No Surprises: Cyber and Data Privacy Threats Remain Top Risk for Financial Services Industry

By Cheryl Davis and Jim Rives, FTI Consulting

No surprises here: increasing operational risk introduced by cybersecurity threats and vulnerabilities will continue to be of primary concern for banks and other financial institutions, as well as institutions that are integral to financial intermediation. These include credit bureaus, brokers and dealers, money service businesses and the regulatory organizations that oversee these institutions.

In its annual report for the last five years, the Financial Stability Oversight Council has identified cybersecurity as a major threat to companies and governments around the world. Data and cybersecurity breach occurrences in the financial industry have been and are expected to remain amongst the most frequent when compared to other industries. Given the continued and fast-paced development of financial products and services that are heavily reliant on internet-based systems, the increased reliance on third-party providers, and the growing interconnectedness of disparate platforms, the operational risks associated with cybersecurity will require significant resources and oversight in 2018 and beyond.

International standard setting organizations, regulatory organizations, industry associations and legislators/policymakers as well as private sector participants provide tools and resources to consider in strengthening cybersecurity defenses. The following are top considerations.

International standard setting frameworks

• The new European Union General Data Protection Regulation, more commonly referred to as GDPR, harmonizes existing data privacy laws across Europe and becomes effective in May 2018. GDPR requires entities to implement an appropriate level of oversight, security and notification protocols in the event of data breaches and corrective actions thereafter (see GDPR Regulation).
• The Bank for International Settlements (BIS) recently published a paper analyzing the regulatory and supervisory frameworks for banks’ addressing cyber threats in certain jurisdictions. The paper provides a wealth of information relevant to recent supervisory efforts and regulations over cybersecurity. One of our favorite observations is:

Views differ on the need to specifically regulate cyber-risk. One view is that the evolving nature of cyber-risk is not amenable to specific regulation and that cyber issues can be handled with existing regulation relating to technology and/or operational risk. The other view is that regulatory structure is needed to deal with the unique nature of cyber-risk, and given the growing threats resulting from an increasingly digitized financial sector.

The paper further notes that only a handful of jurisdictions currently have specific regulatory and supervisory initiatives that address cyber risk; however, some common regulatory requirements and supervisory approaches to assessing banks’ cyber-risk vulnerability and resilience seem to be converging towards a “threat-informed” or “intelligence-led” framework (see FSI Insights-Cybersecurity).

• The BIS Committee on Payments and Market Infrastructures and the Board of the International Organization of Securities Commissions issued guidance on cyber resilience for financial market infrastructures (FMIs) in June 2016 which are highly relevant today (see BIS FMI Cyber Resilience Guidance).

Regulatory organizations

Financial services regulators continue to prioritize cybersecurity requirements for their regulated entities, which are often adopted by industry organizations and even private sector participants.Regulatory organizations’ focus in 2018 will likely include:

• Large banks and financial service providers will be subject to examinations on an interagency basis with participation by the Office of the Comptroller of the Currency (OCC), Federal Reserve, and the Federal Deposit Insurance Corporation (FDIC). Examinations will focus on cybersecurity and resilience which includes:
  • Assessing specific cybersecurity controls relative to information security, cybersecurity risk management, control structures, and level of cyber resilience.
  • Evaluation of service providers’ completion of the Federal Financial Institutions Examination Council’s Technology Service Provider Cybersecurity Assessment Tool which may include reviews of cloud computing, skimming technology, chip technology, and threats from other non-product/service systems (see FFIEC Cyber Assessment Tool).
• For financial service companies subject to the New York State Department of Financial Services (NYDFS), comprehensive cybersecurity regulations became effective in 2017 with other provisions being phased in 2018 and 2019. These regulations will require highly prescriptive measures including access controls, encryption to data disposal, employee training, identification of a Chief Information Security Officer, annual reporting, and attestations/certifications (see NYDFS Cyber Reg FAQs).
• The Securities and Exchange Commission (SEC), recognizing the grave threats that cybersecurity risks pose and the increasing significance of cybersecurity incidents, approved a statement and interpretive guidance to assist public companies in preparing disclosures about cybersecurity risk and incidents. They expand on the 2011 guidance by incorporating the importance of cybersecurity policies and procedures, and making clear the applicability of insider trading prohibitions as information about a company’s cybersecurity risks and incidents may be material nonpublic information. The SEC established a “Cyber Unit” within its existing Enforcement Division to address cyber-based threats and target cyber-related misconduct in the securities markets (see SEC Cybersecurity).

What do you do with this now?

To assist your organizations’ cybersecurity practices, procedures and controls, and to identify and assess areas for potential improvement, consider a recurring evaluation focusing on: cybersecurity network defense and internal controls, vulnerability assessments, cybersecurity incident response and preparedness planning and training.

Consider conducting such a review to gain a better understanding of your organization’s cybersecurity resilience in the face of the multitude of cybersecurity threats and vulnerabilities. It will also provide insight into staff perception of cyber risks and their awareness of their important role in the organization’s cybersecurity.Based on the findings of this review, you can then modify your policies, processes, and technological solutions to enhance preparedness against cybersecurity threats and vulnerabilities.

By Cheryl Davis and Jim Rives, FTI Consulting

No surprises here: increasing operational risk introduced by cybersecurity threats and vulnerabilities will continue to be of primary concern for banks and other financial institutions, as well as institutions that are integral to financial intermediation. These include credit bureaus, brokers and dealers, money service businesses and the regulatory organizations that oversee these institutions.

In its annual report for the last five years, the Financial Stability Oversight Council has identified cybersecurity as a major threat to companies and governments around the world. Data and cybersecurity breach occurrences in the financial industry have been and are expected to remain amongst the most frequent when compared to other industries. Given the continued and fast-paced development of financial products and services that are heavily reliant on internet-based systems, the increased reliance on third-party providers, and the growing interconnectedness of disparate platforms, the operational risks associated with cybersecurity will require significant resources and oversight in 2018 and beyond.

International standard setting organizations, regulatory organizations, industry associations and legislators/policymakers as well as private sector participants provide tools and resources to consider in strengthening cybersecurity defenses. The following are top considerations.

International standard setting frameworks

• The new European Union General Data Protection Regulation, more commonly referred to as GDPR, harmonizes existing data privacy laws across Europe and becomes effective in May 2018. GDPR requires entities to implement an appropriate level of oversight, security and notification protocols in the event of data breaches and corrective actions thereafter (see GDPR Regulation).
• The Bank for International Settlements (BIS) recently published a paper analyzing the regulatory and supervisory frameworks for banks’ addressing cyber threats in certain jurisdictions. The paper provides a wealth of information relevant to recent supervisory efforts and regulations over cybersecurity. One of our favorite observations is:

Views differ on the need to specifically regulate cyber-risk. One view is that the evolving nature of cyber-risk is not amenable to specific regulation and that cyber issues can be handled with existing regulation relating to technology and/or operational risk. The other view is that regulatory structure is needed to deal with the unique nature of cyber-risk, and given the growing threats resulting from an increasingly digitized financial sector.

The paper further notes that only a handful of jurisdictions currently have specific regulatory and supervisory initiatives that address cyber risk; however, some common regulatory requirements and supervisory approaches to assessing banks’ cyber-risk vulnerability and resilience seem to be converging towards a “threat-informed” or “intelligence-led” framework (see FSI Insights-Cybersecurity).

• The BIS Committee on Payments and Market Infrastructures and the Board of the International Organization of Securities Commissions issued guidance on cyber resilience for financial market infrastructures (FMIs) in June 2016 which are highly relevant today (see BIS FMI Cyber Resilience Guidance).

Regulatory organizations

Financial services regulators continue to prioritize cybersecurity requirements for their regulated entities, which are often adopted by industry organizations and even private sector participants.Regulatory organizations’ focus in 2018 will likely include:

• Large banks and financial service providers will be subject to examinations on an interagency basis with participation by the Office of the Comptroller of the Currency (OCC), Federal Reserve, and the Federal Deposit Insurance Corporation (FDIC). Examinations will focus on cybersecurity and resilience which includes:
  • Assessing specific cybersecurity controls relative to information security, cybersecurity risk management, control structures, and level of cyber resilience.
  • Evaluation of service providers’ completion of the Federal Financial Institutions Examination Council’s Technology Service Provider Cybersecurity Assessment Tool which may include reviews of cloud computing, skimming technology, chip technology, and threats from other non-product/service systems (see FFIEC Cyber Assessment Tool).
• For financial service companies subject to the New York State Department of Financial Services (NYDFS), comprehensive cybersecurity regulations became effective in 2017 with other provisions being phased in 2018 and 2019. These regulations will require highly prescriptive measures including access controls, encryption to data disposal, employee training, identification of a Chief Information Security Officer, annual reporting, and attestations/certifications (see NYDFS Cyber Reg FAQs).
• The Securities and Exchange Commission (SEC), recognizing the grave threats that cybersecurity risks pose and the increasing significance of cybersecurity incidents, approved a statement and interpretive guidance to assist public companies in preparing disclosures about cybersecurity risk and incidents. They expand on the 2011 guidance by incorporating the importance of cybersecurity policies and procedures, and making clear the applicability of insider trading prohibitions as information about a company’s cybersecurity risks and incidents may be material nonpublic information. The SEC established a “Cyber Unit” within its existing Enforcement Division to address cyber-based threats and target cyber-related misconduct in the securities markets (see SEC Cybersecurity).

What do you do with this now?

To assist your organizations’ cybersecurity practices, procedures and controls, and to identify and assess areas for potential improvement, consider a recurring evaluation focusing on: cybersecurity network defense and internal controls, vulnerability assessments, cybersecurity incident response and preparedness planning and training.

Consider conducting such a review to gain a better understanding of your organization’s cybersecurity resilience in the face of the multitude of cybersecurity threats and vulnerabilities. It will also provide insight into staff perception of cyber risks and their awareness of their important role in the organization’s cybersecurity.Based on the findings of this review, you can then modify your policies, processes, and technological solutions to enhance preparedness against cybersecurity threats and vulnerabilities.