Regulatory Focus on Cyber-readiness is Expanding
Regulators at the federal and state levels are paying close attention to non-banks' cyber-readiness. In August 2022, the Consumer Financial Protection Bureau (CFPB) released its circular 2022-04. The circular confirmed that a company's failure to safeguard consumer information, even if unintentional, could count as an "unfair act or practice." Consumer Financial Protection Circular 2022-04: Insufficient data protection or security for sensitive consumer information | Consumer Financial Protection Bureau (consumerfinance.gov)
The CFPB announcement is the third major regulatory development tied to non-banks' cybersecurity programs. It also confirms the Bureau's support for how the Federal Trade Commission (FTC) has viewed these failures for the past two decades. The FTC treats a company's failure to keep its privacy promises as an unfair act or practice. Eli Lilly Settles FTC Charges Concerning Security Breach | Federal Trade Commission
The FTC has also finalized and published a new and improved Safeguards Rule. Its effective date is roughly 100 days out, on December 9, 2022. FTC Strengthens Security Safeguards for Consumer Financial Information Following Widespread Data Breaches | Federal Trade Commission. The updated rule spells out features the FTC expects in a company's information security program.
State regulators are active too. They have released data security tools and inspection protocols for overseeing nonbanks. Earlier last month, the Conference of State Bank Supervisors (CSBS) released detailed tools for state examiners nationwide to assess the cyber-preparedness of nonbank entities. CSBS Releases Nonbank Cybersecurity Examination Tools | Orrick InfoBytes
This summer, the New York Department of Financial Services (NYDFS) released draft amendments to its Part 500 Cybersecurity Rules, with only a brief month-long comment period. The amendments would add a mandatory 24-hour notification for cyber ransom payments, annual independent cyber audits for larger entities, and other stronger expectations for board oversight. The comment period ended August 18, 2022, and we await the NYDFS next steps. NYDFS Proposes Significant Changes to Its Cybersecurity Rules | Debevoise & Plimpton
How to Prepare?
So what can a company do now to prepare for this heightened regulatory interest? The CFPB stressed the importance of "common data security practices." Start with the basics.
Make sure your organization has run a recent, up-to-date data security gap assessment. Make sure your written information security program is current, comprehensive, and well-known to your workforce.
The CFPB also called out three specific practices:
- Use the security enhancement known as multi-factor authentication (MFA) for both employees and consumers who access systems or accounts that hold consumers' non-public information.
- Strengthen password management. Put processes in place for security incidents that may compromise passwords, so employees and consumers are notified immediately to reset passwords when an incident or breach may have put their access controls at risk.
- Keep a software update and maintenance program in place. Apply all updates, enhancements, and security patches promptly so systems, software, and code stay current.
The CFPB has reminded the public that the 2017 Equifax incident came from a failure to patch a known vulnerability. That gap gave hackers access to nearly 150 million consumers' information within Equifax's systems.
Where to Start?
If you are unsure where to start, check with an information security expert. You can also review the written information security program tools recently published by CSBS CSBS Releases Nonbank Cybersecurity Examination Tools | Orrick InfoBytes or the HIPAA data security tool recently updated by NIST SP 800-66 Rev. 2 (Draft), Implementing the HIPAA Security Rule | CSRC (nist.gov). The Commonwealth of Massachusetts also publishes a sample "written information security program" among its public materials, right here WISP sample template (Community InRoads).
Found This Useful? Let's Get You Set Up.
Start an application and an expert will tailor the next steps to your situation.