Tag Archives: cybersecurity regulations

Canada’s Mandatory Breach Notification Takes Effect November 1

The Canadian government recently published a cabinet order laying out federal data breach reporting regulations through the Personal Information Protection and Electronic Documents Act (PIPEDA) and amendments. Similar to other breach notification requirements, these new regulations mandate that organizations that experience a “breach of security safeguards” notify all affected individuals, as well as the Privacy Commissioner and any other related organizations and governmental institutions. The order also includes fines of up to $100,000 (CAD) for noncompliance. These regulations will go into effect starting on November 1, 2018.


Colorado Adopts Cybersecurity Regulations for Broker-Dealers and Investment Advisors

Broker-dealers and investment advisors are faced with increasing regulations regarding their cybersecurity practices. The Colorado Division of Securities recently adopted cybersecurity legislation for state-regulated financial institutions.

The regulations apply to broker-dealers purchasing securities and investment advisors conducting business in the state. Guidelines and a standard of reasonable cybersecurity practices have been established for covered entities to protect confidential personal information.

Confidential Personal Information: Colorado’s new regulations define it as first and last name in combination with any of these data elements:

  • Social Security number
  • Driver’s license number or ID card number
  • Account or credit card number with security code or password
  • Electronic signature
  • Username or email address with password or authentication information

Within these guidelines, broker-dealers and investment advisors are required to address multiple security areas:

  • Reasonable Cybersecurity Practices: Establish and maintain written procedures reasonably designed to ensure cybersecurity.
  • Annual Assessment: Take cybersecurity into account in their risk assessments, along with conducting an annual assessment of cyber risk to Confidential Personal Information.
  • Email: Use secure email for messages sent containing Confidential Personal Information, including encryption and digital signatures.
  • Authentication: Incorporate authentication practices for employee access to electronic communications, data, and media. They must also implement authentication protocols for client instructions received via electronic communications.
  • Disclosure: Disclose to clients the risks of using electronic communications to send Confidential Personal Information.

Key Takeaways

The regulations coming from Colorado’s new legislation aren’t especially novel for the financial services industry. They follow the recently adopted New York Department of Financial Services cybersecurity rules, but offer covered entities some flexibility in implementing cybersecurity practices and require only that those practices be ‘reasonable.’

New York Department of Financial Services Revises Proposed Cybersecurity Regulations

As we previously noted, the New York Department of Financial Services (NYDFS) announced a slew of cybersecurity regulations for banks, insurance companies, and other regulated financial institutions. But due to many concerns raised during the comment period, NYDFS updated their proposed regulations. Here’s the gist:

Nonpublic Information

Originally, the definition for nonpublic information was broad and could be read to include any information maintained by a Financial Institution. The definition in the new proposal is more along the lines of those used in state breach notification laws.

This includes information relating to an individual, and information that can be used to identify an individual. Along with first and last name, other data elements could include Social Security number, driver’s license number, financial account number, biometric data, etc.

Cybersecurity Program

Financial Institutions are required to implement and maintain a cybersecurity program to protect the confidentiality, integrity, and availability of their information systems. This program should stem from the results of the organization’s risk assessment.

The revisions call for the organization’s required cybersecurity policy to be derived from the risk assessment as well. One notable change regarding risk assessments: the annual requirement was scaled back to a periodic basis instead.

Chief Information Security Officer (CISO)

The revised proposal no longer obligates organizations to appoint a CISO. However, the requirement has shifted to call for a qualified individual to oversee the aforementioned cybersecurity program and enforcement of the cybersecurity policy. The regulations still require this individual to provide a written report on the cybersecurity program to the board, but on an annual basis.

Compliance Timeframes

Financial Institutions regulated by the NYDFS should take note of the changes in the proposed cybersecurity regulations. The previous proposal was slated to go into effect at the turn of the new year. With the new revisions, NYDFS has pushed back the effective date to March 1, 2017.

Whereas the original proposal called for organizations to comply within 180 days, the revised regulations include different timeframes for compliance with different provisions. Details of the compliance time windows can be found in the text of the regulations.

New Cybersecurity Regulations for Financial Institutions

More cybersecurity requirements are looming for financial services companies. New York’s Department of Financial Services released their anticipated cybersecurity regulations for a short comment period before going into effect January 1, 2017.

The NYDFS wants to minimize the chance of a cybersecurity incident impacting nonpublic information. The crux of the new regulations revolves around establishing and maintaining a robust cybersecurity program.

Scope

The proposed regulations will apply to companies in the banking, insurance, and financial services industries licensed in New York – or those regulated by NYDFS. For more information on who is covered by NYDFS regulations, visit their link “Who We Supervise.”

Smaller entities might be exempt from some of the regulations if they meet the following criteria:

  • Fewer than 1,000 customers in each of the last three calendar years
  • Less than $5,000,000 in gross annual revenue in each of the last three fiscal years
  • Less than $10,000,000 in year-end total assets

The scope of the regulations is also broad when it comes to defining nonpublic information. Basically, the regulations cover any information provided to the Financial Institution associated with obtaining a financial product or service.

Key Requirements

Establish a Cybersecurity Program. The main purpose is to ensure financial institutions have an active and effective cybersecurity program in place. A part of the cybersecurity program is developing a cybersecurity policy to address areas of information security, data classification, access controls, etc.

Assign a CISO. Financial Institutions will need to assign a Chief Information Security Officer to implement and oversee the cybersecurity program, as well as enforce the cybersecurity policy. CISOs will also be tasked with reviewing the policy annually and providing reports on the program to the company’s board.

Third-Party Oversight. All requirements will be pushed down to any third parties with access to the Financial Institution’s nonpublic information. Vendor agreements will need to be reevaluated and modified based on the new regulations in place.

Other notable requirements include:

  • Multi-factor authentication for access to internal systems
  • Encryption for all nonpublic information
  • Destruction of nonpublic information no longer needed for providing products and services
  • Notification to NYDFS within 72 hours of cybersecurity incidents affecting nonpublic information
  • Regular cybersecurity training
  • Annual penetration testing
  • A written incident response plan

Key Takeaway

The new regulations specifically map out cybersecurity practices that financial institutions are expected to adopt. With the sensitivity of information that financial institutions hold, the strict cybersecurity requirements shouldn’t come as a surprise.

Financial institutions need to take a close look at the NYDFS regulations and analyze how their current cybersecurity practices stack up.