The financial services sector must already contend with a maze of regulations in a variety of areas, and 2023 is poised to usher in new cybersecurity regulations for the industry. Organizations should ensure their security programs are prepared to meet the coming wave of compliance requirements. Here is our take on four major legal developments that financial services companies should track this year.
Cyber Incident Reporting
A major U.S. regulatory trend in 2022 was the establishment of requirements to report cyber incidents to government agencies. This is an additional affirmative obligation on top of the traditional personal data breach notification requirements. Several cyber incident reporting rules for the financial services sector have recently become effective or will enter into force in 2023.
In general, these rules require financial institutions to submit a report to regulators after experiencing a significant service disruption, network intrusion, or unauthorized access to sensitive information. In some cases, such as under the New York Department of Financial Services (NYDFS) regulations, there is also an obligation to report to regulators if a ransom is paid. Here is a high-level rundown of the rules:
Federal Deposit Insurance Corporation (FDIC), Federal Reserve, Office of the Comptroller of the Currency (OCC): Banking organizations
- Status - Entered into force in 2022
- Report actual compromise to information or systems reasonably likely to cause material disruption. Report as soon as possible, within 36 hours of determining a "notification event" occurred.
Federal Trade Commission (FTC): Non-banking financial institutions under the Gramm-Leach-Bliley Act
- Status - Proposed
- Report misuse of customer info if reasonably likely to affect more than 1,000 customers. Report as soon as possible, within 30 days of discovering the event.
Commodity Futures Trading Commission (CFTC): Derivatives clearing organization
- Status - Proposed
- Report any security incident, threat, or malfunction that could compromise automated systems, information, or services, including impairments of third-party-provided services. Report "promptly."
National Credit Union Administration (NCUA): Federally insured credit unions
- Status - Proposed
- Report actual or imminent compromise leading to disruption of operations, access to sensitive data, or supply chain compromise. Report within 72 hours.
NYDFS: NYDFS-regulated or licensed orgs
- Status - Proposed update
- Report extortion payments within 24 hours; report due diligence updates within 30 days after payment. Note: NYDFS already requires reporting of cyber incidents no later than 72 hours.
In addition, 2023 may see cyber incident reporting rules for critical infrastructure from the Cybersecurity and Infrastructure Security Agency (CISA), as well as for publicly traded companies under the Securities and Exchange Commission (SEC). There is very little reciprocity for these regulations, meaning financial services organizations subject to multiple regulations must likely submit multiple cyber incident reports. Organizations should analyze their regulators' reporting requirements and ensure they are capable of reporting on cybersecurity incidents in the formats and timelines required.
GLBA Safeguards Rule
The Gramm-Leach-Bliley Act (GLBA) Safeguards Rule is getting a major overhaul this year. As a result, many non-banking financial institutions will need to implement new governance and security safeguard requirements for customer information by June 9. There is a lot in the new rule, but here are a few highlights.
- Governance: The updated rule will require that the security program be overseen by a qualified individual, who must report regularly, in writing, to the organization's board of directors on all material matters related to the information security program. [16 CFR 314.4(i)]
- Safeguards: When it comes to safeguards, the old rule required non-bank financial institutions to have safeguards to control any risks identified during a risk assessment. The new rule requires a more comprehensive risk assessment, as well as specific security safeguards in the areas of access controls, asset inventory, encryption, secure development, multifactor authentication, secure disposal, and user monitoring. [314.4(b)-(c)]
- Testing: The new rule also has new testing requirements. While the old rule required regular testing of security safeguards, the new rule now requires that the regular testing include continuous monitoring or regular penetration testing and vulnerability assessments. [314.4(d)]
Whether and how these requirements may apply to your organization may require a fact-specific analysis of particular services or business or operational functions. Moreover, several of these requirements do not apply to organizations that maintain information concerning fewer than 5,000 customers. [314.6] Non-banking financial institutions should reassess their organizational cybersecurity programs by June, in collaboration with legal counsel and security pros, to ensure they remain in compliance with the FTC's new requirements for protection of customer information.
NYDFS Cybersecurity Rule
The New York State Department of Financial Services (NYDFS) announced a significant update to its cybersecurity regulation for financial institutions licensed or chartered by NYDFS. The final rule is expected in 2023, with most of the new requirements entering into force 180 days after the final rule. As with the GLBA Safeguards Rule update, many of the changes can be broadly categorized as relating to governance, security safeguards, and testing. Here are some highlights.
- Governance: The proposed rule requires the Board and the CEO to be more involved in oversight of the organization's cybersecurity risk management. [23 NYCRR 500.4(d)] The Board must also annually approve organizational cybersecurity policies and review any noncompliance or material problems. [500.3, 500.17(b)]
- Safeguards: The proposed rule requires covered entities to implement additional safeguards beyond what the old rule required. While the current rule requires covered entities to limit user access privileges, the proposed rule would require limiting all access privileges only to what is necessary, reviewing access privileges annually, and removing unnecessary access. [500.7] Among other things, the new rule also requires business continuity and recovery plans [500.16], annual cybersecurity awareness training, and controls to block malicious code. [500.14]
- Testing: The proposed amendment upgrades requirements for testing the effectiveness of the cybersecurity program. The old rule requires either continuous monitoring or annual penetration testing and biannual vulnerability assessments. The proposed rule requires both annual penetration scanning and automated vulnerability scans, as well as processes to identify and remediate new vulnerabilities. [500.5]
In addition, the proposed rule establishes new requirements for reporting cyber events and extortion payments [500.17(a)-(c)], as well as enhanced security safeguards for large companies (such as annual audits). [500.2(c)] As with the GLBA update, security and legal teams should partner to evaluate organizational processes to help ensure compliance with the final rule.
CPRA and State Privacy Law Applicability
The California Privacy Rights Act (CPRA) will be enforced starting July 1, 2023. Like many of the state privacy laws, CPRA largely exempts data subject to GLBA and FCRA [Cal. Civ. Code 1798.145(e)], but there are notable exceptions financial institutions should be aware of.
CPRA provides consumers with a private right of action for breach of personal information that occurs due to failure to maintain reasonable security practices, and data subject to GLBA or FCRA are not exempt from this private right of action. [1798.150]
Moreover, CPRA continues to apply to personal data that is not subject to GLBA or FCRA. While the GLBA Safeguards Rule applies to personal information of customers with whom there is a financial services relationship [16 CFR 314.2(c)-(e)], CPRA applies to personal information of non-customers in California as well. This can include, for example, personnel information, business contacts, or personal data collected through marketing websites that relate to California residents. CPRA continues to require financial institutions to implement reasonable security procedures to protect such non-GLBA personal information—along with other CPRA requirements, such as providing rights to access, delete, and correct personal data.
In contrast, the Colorado Privacy Act exempts both data subject to GLBA and the financial institutions regulated under GLBA. [Colo. Rev. Stat. 6-1-1304(2)(j)(II), 6-1-1304(2)(q)]
As state privacy laws—and perhaps federal legislation—are proposed and implemented over 2023, financial institutions will benefit from tracking the extent to which their activities, customer information, and institutional status are exempted or covered.
Keeping Pace with the Latest Developments
With the incoming changes to the cybersecurity regulatory landscape, financial services organizations should assess their internal security programs to ensure their governance, security safeguards, and testing processes are in compliance. In addition, financial services organizations should ensure they have an internal process for assessing and reporting cybersecurity incidents to multiple government bodies.
Venable has experienced attorneys and professionals working in financial services, payments, cybersecurity, privacy, and other related fields who can help you sort through these issues. Implementing these upcoming requirements will take time and resources, and it is essential for companies to be proactive in addressing them. We anticipate federal, state, and international cybersecurity regulations will continue to evolve in the coming years, and now is the best time to get ahead of the curve.
Contact Harley Geiger with any questions.