
InfoBytes Blog

Financial Services Law Insights and Observations


  • NYDFS reaches $4.5 million settlement over cybersecurity violations

    State Issues

    On October 18, NYDFS announced a $4.5 million settlement with a licensed health insurance company for alleged violations of the Department’s Cybersecurity Regulation (23 NYCRR Part 500), which contributed to the exposure of consumers’ sensitive non-public information (NPI). According to NYDFS, a bad actor gained access to a shared email mailbox in 2020 via a phishing attack. This mailbox, NYDFS said, allegedly contained more than six years’ worth of consumer NPI. An NYDFS investigation found that the company allegedly, among other things, failed to implement multi-factor authentication throughout its email environment, did not limit user access privileges (thus allowing nine employees to share login credentials to the compromised mailbox), and failed to implement sufficient data retention and disposal procedures. NYDFS asserted that the cybersecurity event may have been avoided or limited in scope if these security controls had been implemented. Furthermore, the company’s alleged failure to conduct an adequate risk assessment as required by 23 NYCRR Part 500 prevented it from identifying the user access privilege and data disposal risks associated with the mailbox that was impacted by the phishing attack. Consequently, the company’s cybersecurity certifications for calendar years 2018-2021 were improper, NYDFS said.

    Under the terms of the consent order, the company is required to pay a $4.5 million civil money penalty and must conduct a comprehensive cybersecurity risk assessment of its information systems. NYDFS recognized the company’s cooperation throughout the investigation and commended its ongoing and completed remediation efforts, including “devoting significant financial and other resources to enhance its cybersecurity program” and making “changes to its policies, procedures, systems, and governance structures.”

    State Issues Bank Regulatory NYDFS New York Enforcement Privacy, Cyber Risk & Data Security 23 NYCRR Part 500

  • Republicans seek answers from OCC on bank-fintech partnerships

    Federal Issues

    On October 11, House Financial Services Committee Ranking Member Patrick McHenry (R-NC), joined by Republican members of the Task Force on Financial Technology, sent a letter to acting Comptroller of the Currency Michael J. Hsu asking for clarification on the OCC’s position regarding bank-fintech partnerships. The lawmakers asserted that the OCC previously “worked to provide banks and their customers with a clear understanding of the regulatory and supervisory expectations surrounding emerging products and services,” as well as how to properly assess risk, but contended that leadership under the current administration has not continued to do so. Citing the importance of innovation to the U.S. economy and the impact new financial products and services can have on costs, inclusion, and competition, the letter expressed concerns related to the potential for further uncertainty surrounding these partnerships and the resulting consequences for consumers. “Technological innovation fostered by fintech partnerships has enabled banks to reach segments of the population that may have been left behind and increase customer engagement,” the lawmakers wrote, expressing their belief that the benefits from these partnerships far outweigh the risks. “Much of this innovation has been driven by industry newcomers that have developed a novel product or business model. When properly regulated, these partnerships can provide greater financial inclusion, spur technological innovation, and foster competition that ultimately benefits consumers.”

    Referring to an action taken by President Biden in June 2021, which repealed the OCC’s “true lender” rule pursuant to the Congressional Review Act (covered by InfoBytes here), the lawmakers asked the OCC whether it anticipates fintech partnerships ending as a result of potential regulatory changes, and questioned how the agency plans to “ensure that examiners do not discourage innovation through fintech partnerships” or “impose unreasonable burdens on banks and fintechs.” The letter also asked the OCC to respond to a series of questions, including, among other things, how it plans to determine the acceptable terms for bank-fintech partnerships, how it intends to analyze fintechs that are helping to bring the banking business into the digital era, and how examiners will evaluate a bank’s assessments of third parties’ cybersecurity risk management and resilience capabilities and whether such evaluations will “be carefully tailored to the actual risk posed by the particular bank-fintech partnership.”

    Federal Issues Bank Regulatory House Financial Services Committee OCC Fintech Third-Party Risk Management

  • Biden outlines aggressive approach for strengthening U.S. cybersecurity

    Privacy, Cyber Risk & Data Security

    On October 11, President Biden outlined actions for strengthening and safeguarding the nation’s cybersecurity. In addition to stressing the importance of improving cybersecurity and resilience measures for critical infrastructure owners and operators, the Biden administration outlined additional priorities that focus on (i) strengthening the federal government’s cybersecurity requirements; (ii) countering ransomware attacks, including by making it more difficult for criminals to move illicit money; (iii) collaborating with allies and partners to build collective cybersecurity, develop coordinated responses, and develop cyber deterrence; (iv) imposing costs on and sanctioning malicious cyber actors; (v) implementing internationally-accepted cyber “rules of the road”; (vi) strengthening cyber-education efforts; (vii) developing quantum-resistant encryption algorithms to protect privacy in digital systems such as online banking; and (viii) establishing research centers and workforce development programs under the National Quantum Initiative to protect investments, companies, and intellectual property and prevent harm as technology in this space continues to develop.

    Privacy, Cyber Risk & Data Security Federal Issues Biden Ransomware Of Interest to Non-US Persons

  • Treasury requests feedback on cyberinsurance

    Federal Issues

    On October 7, the U.S. Treasury Department published its Annual Report on the Insurance Industry, as required by the Dodd-Frank Act. The report discussed the U.S. insurance industry’s financial performance and its financial condition for the year ending December 31, 2021, and provided a domestic outlook for the industry for 2022. The report also summarized the Federal Insurance Office’s (FIO) activities and addressed certain matters affecting the domestic and international insurance industry.

    Earlier, Treasury issued a request for input in the Federal Register on a potential federal insurance response to catastrophic cyber incidents. According to Treasury, “the comments will inform FIO’s work in responding to a recommendation by the U.S. Government Accountability Office that FIO and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency jointly assess the extent to which the risks to U.S. critical infrastructure from catastrophic cyberattacks warrant a federal insurance response.” The request stated that cyber insurance is a significant risk transfer mechanism, and that the insurance industry has an important role to play in strengthening cyber hygiene and building resiliency. Comments are due November 14.

    Federal Issues Privacy, Cyber Risk & Data Security Department of Treasury Insurance Dodd-Frank Federal Insurance Office

  • OCC announces updated FFIEC cyber resource guide

    On October 6, the OCC announced that the Federal Financial Institutions Examination Council (FFIEC) issued an update to the FFIEC Cybersecurity Resource Guide for Financial Institutions. According to the OCC, the 2022 FFIEC Cybersecurity Resource Guide for Financial Institutions provides a list of voluntary programs and actionable initiatives that are intended to help financial institutions meet their security control objectives and respond to cyber incidents. The 2022 guide rescinds and replaces the 2018 guide, and applies to a wide range of financial institutions, including community banks. Highlights of the guidance include: (i) updated resource links for the Assessment, Exercise, Information Sharing, and Response and Reporting categories; and (ii) new ransomware-specific resources.

    Bank Regulatory Federal Issues OCC FFIEC Privacy, Cyber Risk & Data Security

  • Seven largest U.S. banks answer committee questions on overdraft fees and P2P fraud

    Federal Issues

    On September 22, the Senate Banking Committee held a hearing entitled “Annual Oversight of the Nation’s Largest Banks” where chief executive officers from the seven largest U.S. retail banks testified on bank activities related to topics including peer-to-peer (P2P) payment networks; mortgage practices; overdraft fees; forced arbitration; and environmental, social, and governance agendas. Among other things, senators pushed the CEOs to take more aggressive action to eliminate overdraft fees and compensate P2P payment fraud victims.

    • Overdraft fees. Democratic senators stressed that charges still fall too heavily on low-income and minority customers, with Senator Bob Menendez (D-NJ) saying that there is “no reasonable explanation to continue to charge overdraft fees on working families.” The CEOs discussed their respective efforts to relax overdraft policies to reduce fees, with one CEO noting that “there are a lot of occasions where if [overdraft protection] is not used, [customers] would be charged a higher fee on the other side.” These fees, he noted, “can often reduce the cost on the other side and stop them from going to payday lenders.” Another CEO added that he believes “giving people a choice and letting them opt in or out is the proper thing to do.” One bank CEO noted that his bank offers two accounts with no fees and provides customers the opportunity to choose in the moment if they want to return or pay for an item.
    • P2P platforms. Senators Sherrod Brown (D-OH) and Elizabeth Warren (D-MA) asked the CEOs if they would give customers their money back if they are defrauded on a certain P2P platform and complain to the bank. The CEOs emphasized that their banks currently reimburse customers for fraud and “unauthorized transactions” and are taking measures to reduce the incidence of fraud, including educating consumers on how to detect scams. “There’s a tremendous amount that we can do as owners of the network to drive down the ability for thieves to take advantage of the network,” one CEO said when asked if banks believe it is their responsibility to make a consumer whole again. “That is what we're working on. That’s what we have to do.” Another CEO pointed out that other P2P platforms have “15 times the number of disputes” coming into the bank than the highlighted platform. One CEO also stressed that banks need to work through partnerships with law enforcement and regulatory agencies “to actually catch the criminals who are perpetuating this fraud against our customers.”

    The previous day, the same CEOs discussed similar topics during the House Financial Services Committee’s hearing entitled “Holding Megabanks Accountable: Oversight of America’s Largest Consumer Facing Banks.” Several proposed bills containing provisions that would impact the banks if enacted were also discussed, including those that would (i) improve dispute procedures and disclosures related to reinvestigations of consumer reports (see H.R. 4120); (ii) amend and modernize bank merger laws (see H.R. 5419); and (iii) amend Community Reinvestment Act provisions to improve the assessment process for financial institutions (see H.R. 8833).

    During the hearing (see committee memorandum here), committee members questioned the CEOs on a broad range of topics related to consumer protection compliance, enforcement, diversity initiatives, capital standards, emerging technologies and cybersecurity, merchant category codes for firearm purchases, and banking deserts. The CEOs addressed ways their banks have engaged in “responsible growth” and spoke on measures they have taken to bolster customer relations, including modifying overdraft practices. They also noted they are working on improving data protection and cybersecurity. In discussing P2P digital payment services, one CEO emphasized that “scams are growing daily” and regulators and legislators need to respond. He added that “[i]t’s not enough that we apportion blame after the fact. We need to stop fraud and scams before they occur. Secure [P2P] networks, real-time payments, and potentially FedNow allow for direct authentication with a host bank. They also allow members of the network to identify [] and police against scam accounts. This is not the case with nonbank networks. These networks are not held to the same security standards as banks.” He stated that banks “have zero visibility into where the money went, zero capability to recover the money, and zero capability to close the bad account.”

    Federal Issues House Financial Services Committee Senate Banking Committee Consumer Finance Overdraft Peer-to-Peer

  • CISA urges companies to take action to combat malicious cyber activity

    Privacy, Cyber Risk & Data Security

    On September 14, the Cybersecurity and Infrastructure Security Agency, along with several other federal agencies and international partners, released a joint cybersecurity advisory (CSA) highlighting continued malicious cyber activity taken by advanced persistent threat actors affiliated with the Iranian Government’s Islamic Revolutionary Guard Corps (IRGC). The CSA recommended that companies continually test their security programs to protect against longstanding online threats that may arise from IRGC-affiliated actors known for exploiting vulnerabilities for ransom operations. “Our unified purpose is to drive timely and prioritized adoption of mitigations and controls that are most effective to reducing risk to all cyber threats,” CISA said in its announcement. Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson added that the U.S. Treasury Department “is dedicated to collaborating with other U.S. government agencies, allies, and partners to combat and deter malicious cyber-enabled actors and their activities, especially ransomware and cybercrime that targets economic infrastructure.” He noted that the CSA provides information on specific tactics, techniques, and procedures used by IRGC-affiliated actors, and advised both the public and private sector to use the information to strengthen cybersecurity resilience and reduce the risk of ransomware incidents. Organizations are encouraged to review a 2021 Treasury advisory, which highlights the sanctions risks associated with ransomware payments and provides steps for companies to take to mitigate the risk of being a victim of ransomware (covered by InfoBytes here).

    Privacy, Cyber Risk & Data Security Financial Crimes Iran CISA Of Interest to Non-US Persons Ransomware

  • District Court grants final approval in data breach suit

    Privacy, Cyber Risk & Data Security

    On September 13, the U.S. District Court for the Eastern District of Virginia granted final approval of a class action settlement in a data breach suit. As previously covered by InfoBytes, in July 2019, a national bank (defendant) announced that an unauthorized individual had obtained the personal information of credit card customers and applicants. In May 2020, a magistrate judge ordered the defendant to produce to plaintiffs in litigation a forensic analysis performed by a cybersecurity consulting firm regarding the defendant’s 2019 data breach, concluding the report was not entitled to work product protection. According to the final settlement, members of the settlement class, which includes approximately 98 million U.S. residents whose information was compromised in the breach disclosed in July 2019, will receive cash compensation for out-of-pocket losses traceable to the data breach, cash compensation for time spent addressing issues related to the breach, and at least three years of identity theft defense and resolution services. Counsel can seek fees and court costs of 35 percent of the settlement fund. Additionally, each of the eight settlement class representatives could receive $5,000 in service awards, and the other plaintiffs who were deposed by the defendant will receive service awards.

    Privacy, Cyber Risk & Data Security Courts Data Breach Credit Cards Settlement Consumer Finance

  • OFAC sanctions individuals and entities connected to IRGC-QF

    Financial Crimes

    On September 14, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions as part of a joint action with the DOJ, Department of State, FBI, U.S. Cyber Command, National Security Agency, and Cybersecurity and Infrastructure Security Agency, against ten individuals and two entities for their roles in conducting malicious cyber acts, including ransomware activity. The individuals and entities designated are affiliated with Iran’s Islamic Revolutionary Guard Corps (IRGC), which “is known to exploit software vulnerabilities in order to carry out their ransomware activities, as well as engage in unauthorized computer access, data exfiltration, and other malicious cyber activities.” OFAC also noted that a joint cybersecurity advisory was published to highlight continued malicious cyber activity by advanced persistent threat actors that the authoring agencies assess are affiliated with IRGC. As a result of the sanctions, all property and interests in property of the designated individuals and entities, “and of any entities that are owned, directly or indirectly, 50 percent or more by them, individually, or with other blocked persons, that are in the United States or in the possession or control of U.S. persons, must be blocked and reported to OFAC.” U.S. persons are generally prohibited from engaging in transactions with the designated persons. OFAC further warned that engaging in certain transactions with the individuals and entities designated today entails risk of additional sanctions.

    Financial Crimes Of Interest to Non-US Persons Department of Treasury OFAC OFAC Sanctions OFAC Designations SDN List Privacy, Cyber Risk & Data Security Iran

  • CISA issues RFI on new cyber incident reporting requirements

    Privacy, Cyber Risk & Data Security

    On September 9, the Cybersecurity and Infrastructure Security Agency (CISA) issued a request for information (RFI) from critical infrastructure owners and operators on how to develop new data breach reporting regulations related to ransomware and other malicious attacks. The RFI will inform CISA’s promulgation of proposed regulations as required by the Cyber Incident Reporting for Critical Infrastructure Act of 2022. Specifically, the agency is requesting feedback on definitions and terminology for the proposed rules, the form and content of reports, incident reporting requirements, enforcement procedures, and information protection policies. Once the final regulation is published, CISA will use information obtained from cyber-incident reports submitted by covered entities to “deploy resources and render assistance to victims suffering attacks, analyze incoming reporting across sectors to spot trends and understand how malicious cyber actors are perpetrating their attacks, and quickly share that information with network defenders to warn other potential victims,” the RFI explained. CISA will also host a series of public listening sessions across the country to receive additional input as it develops the proposed regulations. Comments on the RFI are due November 14.

    Privacy, Cyber Risk & Data Security Agency Rule-Making & Guidance CISA Ransomware
