Cybersecurity and Data Protection Developments

Similar documents
New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

NYDFS Cybersecurity Regulations: What do they mean? What is their impact?

COMMENTARY. Federal Banking Agencies Propose Enhanced Cyber Risk Management Standards

NYDFS Cybersecurity Regulations

Mark Your Calendars: NY Cybersecurity Regulations to Go into Effect

10 Cybersecurity Questions for Bank CEOs and the Board of Directors

NEW YORK CYBERSECURITY REGULATION COMPLIANCE GUIDE

NY DFS Cybersecurity Regulations August 8, 2017

NY State s Cybersecurity Legislation Requirements for Risk Management, Security of Applications, and the Appointed CISO

Bradford J. Willke. 19 September 2007

Stephanie Zierten Associate Counsel Federal Reserve Bank of Boston

Cybersecurity requirements for financial services companies

Emerging Issues: Cybersecurity. Directors College 2015

NYS DFS Cybersecurity Requirements. Stephen Head Senior Manager Risk Advisory Services

DHS Cybersecurity: Services for State and Local Officials. February 2017

Cybersecurity A Regulatory Perspective Sara Nielsen IT Manager Federal Reserve Bank of Kansas City

Headline Verdana Bold

Financial Regulations, Enforcement & Cybersecurity

FDIC InTREx What Documentation Are You Expected to Have?

December 10, Statement of the Securities Industry and Financial Markets Association. Senate Committee on Banking, Housing, and Urban Development

New York DFS Cybersecurity Regulation:

National Policy and Guiding Principles

ICBA Summary of FFIEC Cybersecurity Assessment Tool (May 2017 Update)

COMPASS FOR THE COMPLIANCE WORLD. Asia Pacific ICS Security Summit 3 December 2013

Cybersecurity in Higher Ed

Cybersecurity and the Board of Directors

Why you should adopt the NIST Cybersecurity Framework

SEC Issues Updated Guidance on Cybersecurity Disclosure

Post-Secondary Institution Data-Security Overview and Requirements

Digital Crime and Cybersecurity. Scott D. Ramsey, Managing Director May 2017

PIPELINE SECURITY An Overview of TSA Programs

Regulation P & GLBA Training

Cyber Risks, Coverage, and the Board of Directors.

Cybersecurity and Examinations

Cybersecurity Presidential Policy Directive Frequently Asked Questions. kpmg.com

New York Cybersecurity. New York Cybersecurity. Requirements for Financial Services Companies (23NYCRR 500) Solution Brief

Standing Together for Financial Industry Resilience Quantum Dawn 3 After-Action Report. November 19, 2015

Standard CIP Cyber Security Critical Cyber Asset Identification

Standard CIP Cyber Security Critical Cyber Asset Identification

The NIS Directive and Cybersecurity in

Managing Privacy Risk & Compliance in Financial Services. Brett Hamilton Advisory Solutions Consultant ServiceNow

CLE Alabama. Banking Law Update. Embassy Suites Hoover Hotel Birmingham, Alabama Friday, February 19, 2016

2018 WTA Spring Meeting Are You Ready for a Breach? Troy Hawes, Senior Manager

SSAE 18 & new SOC approach to compliance. Moderator Name: Patricio Garcia Managing Partner ControlCase Attestation Services

Overview of NIPP 2013: Partnering for Critical Infrastructure Security and Resilience October 2013

U.S. Department of Homeland Security Office of Cybersecurity & Communications

Cybersecurity The Evolving Landscape

EU General Data Protection Regulation (GDPR) Achieving compliance

DHS Cybersecurity. Election Infrastructure as Critical Infrastructure. June 2017

Texas Reliability Entity, Inc. Strategic Plan for 2017 TEXAS RE STRATEGIC PLAN FOR 2017 PAGE 1 OF 13

Regulating Cyber: the UK s plans for the NIS Directive

Cybersecurity Assessment Tool

Critical Information Infrastructure Protection Law

Business continuity management and cyber resiliency

Texas Department of Banking United States Secret Service January 25, 2012

1. Post for 45-day comment period and pre-ballot review. 7/26/ Conduct initial ballot. 8/30/2010

Package of initiatives on Cybersecurity

Development Authority of the North Country Governance Policies

COMESA CYBER SECURITY PROGRAM KHARTOUM, SUDAN

STRENGTHENING THE CYBERSECURITY OF FEDERAL NETWORKS AND CRITICAL INFRASTRUCTURE

Cyber Risks in the Boardroom Conference

Cyber Risk and Networked Medical Devices

Global Statement of Business Continuity

Safeguarding company from cyber-crimes and other technology scams ASSOCHAM

300 Riverview Plaza Odysseus Marcopolus, Chief Operating Officer Trenton, NJ POLICY NO: SUPERSEDES: N/A VERSION: 1.0

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

OPUC Workshop March 13, 2015 Cyber Security Electric Utilities. Portland General Electric Co. Travis Anderson Scott Smith

The NIST Cybersecurity Framework

THE WHITE HOUSE. Office of the Press Secretary. For Immediate Release September 23, 2014 EXECUTIVE ORDER

Must Have Items for Your Cybersecurity or IT Budget in 2018

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

FFIEC Cyber Security Assessment Tool. Overview and Key Considerations

Greg Garcia President, Garcia Cyber Partners Former Assistant Secretary for Cyber Security and Communications, U.S. Department of Homeland Security

SECURITY & PRIVACY DOCUMENTATION

Consideration of Issues and Directives Federal Energy Regulatory Commission Order No. 791 June 2, 2014

Overview Bank IT examination perspective Background information Elements of a sound plan Customer notifications

NW NATURAL CYBER SECURITY 2016.JUNE.16

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS

DHG presenter. August 17, Addressing the Evolving Cybersecurity Landscape. DHG Birmingham CPE Seminar 1

Choosing the Right Cybersecurity Assessment Tool Michelle Misko, TraceSecurity Product Specialist

SOC for cybersecurity

DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE

"Charting the Course... Certified Information Systems Auditor (CISA) Course Summary

SFC strengthens internet trading regulatory controls

Checklist: Credit Union Information Security and Privacy Policies

RBI GUIDELINES ON CYBER SECURITY AND RAKSHA APPROACH

Business Continuity Planning

Updates to the NIST Cybersecurity Framework

Information Security Controls Policy

FRAMEWORKING COMPLIANCE. NYDFS Cyber Regs: BIG I. Longtime Moniker Becomes Official Name for N.Y. & N.J...PAGE 34 GUIDE TO PAID FAMILY LEAVE INSIDE!

The Evolving Threat to Corporate Cyber & Data Security

The Common Controls Framework BY ADOBE

EEI Fall 2008 Legal Conference Boston, Massachusetts Stephen M. Spina November 1,

ISACA GEEK WEEK SECURITY MANAGEMENT TO ENTERPRISE RISK MANAGEMENT USING THE ISO FRAMEWORK AUGUST 19, 2015

Electricity Sub-Sector Coordinating Council Charter FINAL DISCUSSION DRAFT 7/9/2013

Tangible Measures to Prepare for Intensified Regulatory Oversight of Cybersecurity in 2016

Cybersecurity and Hospitals: A Board Perspective

Chapter 18 SaskPower Managing the Risk of Cyber Incidents 1.0 MAIN POINTS

Implementing the Administration's Critical Infrastructure and Cybersecurity Policy

Security Management Models And Practices Feb 5, 2008

Transcription:

Cybersecurity and Data Protection Developments Nathan Taylor March 8, 2017 NY2 786488 MORRISON & FOERSTER LLP 2017 mofo.com

Regulatory Themes 2

A Developing Regulatory Environment 2016 2017 March CFPB issues final Dwolla order September FFIEC updates information security handbook October Banking agencies issue enhanced cyber standard ANPR October FinCEN issues cyber SAR advisory February NYDFS issues final cybersecurity rules 3

NYDFS Background on Cyber Regs NYDFS surveys financial institutions There is a demonstrated need for robust regulatory action in the cyber security space NYDFS sends letter to financial regulators A first proposal in September and a significantly reworked proposal in December NYDFS finalizes rules 2013 2014 2015 2016 2017 NYDFS issues report To spark additional dialogue, collaboration and, ultimately, regulatory convergence among regulators on new, strong cyber security standards for financial institutions NYDFS issues two proposed rules Effective March 1 Compliance generally required within 180 days, with phased-in compliance periods for certain requirements 4

NYDFS Scope Covered Entities Any person operating under a license, registration, charter, certificate, permit, accreditation or similar authorization under NY banking, insurance or financial services law Covered Information Business-related information that if compromised would cause a material adverse impact to the business, operations or security of the covered entity Information identifiable with consumers that includes certain sensitive data elements (e.g., SSNs) Certain medical information 5

NYDFS Requirements Administrative Requirements Maintain a cybersecurity program Implement and maintain written cybersecurity policies addressing, for example, data governance, asset management, business continuity, system and network security and physical security Conduct periodic risk assessments to inform the design of the cybersecurity program Implement policies and procedures to address application security, monitoring user activity, and data retention and deletion Maintain a written incident response plan Maintain written policies and procedures relating to third party service providers Ensure that a qualified individual is responsible for overseeing and implementing the program Annual reporting to the Board of Directors on the state of the program Ensure sufficient personnel in place to oversee cybersecurity functions Regular training for all personnel on cybersecurity awareness 6

Specific Controls Conduct penetration testing and vulnerability assessments Maintain audit trails Limit user access privileges Implement multifactor authentication, including for access to internal networks from external networks Encrypt nonpublic information in transit and at rest Notice 72-hour notice to DFS of certain types of security events Reporting Annual certification of compliance with the regulations Recordkeeping Maintain records supporting the annual certification Maintain systems that are designed to reconstruct material financial transactions sufficient to support normal operations 7 NYDFS Requirements, cont d.

NYDFS Considerations What does this mean? Implications for Large FIs How will NYDFS enforce? Like AML? What will the federal financial regulators do (e.g., the SEC)? What will other states do (e.g., Kentucky)? Subsidiaries operating pursuant to a license or registration with NYDFS? How will these rules impact transactions involving multiple FIs where one is regulated by NYDFS? 8

Banking Agencies Cyber ANPR Overview A framework for enhanced cyber risk management and resilience standards for certain large and interconnected financial institutions Covered Entities Focus on financial institutions that the agencies believe are most critical to the country s financial system and economy Where a cyber event could impact the safety and soundness of the entity, other financial entities and the U.S. financial sector E.g., holding companies and depository institutions with more than $50 billion in assets (and their subsidiaries) and financial market utilities (and their service providers) Tiered Standards Enhanced standards to apply to all covered entities Higher standards for those entities critical to the financial sector 9

5 Categories of Enhanced Standards To increase the covered entities operational resilience and reduce the potential impact on the financial system as a result of, for example, a cyber-attack: Cyber risk governance (e.g., enterprise-wide cyber risk management strategy) Cyber risk management (in business units, an independent risk management function and audit) Internal dependency management for workforce, data, technology and facilities External dependency management of relationships with outside vendors, suppliers, customers and other third parties Incident response, cyber resilience and situational awareness Sector-Critical Standards Require covered entities to substantially mitigate the risk of a disruption due to a cyber event to their sector-critical systems 10 Banking Agencies Cyber ANPR, cont d.

CFPB The Dwolla Consent Order Allegations Dwolla made false representations to consumers regarding its data security 100% of [customer] info is encrypted and stored securely All sensitive information that exists on its servers is encrypted Dwolla did not live up to its promises (e.g., Dwolla did not use encryption) Consent Order Based on UDAAP Dwolla deceived its customers because the representations that the company made were likely to mislead a reasonable consumer $100,000 civil money penalty Takeaways CFPB (finally) makes move into the data security space Concern over FinTech regulatory arbitrage Implications for big banks? No public data security action since 11

FFIEC Continuing Guidance Cyber Threat Sharing The sharing (and receipt) of cyber threat information between/among the private sector and the federal government critical to cybersecurity All financial institutions need appropriate methods to monitor, share and respond to cyber threat information Recommends that all financial institutions participate in the FS-ISAC Cybersecurity Assessment Tool Intended to help financial institutions identify cyber risks and assess cyber preparedness (and determine whether they are aligned) Two parts: (1) a measure of inherent risk profile; and (2) a measure of cybersecurity maturity IT Exam Handbook Revised in September 2016 to update examination expectations relating to an institution s culture, governance, information security program, security operations, and assurance processes 12

FinCEN Cyber Advisory The Advisory Mandatory Cyber events intended to conduct, facilitate or affect a transaction or a series that involves or aggregates to $5,000 or more in funds or other assets Voluntary Egregious, significant or damaging cyber-events and cyber-enabled crime when such events and crime do not otherwise require the filing of a SAR (e.g., a DDoS attach) Nothing new here FinCEN and the banking agencies have issued similar guidance in 1997, 2000 and 2005 Implications Push for cyber threat information (e.g., IP addresses, indicators of compromise and device identifers) Frustration with the amount of cyber threat and intelligence shared with the federal government? Reminder of the need for communication among BSA/AML, cybersecurity, and other units of financial institutions Another example of the regulatory trend 13

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback