected consumers. However, many consumers don’t take action to prevent a breach from escalating into further incidents of fraud. (Partly, this results from lack of faith in the effectiveness of solutions like credit monitoring, and partly, consumers don’t know where to go for help.) Some consumers contact law enforcement or government agencies, but many simply avoid patronizing the companies involved as a result of diminished trust. An overwhelming number of victims believe the right course is action against companies where their information was breached.

    Trust lost is hard to regain. Data breach responses are key to effective enterprise risk management, not only because of legal and enforcement risk, but because consumer loyalty, and its loss, have real, tangible, operational and financial consequences. In an effort to bolster consumer trust, companies should: be transparent in communicating their practices and controls with respect to the management and use of data; and provide guidance to their customers on actions that can be taken to protect their own data.

    Note: Information in this article is based in part on the “Consumer Data Insecurity Report” produced by Javelin Strategy & Research (2014).

    Risk Management Digital Insights and Trends Privacy/Cyber Risk & Data Security
