Tag Archives: Cybersecurity

NYDFS Cybersecurity Regulation Enters New Transitional Phase

Beginning on September 4, 2018, banks, insurance companies, and other financial services institutions regulated by NYDFS are required to comply with several additional requirements of the NYDFS cybersecurity regulation.

After September 4th, companies will be required to:

  • report annually to the board concerning critical aspects of the cybersecurity program;
  • have an audit trail that reconstructs material financial transactions to support normal operations in the event of a breach;
  • implement policies and procedures to ensure the use of secure development practices for in-house developed applications;
  • implement encryption to protect nonpublic information;
  • develop policies and procedures to ensure secure disposal of information not necessary for business operations; and
  • implement a monitoring system that includes risk-based monitoring of all persons who access or use any of the company’s information systems or nonpublic information.


NIST Releases Version 1.1 of the Framework for Improving Critical Infrastructure Cybersecurity

On April 17th, just over four years after the initial version was released, the National Institute of Standards and Technology (NIST) released an updated version (1.1) of the Framework for Improving Critical Infrastructure Cybersecurity. The framework, developed under the Obama administration, was designed as a voluntary, risk-based guide for improving the cybersecurity of critical infrastructure in the United States.

Framework Updates & Goals

Then-President Obama’s executive order pushed for the development of standards and practices to assist organizations within the financial, health care and energy fields, among others, to protect their data from a cyber-attack.

The Cybersecurity Framework has 3 components:

Save the Date! Cybersecurity Awareness Month Topics and Tips

October is National Cybersecurity Awareness Month (NCSAM), a joint effort involving the U.S. Department of Homeland Security and its partners, including the National Cyber Security Alliance. The cybersecurity awareness campaign spans an entire month because real concerns require extensive attention.

The Mission: Raise awareness and promote good cyber hygiene (consistent habits will improve your personal cyber health).

Every week, a different theme will be explored. Whether you participate in one event or all of them, you’ll gain valuable insight and tips that you can apply immediately.

Here’s the schedule:

  • 10/2–10/6 – Simple Steps to Online Safety: Learn more about the top consumer cybersecurity concerns, how to address them, and tips for helping public victims of cybercrimes.
  • 10/9–10/13 – Cybersecurity in the Workplace Is Everyone’s Business: Discover how your organization can protect itself against cyber threats and how to empower employees to participate in safeguarding the company.
  • 10/16–10/20 – Today’s Predictions for Tomorrow’s Internet: Learn how sensitive, personal information powers smart cities, connected devices, digitized records, smart cars, and homes, and what you can do to use these innovations securely.
  • 10/23–10/27 – The Internet Wants You: Careers in Cybersecurity: By 2022, the cybersecurity sector will be short nearly 2 million information security workers. Learn how to encourage students and job seekers to explore cybersecurity careers.
  • 10/30–10/31 – Protecting Critical Infrastructure from Cyber Threats: Our infrastructure (traffic lights, running water, phone service, etc.) depends on the Internet. Learn why building resilience in this infrastructure is crucial to our national security.

Reasons to Engage Every Week

Cybersecurity should always be a priority, and NCSAM reminds us that it’s a shared responsibility. Businesses, governments, and individuals must make cybersecurity awareness part of their culture, and ePlace Solutions’ training and awareness materials can help you and your organization decide the best ways to remain secure.

Stay tuned for our updates next month on NCSAM’s themes!

FINRA Highlights Common Cybersecurity Issues for Broker-Dealers

The Financial Industry Regulatory Authority (FINRA) published a series of three videos to highlight and provide guidance on common cybersecurity issues facing broker-dealers and investment advisors.

FINRA compiled the video series in response to cybersecurity deficiencies noted during examinations of member firms. The videos also offer several mitigation measures to help address these cybersecurity issues.

FINRA Cybersecurity Videos

Cybersecurity – Part I: In the first part of a three-part series, the speakers discuss common deficiencies seen during examinations of firms’ cybersecurity programs.

Cybersecurity – Part II: In the second part, the speakers discuss formalizing the oversight of cyber programs and strengthening controls around access to data and systems.

Cybersecurity – Part III: In the final part, the speakers discuss vendor management, branch controls and data protection.

Firms regulated by FINRA should review the videos and recommended security measures to know what to expect when the examiners come knocking at the door.

CFPB Inks First Cybersecurity Enforcement Action

The Consumer Financial Protection Bureau (CFPB) put on its gloves and stepped into the cybersecurity ring with a consent order with payment processor Dwolla. At first glance, the thought was, “Oh great, another agency with another enforcement action. Nothing new here.” But a closer look shows a few interesting things starting to appear.

Dwolla Consent Order

Let’s start with a look at the consent order. It gives some facts about Dwolla:

  • The company offers a payment processing platform.
  • Customers make payments via the web browser or mobile app.
  • The company has about 650,000 customers.
  • They transfer up to $5 million a day.

Setting up an account and using the service requires customers to provide Dwolla with several pieces of information, some of which customers probably want to be kept confidential. The information includes:

  • Name
  • Address
  • Date of Birth
  • Social Security Number
  • Phone Number
  • Bank Account Number
  • Routing Number
  • Username
  • Password
  • 4-Digit PIN

Sensitive information, to say the least. But Dwolla understands this, and it reassures customers that their information is safe. Specifically, Dwolla boasts that its data security practices “exceed industry standards” and “set a new precedent for the industry for safety and security.” On top of that, Dwolla says it encrypts data “utilizing the same standards required by the federal government.” Page 6 of the consent order has more quotes from Dwolla about its top-notch data security measures.

To a normal customer, that kind of protection sounds pretty good, right? Those are solid reasons to become a Dwolla user. However, the CFPB found these claims to be false and deceptive. Specifically, the CFPB alleges that Dwolla failed to:

  • Adopt and implement reasonable data security policies and procedures,
  • Reasonably identify potential security risks,
  • Provide adequate training to employees handling customer information,
  • Use encryption to protect customer information, and
  • Deploy secure software for customer-facing applications.

Key Takeaway

A few issues became apparent after the Dwolla enforcement action:

More Cybersecurity Enforcement: OK, this one is easy. Again, the first thought was, “Here we go again. Yet another regulatory agency is joining the mix in cybersecurity.” If your company is regulated by the CFPB, you have another watchdog to worry about.

Pre-Breach Enforcement: The next thought on reading this story was, “Where is the breach?” There is no news of Dwolla suffering a security breach. Are we seeing a change of focus from post-breach to pre-breach enforcement? It feels like a trend might be starting. The FTC brought an enforcement action against ASUS for its poor cybersecurity practices rather than for a breach that actually occurred. The takeaway here may be that big, headline-grabbing breaches are no longer a prerequisite for enforcement actions.

Enforcement Targets: So, if there was no breach, how did Dwolla become a target for investigation and enforcement? Did the CFPB receive an insider tip? Did they get a customer complaint? Was it a simple review of Dwolla’s privacy claims? With no clarity here, companies under CFPB regulation should review their privacy and data security practices.

The biggest takeaway is that cybersecurity enforcement can come from anywhere and at any time. It would behoove all companies to proactively address their privacy and data security practices by implementing reasonable data security policies, training their employees, and adopting best practices for protecting customer data (e.g., encrypting sensitive customer information).

How to Participate in Cybersecurity Information Sharing

At the end of 2015, the Cybersecurity Information Sharing Act of 2015 (CISA) was passed, as we reported previously.

As mandated by the CISA, the Department of Homeland Security (DHS) released guidance to assist private sector and federal entities in sharing cyber threat indicators with the Federal Government. DHS also released interim policies and procedures relating to the receipt and use of cyber threat indicators by federal entities, interim guidelines relating to privacy and civil liberties in connection with the exchange of those indicators, and guidance to federal agencies on sharing information in the government’s possession.

Cybersecurity Information Sharing Act Passes Senate

The U.S. Senate passed the Cybersecurity Information Sharing Act (CISA) in response to the recent increase in cyber attacks. CISA is designed to promote and incentivize the sharing of Internet threat information between organizations and the government, with the intent of preventing cyber attacks.

The incentive for private organizations to participate and share threat information is legal immunity from privacy and antitrust lawsuits. Sharing information with the U.S. government will remain voluntary.

Supporters of the bill include the Department of Defense, the White House, the Chamber of Commerce, and several financial industry groups. President Obama has offered support for the proposed legislation and is expected to sign the bill.

SEC Settlement: Cybersecurity Policies

The Securities and Exchange Commission announced a settlement agreement with investment advisor R.T. Jones Capital Equities Management that includes a $75,000 penalty.

The SEC found that the firm had failed to establish the required cybersecurity policies and procedures before it suffered a data breach in 2013, when attackers gained access to data on one of its servers and compromised the personally identifiable information of about 100,000 individuals.

In the aftermath, R.T. Jones brought in a forensics team to analyze the attack and provided notice and identity theft monitoring to the potentially affected individuals.

What They Did Wrong

R.T. Jones did not adopt the written policies and procedures required under the safeguards rule, which are intended to protect customer information.

More specifically, R.T. Jones failed to conduct a risk assessment, implement a firewall, encrypt PII stored on its server, or have a response plan in place for cybersecurity incidents.

Remedial Efforts

R.T. Jones took several actions to mitigate the risk of a future attack. These include:

  • Appointing an information security manager to oversee data security
  • Adopting and implementing a written information security policy
  • No longer storing PII on its webserver
  • Encrypting PII stored on its internal network
  • Installing a firewall and logging system to prevent and detect malicious intrusion
  • Retaining a cybersecurity firm to provide continuous reports on the firm’s IT security

SEC Comment

“As we see an increasing barrage of cyber-attacks on financial firms, it is important to enforce the safeguards rule even in cases like this when there is no apparent financial harm to clients,” said Marshall S. Sprung, Co-Chief of the SEC Enforcement Division’s Asset Management Unit. “Firms must adopt written policies to protect their clients’ private information and they need to anticipate potential cybersecurity events and have clear procedures in place rather than waiting to react once a breach occurs.”

The SEC also released an Investor Alert to provide guidance on what steps to take if investors are victims of identity theft or a data breach.

SEC Cybersecurity Examinations: What You Need To Know

The Office of Compliance Inspections and Examinations (OCIE) of the Securities and Exchange Commission (SEC) released a Risk Alert to announce the second round of cybersecurity examinations as a part of its 2015 Examination Priorities.

These examinations follow up a previous round in which examiners interviewed 100 broker-dealers and investment advisers and reviewed their documents. Observations from those examinations were published in February 2015. This subsequent round of examinations will focus more on testing broker-dealers’ and investment advisers’ implementation of firm procedures and controls.

While the examiners might include additional areas of risk, the upcoming round of OCIE examinations will focus on the following areas:

Governance and Risk Assessment

  • Whether firms are evaluating cybersecurity risks
  • Whether firms’ controls and risk assessment processes are tailored to their business
  • The level of communication and involvement of senior management / board of directors

Access Rights and Controls

  • How firms control access to systems and data using credentials, authentication, and authorization

Data Loss Prevention

  • How firms monitor the content transferred outside the firm through email or uploads
  • How firms monitor for potentially unauthorized data transfers
  • How firms verify the authenticity of a customer request to transfer funds

Vendor Management

  • Vendor management controls and practices with due diligence, oversight of vendors, and contract terms
  • How vendor relationships are viewed as a part of the risk assessment process
  • How firms determine the appropriate level of due diligence to conduct on a vendor

Training

  • How training is tailored to specific job functions
  • How training is designed to promote responsible employee and vendor behavior
  • How procedures for responding to cyber incidents are integrated into personnel and vendor training

Incident Response

  • Whether firms have established policies, assigned roles, assessed system vulnerabilities, and developed plans to address possible incidents