InfoBytes Blog

Financial Services Law Insights and Observations

  • President Obama Announces New Cybersecurity Proposals

    Privacy, Cyber Risk & Data Security

    On January 13, President Obama visited the National Cybersecurity and Communications Integration Center to announce a variety of legislative and administrative proposals, many of which were updates to his 2011 Cybersecurity Legislative Proposal, designed to confront cybersecurity threats.  These updated proposals, he stated, would promote better cybersecurity information sharing between the government and the private sector and enhance collaboration and information sharing within the private sector.  To encourage and facilitate such sharing, private companies that share cyber threat information while conforming to privacy protection requirements would receive liability protection.  In addition, the President asked that law enforcement be given better tools and authority to fight cybercrime. These tools would include measures that criminalize the overseas sale of stolen financial information like credit card and bank account numbers, updates to the Racketeering Influenced Corrupt Organizations Act that would apply it to cybercrimes, and reforms to the Computer Fraud and Abuse Act to ensure that insignificant conduct does not fall within the scope of the statute, while making clear that it can be used to prosecute insiders who abuse their ability to access information by using it for their own purposes.  In addition, the President announced a White House Summit on Cybersecurity and Consumer Protection, to be held at Stanford University on February 13, 2015.

    Privacy/Cyber Risk & Data Security Obama

  • SEC Announces 2015 Examination Priorities

    Securities

    On January 13, the SEC announced its Office of Compliance Inspections and Examinations’ examination priorities for 2015. The examination priorities cover a wide range of financial institutions and focus on three areas: (i) protecting retail investors, especially those saving for or in retirement; (ii) assessing market-wide risks, including cybersecurity compliance and controls; and (iii) using data analytics to identify signals of potential illegal activity. As to the risks to retail investors, the SEC noted that such investors are being sold products and services that were formerly characterized as alternative or institutional, including private funds, illiquid investments, and structured products. In addition, financial services firms are offering information, advice, products, and services to help retail investors plan for retirement. The SEC intends to assess the risks to retail investors that can arise from these trends.

    Examination SEC Privacy/Cyber Risk & Data Security

  • Special Alert: CSBS Issues Policy, Draft Model Regulatory Framework, and Request for Comment Regarding State Regulation of Virtual Currency

    Fintech

    On December 16, 2014, the Conference of State Bank Supervisors (“CSBS”) issued a Policy on State Regulation of Virtual Currency (the “Policy”), Draft Model Regulatory Framework, and a request for public comment regarding the regulation of virtual currency.  The Policy and Draft Model Regulatory Framework were issued through the work of the CSBS Emerging Payments Task Force (the “Task Force”). The Task Force was established to explore the nexus between state supervision and the development of payment systems and is seeking to identify where there are consistent regulatory approaches among states.

    The Policy

    As a result of its work to date, the Policy recommends that “activities involving third party control of virtual currency, including for the purposes of transmitting, exchanging, holding, or otherwise controlling virtual currency, should be subject to state licensure and supervision.” The Policy states that state regulators have determined certain activities involving virtual currency raise concerns in three areas: consumer protection, marketplace stability, and law enforcement.

    The Task Force’s intentionally technology-neutral approach targets “licensable activities” – activities performed by one party, in a position of trust, acting on behalf of another.  It recommends that such licensable activities be regulated by amending current laws, or when necessary, enacting new legislation to cover the transmission, exchange, and holding of value of currencies. The Policy recommends that those who service these transactions through mobile wallets, vaults, payment processors, and others should be appropriately licensed.

    The Policy targets certain activities:

    • Transmission
    • Exchange (e.g., sovereign to virtual, virtual to sovereign, or virtual to virtual)
    • Services that facilitate third-party exchange, storage, and/or transmission of virtual currency through any medium (e.g., wallets, vaults, kiosks, merchant-acquirers, and payment processors).

    The Task Force notes that the Policy explicitly covers neither merchants or consumers whose use of virtual currencies is solely to purchase goods or services, nor activities that utilize similar technologies, such as cryptography-based ledger systems, but are neither financial in nature nor used for financial recordkeeping.

    The Draft Model Regulatory Framework

    The Draft Model Regulatory Framework proposes a system for state licensing and supervision of certain virtual currency activities. The Draft Model Regulatory Framework addresses the following areas of concern regarding businesses engaged in virtual currency activities:  licensing requirements and systems, financial strength and stability, consumer protection issues, cybersecurity, compliance with Bank Secrecy Act and Anti-Money Laundering, recordkeeping, and regulatory supervision.

    Request For Public Comment

    The CSBS is looking for public comment on the Draft Model Regulatory Framework in two main areas:

    1. The Licensing Regime for the Virtual Currency Business. What should such a regime look like? How can states best streamline the process? How should laws that apply to regular money transmitters, such as escheatment or funds availability, be applied to the virtual currency business?
    2. Risk Management. What is an appropriate level of identification for customers? How should BSA/AML regulations change to address virtual currencies? What role should cyber risk insurance play? What sorts of consumer protections will be necessary?

    The specific questions posed by the CSBS are found here.  The creation of a new licensing regime, in addition to laws that will govern future litigation structure, will influence the direction states take in regulating virtual currencies.

    Members of the industry have until February 16, 2015 to respond to the RFC. 

    CSBS Virtual Currency

  • Congress Passes Bill Clarifying Homeland Security's Role in Fighting Cyberthreats

    Privacy, Cyber Risk & Data Security

    On December 10, the U.S. Senate passed by voice vote S. 2519, the National Cybersecurity and Communications Integration Center Act of 2014. The bill would amend the Homeland Security Act of 2002 (12 U.S.C. § 121 et seq.) by codifying the current operations center in the Department of Homeland Security, which serves as a federal civilian information sharing interface for cybersecurity on behalf of Homeland Security’s Under Secretary. The information center oversees cross-sector coordination of shared information related to cybersecurity risk and incidents that could adversely impact multiple private sectors. In addition, the bill prescribes the composition of the information center and requires it to file yearly status reports. The bill will be submitted to the President for approval and signature.

    Privacy/Cyber Risk & Data Security

  • NY DFS Advises Banks On New Cybersecurity Examination Process

    Privacy, Cyber Risk & Data Security

    On December 10, NY DFS Superintendent Benjamin Lawsky issued a bulletin to all New York state-chartered or licensed banking institutions regarding an updated IT examination process. Effective immediately, cybersecurity examinations will be included within the overall IT examination process. The DFS cybersecurity examinations will incorporate a number of new topics, including: (i) corporate governance; (ii) protections against intrusion, such as multi-factor or adaptive authentication, along with server and database configuration; (iii) information security testing and monitoring; and (iv) cybersecurity insurance coverage, along with other third-party protections. Ultimately, the new examination process will assess a bank’s cybersecurity protections, in addition to how it manages potential cyber risks and handles a cybersecurity attack.

    Bank Supervision Privacy/Cyber Risk & Data Security NYDFS

  • Treasury Official Urges Banks to Consider Cyber Insurance, Assess Cybersecurity Readiness

    Privacy, Cyber Risk & Data Security

    On December 3, Deputy Secretary Raskin delivered remarks at the Texas Bankers’ Association Executive Leadership Cybersecurity Conference. During her prepared remarks, Raskin noted recent data security breaches across many business sectors, including financial services, and presented ten questions for bank CEOs to consider when assessing their institutions’ cybersecurity readiness. Notably, Raskin urged the bank executives to consider relatively new cyber risk insurance for the financial recovery it provides and because the underwriting processes could enhance other cybersecurity controls and provide helpful information for assessing a bank’s risk level. Currently, over 50 insurance carriers offer some form of cyber insurance coverage. Raskin’s remarks come only weeks after Congressional leaders sent a letter to financial institutions requesting that they provide information about their ability to protect consumers and safeguard personal information in the event of a data breach or cyber-attack.

    Department of Treasury Risk Management Cyber Insurance Privacy/Cyber Risk & Data Security

  • DOJ Announces Formation of Cybersecurity Unit In Efforts to Prevent Cybercrime

    Privacy, Cyber Risk & Data Security

    On December 4, Assistant AG Leslie Caldwell delivered remarks at the Cybercrime 2020 Symposium regarding the DOJ’s recent efforts to fight cybercrime. Specifically, Caldwell noted the DOJ’s Criminal Division is (i) increasing its international law enforcement operations; and (ii) creating a committed Cybersecurity Unit to address the growing threat of cybercrime. The Cybersecurity Unit will take on the responsibility of enhancing the DOJ’s public and private security efforts, most notably by working with law enforcement to ensure that “legislation is shaped to most effectively protect our nation’s computer networks and individual victims from cyber attacks.”

    DOJ Privacy/Cyber Risk & Data Security

  • Trade Associations Submit Letter to Congress regarding Cybersecurity Information Sharing

    Privacy, Cyber Risk & Data Security

    On December 3, the Merchant and Financial Associations Cybersecurity Partnership (“Partnership”) submitted a letter to Congress asking it to consider adopting cybersecurity information sharing legislation. Created in February in response to high-profile security breaches, the Partnership aims to protect retailers and financial institutions against cyber attacks. In its letter, the Partnership suggests that Congress adopt legislation that would “increase the current level of voluntary cybersecurity information sharing, while recognizing and responding to key privacy concerns.”

    Privacy/Cyber Risk & Data Security

  • FFIEC Recommends Financial Institutions Join Information Sharing Forum to Mitigate Cyber Risks

    Privacy, Cyber Risk & Data Security

    On November 3, the FFIEC released its observations from a cybersecurity assessment of more than 500 institutions, and recommended that all regulated financial institutions participate in the Financial Services Information Sharing and Analysis Center (FS-ISAC) as a medium to “identify, respond to, and mitigate cybersecurity threats and vulnerabilities.”  The FS-ISAC is a non-profit information sharing forum created by industry participants to share physical and cybersecurity threat information within the public and private sector. The assessment supplemented regularly scheduled bank examinations and built upon supervisory expectations contained within existing FFIEC information technology guidance.

    FFIEC Privacy/Cyber Risk & Data Security

  • FFIEC Announces Cybersecurity Preparedness Efforts

    Securities

    The Federal Financial Institutions Examination Council (FFIEC) recently announced a series of initiatives aimed at promoting cybersecurity preparedness for community financial institutions throughout the country. One such initiative is the creation of the Cybersecurity and Critical Infrastructure Working Group, which was launched in June 2013 in order to enhance communication among the FFIEC member agencies and build on existing efforts to strengthen the activities of other interagency and private sector groups. This announcement follows the FFIEC’s May 2013 press release that highlighted an emphasis on cybersecurity awareness. The FFIEC press release described a webinar that the FFIEC provided to 5,000 chief executive officers and senior managers from community financial institutions to raise awareness about the pervasiveness of cyber threats, and introduce new vulnerability and risk-mitigation assessments and regulatory self-assessments of supervisory policies and processes.

    FFIEC Privacy/Cyber Risk & Data Security
