Regulatory Focus on Cyber-readiness is Expanding
Much regulatory attention at both the federal and state levels is focused on non-banks’ cyber-readiness. In August, 2022, the Consumer Financial Protection Bureau (CFPB) released its circular 2022-04 confirming that a company’s failures to safeguard consumer information entrusted to its care, even if unintentional, could be viewed as an “unfair act or practice.” Consumer Financial Protection Circular 2022-04: Insufficient data protection or security for sensitive consumer information | Consumer Financial Protection Bureau (consumerfinance.gov)
The CFPB’s announcement signals the third major regulatory development related to non-banks’ cybersecurity programs and confirms the Bureau’s support for the way the Federal Trade Commission (FTC) has viewed companies’ failures to keep the privacy promises they make to consumers over the past two decades: as an unfair act or practice. Eli Lilly Settles FTC Charges Concerning Security Breach | Federal Trade Commission Meanwhile, the FTC itself has finalized and published a new and improved Safeguards Rule which has an effective date in roughly 100 days (on December 9, 2022), FTC Strengthens Security Safeguards for Consumer Financial Information Following Widespread Data Breaches | Federal Trade Commission. The updated FTC Safeguards Rule spells out some features the FTC expects company’s information security programs to include. In addition, state regulators have released data security tools and inspection protocols for use in overseeing the activities of nonbanks. Earlier last month the Conference of State Bank Supervisors (CSBS) released detailed tools to be used by state examiners nationwide to assess the cyber-preparedness of nonbank entities. CSBS Releases Nonbank Cybersecurity Exam Procedures | CSBS This summer the New York Department of Financial Services (NYDFS) released draft amendments to its Part 500 Cybersecurity Rules with only a brief month-long comment period, which would add a mandatory 24-hour notification for cyber ransom payments, annual independent cyber audits for larger entities, as well as some other beefed-up expectations for board oversight. The proposed comment period ended August 18, 2022, and we await the NYDFS next steps. NYDFS proposes significant cybersecurity regulation amendments | Data Protection Report
How to Prepare?
What are some practical things a company can and should do now to be prepared for this heightened regulatory interest in data security? The CFPB emphasized the importance of implementing “common data security practices.” In addition to assuring your organization has performed a recent and up-to-date data security gap assessment and that your organization’s written information security program is current, comprehensive, and well-known to your workforce – here are three additional data security specifics called out by the CFPB: (1) using the security enhancement known as “multi-factor authorization” or MFA for both employees and consumers accessing systems or accounts that contain consumers’ non-public information; (2) beef up all password management programs such as assuring that there are processes in place for security incidents that may compromise passwords so that employees and consumers alike are notified immediately that they must reset passwords and that an incident or breach has potentially put their access controls at risk; and (3) have a software update and maintenance program in place that assures that all updates, enhancements, security patches, and other means for updating systems, software, and code promptly. The CFPB has reminded the public that the Equifax 2017 data security incident related to a failure to patch a known vulnerability, giving hackers access to nearly 150 million consumers’ information within Equifax’s systems.
Where to Start?
If you are unsure where to start, check with an information security expert or take a look at the written information security program tools recently published by CSBS CSBS Releases Nonbank Cybersecurity Exam Procedures | CSBS or the HIPAA data security tool recently updated by NIST SP 800-66 Rev. 2 (Draft), Implementing the HIPAA Security Rule | CSRC (nist.gov). In addition, the Commonwealth of Massachusetts publishes a sample “written information security program” among the materials it makes available for public use right here https://www.mass.gov/files/documents/2016/08/rg/wisp.pdf