Financial services industry companies were involved in 18% of the over 300 data security incidents that we helped manage in 2015 and reported in our 2016 BakerHostetler Data Security Incident Response Report (the “Report”). After healthcare, the financial services industry was the second most affected industry according to the data we reported.
It is not surprising that cyber criminals target financial services companies. They do so for the same reason that Willie Sutton robbed banks – the financial services industry is where the money is. But financial services companies should not be just looking at outside threats as they assess their risk profile. The majority of incidents we reported – nearly a third – were caused by employee negligence or malfeasance, with hacking and malware a close second.
The Report also reveals an uptick in regulatory scrutiny of incidents involving financial services companies. In nearly all of the reported incidents requiring regulator notification, state regulators made further inquiries. We also saw an increase in investigations into incidents by regulators, including regulators who have only in recent years become active in cyber security enforcement, such as the Securities and Exchange Commission (SEC), National Credit Union Administration (NCUA), Financial Crimes Enforcement Network (FinCEN), and Financial Industry Regulatory Authority (FINRA). In some instances we are seeing detailed scrutiny by financial services regulators of incidents involving small numbers of customers – approximately 500 or fewer – as regulators appear to be using incident investigations as a basis for developing a deeper understanding of the cyber-security practices of financial services companies.
The increased regulatory scrutiny of the financial services industry shown by the Report's data is not surprising in light of the significant pronouncements we have seen on cyber security from financial services regulators in 2015. For example, FINRA issued a report on cybersecurity practices and the New York Department of Financial Services (NYDFS) issued a letter setting forth an extensive cybersecurity regulatory framework proposal. The Federal Financial Institutions Examination Council (FFIEC) also created a Cybersecurity Assessment Tool to help institutions identify their risks and determine their cybersecurity preparedness. All three regulators have encouraged financial services organizations to have specific plans in place to prepare for a data security incident.
The 2015 FINRA Report on Cybersecurity Practices is representative of pronouncements we are seeing from many financial services regulators on cybersecurity. It encourages financial organizations to implement the following best practices:
- Create frameworks that involve senior management, incorporate the organization’s risk tolerance, and allow for risk assessments that help improve the framework over time.
- Identify the sources of potential cybersecurity threats and prioritize the areas in most need of improvement given the organization’s risk tolerance.
- Take specific actions to protect software and hardware that contain data, especially data subject to cybersecurity threats.
- Implement procedures for responding to cybersecurity incidents and define roles for individuals in charge of incident response.
- Take a risk-based approach to selecting, engaging, and monitoring third party service providers.
- Provide employees and other authorized users of the organization’s systems with training appropriate to their specific responsibilities and the types of data they may access.
- Create and deploy an effective cyber intelligence program using all resources available to the organization.
- Periodically review the adequacy of an organization’s cybersecurity coverage to determine if the policy aligns with threats identified by the organization’s risk assessment(s) and ability to bear losses. Organizations that do not have cyber insurance should evaluate the cyber insurance market to determine if coverage is available that would enhance the organization’s ability to manage the financial impact of a cybersecurity event.
On the enforcement side, in September 2015, the SEC reached a settlement with a St. Louis-based investment adviser on charges that it failed to establish required cybersecurity policies and procedures in advance of a breach affecting the personally identifiable information (PII) of 100,000 individuals. Notably, there was no evidence of any harm to clients as a result of the hack. Despite the lack of harm, the SEC announced its intention to enforce the Safeguards Rule “even when there is no apparent financial harm to clients.” It also cautioned financial firms to adopt written policies to protect customers’ private information and to “anticipate potential cybersecurity events and have clear procedures in place rather than waiting to react once a breach occurs.”
Given the increased regulatory scrutiny facing financial services organizations, organizations preparing for the impact of a data security incident should consider the likelihood that a regulatory investigation will follow. Organizations would be wise to consider purchasing cyber-insurance or reevaluating existing policies to ensure that regulatory investigations are covered.