Safe and Sound - Cyber-Insecurity: Will The Looming Regulatory Crackdown on Cybersecurity Practices Help Protect Financial Institutions From Attack?

Recent attacks on critical links in our technology, energy and financial services supply chains have exposed alarming vulnerabilities in our infrastructure and thrust cybersecurity concerns to new heights.

Sophisticated attackers, once focused on stealing personal and financial data, now appear determined to cause wide-spread disruption to operations and supply chains.

The number one issue worrying financial executives today is cybersecurity, according to Deputy Secretary for the US Treasury Wally Adeyemo, and particularly the risks posed by third-party service providers. And for good reason. For instance, Microsoft recently discovered that the SolarWinds attackers have been targeting technology companies, including those that manage or resell cloud-computing services. As financial firms increasingly pursue outsourcing arrangements and move operations to the cloud, these concerns will only intensify.

The new rules create additional obligations that will require even the most sophisticated firms to invest substantial resources on compliance

Financial regulators around the globe are reacting. During the past several months alone, a swath of new rules and regulations have been issued that will become effective in 2022. Although financial institutions are already required to have information security safeguards in place, the new rules create additional obligations that will require even the most sophisticated firms to invest substantial resources on compliance. The new rules, however, do not address all potential issues. For example, most successful cyber attacks, including those within the past year, began with a phishing email. Yet none of the new rules address specific ways to mitigate this risk.

Here are some highlights:

• Operational resilience rules adopted by the UK Prudential Regulation Authority and Financial Conduct Authority will take effect in March 2022. These require the largest financial services firms to identify their important business services, map the resources they need to deliver those services, and adopt sufficient processes, strategies and systems to support them. For each business service, firms are also required to set an impact tolerance, i.e., the maximum tolerable level of disruption, and regularly test their ability to function within those targets. Firms must self-assess their compliance with the rules and review their operational resilience programs each year. The deadline for full compliance is March 2025.
• U.S. banking regulators recently adopted rules, effective April 2022, requiring banks to provide notice within 36-hours after they experience a computer security incident that materially disrupts or degrades, or is reasonably likely to materially disrupt or degrade, the bank’s ability to operate. The new rules also require bank service providers to notify their bank customers “as soon as possible” if they experience a computer security incident that could impair their services for four hours or more. Currently, banks must notify their regulators “as soon as possible” but only if “sensitive customer information” has been accessed or used without authorization. The new rules require a completely different analysis in a very short timeframe.
• The Federal Trade Commission (FTC), which oversees non-bank financial institutions in the US, recently made extensive changes to its “Safeguards Rule.” These new rules, which will become effective in late 2022, require firms to implement a number of specific security measures, such as encryption, multi-factor authentication, and penetration testing. They also expand the definition of covered “financial institution” to include entities (including individuals) significantly engaged in activities “incidental to” activities deemed financial in nature. Although the FTC insists that this is not a major substantive change, many are skeptical about where it will lead.
• The FTC recently proposed another new rule, likely to be adopted in 2022, to facilitate its enforcement of the Safeguards Rule. It will require entities to provide 30 days’ notice of “security events” involving the actual or potential “misuse” of information concerning at least 1,000 customers. The FTC also proposes to incorporate the information it receives into a public database.
• The US Securities and Exchange Commission (SEC) is working on new rules that will govern public company disclosure of cybersecurity risks and incidents. In the meantime, the SEC stepped up enforcement of existing disclosure rules, including rules requiring companies to have adequate internal disclosure controls and procedures in place to ensure senior executives are informed about cyber risks and incidents. The SEC also commenced a sweeping investigation of the businesses allegedly affected by the SolarWinds attack. Among other things, the agency is reportedly seeking information concerning cybersecurity incidents these companies may have experienced, whether or not previously reported, including those unrelated to the SolarWinds event.

CONCLUSION

Rules have required financial institutions to protect their systems from cyber attacks for decades, so it is unclear whether the latest regulatory crackdown will markedly improve existing protections. The new rules focus on reporting requirements and developing operational resiliency and information security programs, but perhaps more focused guidance to address well-known attack vectors would do more to protect our financial system from threats.

MEET THE AUTHORS

LORI VAN AUKEN, BCLP Partner, Financial Services Disputes and Investigations, New York Read Lori's bio here >

ADAM JAMIESON, BCLP Partner, Financial Services Disputes and Investigations, London Read Adam's bio here >

This article was published as part of BCLP's Emerging Themes in Financial Regulation 2022. To read the full 2022 Horizon Report and more insight from the BCLP team?visit here