Financial Institutions and Cybersecurity: A Banker’s Guide to Surviving Cyber-Attacks in 2021


Cybersecurity experts have labeled 2019 “the worst year on record” for data breaches. According to a Bitglass report, financial institutions contributed 62% of the data exposed to cybercriminals in 2019. But by any measure, 2020 clearly surpassed 2019, making it likely the “worst year on record” for cyber-attacks. By December of 2020, COVID-19 had accelerated cybercrimes by 300% according to the FBI. Complicating matters, these cybercriminals are introducing an average of 82,000 new malware threats every single day.

It is no secret that this influx in cybercrime is yet another side effect of COVID-19. As companies shift toward virtual office environments, they consequently rely on employees’ use of personal devices and networks that have not undergone third-party security inspections and scrutiny. It is uncertain how far this problem extends – for example, how much confidential and private business data is flowing from employer emails and virtual desktops to personal phones or laptops? Assuming the employee is trustworthy with such data, what other apps or networks on their personal devices expose that data to outside sources?

What’s more – the overwhelming majority of today’s cyber-attacks target one common victim: financial institutions.

In an attempt to address these outbreaks, many expect the current administration to emphasize data protection policies through proposed rulemaking. The legislature is also expected to reform the Gramm-Leach-Bliley Act (GLBA) for tighter data management requirements on financial institutions.

Taken together, these developments leave financial institutions facing extreme pressure from clients, insurers, and regulators to diligently manage consumer data and personal information. Additionally, technology and the law are organic and highly specialized disciplines that cannot be easily monitored while growing a financial institution in 2021.

Below is a snapshot of the current cybersecurity discussion in financial markets around the country that can assist financial institutions as they manage and evolve their cybersecurity strategy in 2021.

Regulatory Forecast

The Biden administration has emphasized a renewed focus on consumer protection. Consequently, many expect increased activity at various agencies, including the Consumer Financial Protection Bureau (CFPB) and Federal Trade Commission (FTC).  

The Consumer Financial Protection Bureau (CFPB)

In general, financial institutions should expect increased CFPB activity in 2021. After the financial crisis of 2008-2009, President Obama established the CFPB to protect consumers from perceived corruption in banking practices. CFPB activity decreased in the following administration, but the current administration has already demonstrated a desire to return to Obama-level activity by replacing CFPB leadership with prior leadership.

Specifically, financial institutions will likely incur greater CFPB scrutiny for compliance with the CARES Act and its provisions for small-business loans. The CFPB is also expected to restore Obama-era priorities (e.g. discriminatory lending practices against minority borrowers, pay-day lending, etc.), with an eye toward strengthening federal-state partnerships to enhance performance.

By returning executive attention to the CFPB during a period of increased cyber-attacks on community banks, it stands to reason that the CFPB will be a pivotal tool in the federal arsenal against cybercrime. How financial institutions store and protect their CFPB data will likely become an increasing area of interest for regulators. 

Proposed Reporting Requirements

The Office of the Comptroller of the Currency (OCC), the Federal Reserve Board, and the Federal Deposit Insurance Corporation (FDIC) have proposed rulemaking that would require financial institutions to notify their federal regulator of any “computer-security incident” that rises to the level of a “notification incident” no later than 36 hours after learning of the event. Additionally, under the proposed rule, financial institutions would be required to notify their customers immediately upon learning of the incident.

The proposal defines “notification incident” as including cybersecurity incidents that could materially disrupt, impair, or degrade the financial institution’s operation or threaten U.S. financial stability. While the proposed rule anticipates de minimis impact on financial institutions, that impact assumes a certain level of automated customer communication and reporting procedures that some institutions may not have developed yet.

Legislative Forecast

In 2019, the Federal Trade Commission (FTC) proposed amendments to the Gramm-Leach-Bliley Act (GLBA), which is the seminal piece of legislation governing cybersecurity for financial institutions. Under the current Safeguards Rule, enacted in 2003, the GLBA mandates that all financial institutions subject to the GLBA maintain a set of procedures for managing non-public consumer information. Additionally, the Safeguards Rule requires all financial institutions to take steps to ensure their affiliates and service providers protect sensitive consumer data.

The FTC’s proposed amendments relate to the Safeguards Rule. As one cybersecurity analyst summarized, the amendments:

  • Expand the definition of a security event to preclude harm as an element. This means that any unauthorized access of customer information would constitute a security event;
  • Restrict access controls on information systems to authorized individuals only;
  • Require audit trails with time-stamped logs of user access and activities to timely detect and respond to security events;
  • Require real-time monitoring of user activity to detect abnormal activity from authorized users;
  • Limit retention of customer data that no longer serves a business purpose;
  • Test the effectiveness of access controls with periodic vulnerability assessments;
  • Take inventory of where customer information is saved.

It is unclear whether these amendments will pass in 2021. COVID-19 has certainly slowed their momentum. However, 2020’s increased cyber-attacks may renew Congressional interest in putting them into effect. 

General Considerations

Apart from expected regulatory and legislative action in 2021, financial institutions still retain a fiduciary obligation to diligently manage consumer data in the face of growing attacks. To that end, financial institutions should continue to develop best practices to protect consumer information. 

Vendor Management

Vendor management will be a priority. For example, a well-known vendor that sells commercial software for monitoring organizations’ networks was recently the victim of an attack. In 2020, a Russian-attributed attack on that vendor resulted in 18,000 of its customers installing malware on their systems. While the current administration has not yet proposed a specific response, it has made clear that vendor management will be crucial in the fight against cybercrime.

Effective vendor management (for both compliance and certainty) requires more than a sales demonstration. It requires a thorough analysis of vendor financials, SOC reports, security, and confidentiality. Having legal counsel review vendor contracts for regulatory compliance and effective security can provide significant assurances that the chosen vendors are protecting customer assets and minimizing legal exposure.

Privacy Policies

It is similarly important to have cybersecurity privacy policies in place and to ensure that employees are adequately trained on those policies. The GLBA’s privacy procedures are complex and can be difficult to navigate, but experienced counsel can simplify the process by identifying what language needs to be included in a financial institution’s privacy policies, where those policies need to be posted, and to whom they should be submitted.

Furthermore, with GLBA’s potential amendments, those policy procedures will also need to be amended. Having cyber-conscious counsel review and assist in drafting these policies will remain crucial for ongoing compliance and protection. 

Work From Home (“WFH”) Policies and Procedures

As stated at the beginning of this article, employers are attempting to navigate a possibly permanent change in the office environment. With virtual banking replacing the retail branch, financial institutions are not immune from this phenomenon, despite the sensitivity of data under their management. They are faced with the challenge of finding a WFH environment that is as safe and secure as an in-office environment.

To reach that goal, financial institutions will need to revisit, update and implement stronger technology policies into their employee handbooks. Those policies should incorporate not only cyber protection but also institutional protection for potential employee breaches. Having an employment and cyber attorney review existing policies and employee handbooks for best practices can better define, and better guide, employees in meeting the increasing future responsibilities in an ever-changing cybertechnology world. 

Incident Response

In 2019, Capital One incurred a class action after disclosing a massive breach impacting over 100 million customers. Not only did these customers suffer the risk of identity theft, but the bank itself saw a 5.9% decline in stock value upon announcing the breach. The bank received significant scrutiny from the press for this security incident and incurred over $100 million in direct loss to the bottom line.  

The community bank is not immune to these security, legal, or public relations risks when a breach does occur. This is particularly true where the community bank is just that – its community’s hometown bank – entrenched in decades of service to local businesses, families, and farms. 

Financial institutions should always have an incident response plan that anticipates and addresses the potential security concern, preserves institutional trust, and protects them from liability (from consumers and regulators). Further, it is not advisable to wait to seek that protection on the day of the breach. Banks should develop, with the assistance of outside counsel, a systematic plan that, at a minimum, anticipates and assures consumers, insurers, and regulators that sufficient protective measures are in place if and when an incident occurs. 

To emphasize a previous point, regulators and the legislature will likely increase reporting requirements for cyber breaches. Should these provisions pass, it will be important to review the existing incident response plan to ensure that it incorporates timely reporting processes.  

Conclusion

The ever-changing regulatory and technology environments of our world demand constant attention to the seen and unseen vulnerabilities in a financial institution’s operations. Storms occur regardless of how bright the sun shines today. And while that message may, unfortunately, sound ominous, the reality is that your financial institution, and the customers it serves, deserve your utmost attention to impending storms. Cybercriminals are getting more sophisticated and they are adapting in order to overcome existing protection efforts. 

To summarize, it is important to take inventory of (1) vendor agreements, (2) privacy policies, (3) employee technology policies, and (4) incident response plans. Analyze those relative to regulatory and insurance requirements and determine what steps need to be taken for maximum protection.

FMJ attorneys are here to help. If you have questions about the above information and are interested in learning more, please contact Jim Seifert at james.seifert@fmjlaw.com.

If you have questions about our Banking & Financial Institutions practice group, please contact David Runck at david.runck@fmjlaw.com.
