Navigating in a Mangled Web of Cyber Compliance

By Brad Agee and Charles Duckett | August 30 2018

In Europe, compliance is comparatively straightforward about how much weight cybersecurity must carry and whom the rules cover. The EU's all-encompassing regulations, such as the GDPR, apply to the personal data of anyone in the EU, with no exception, and are far more specific than their American counterparts. Here in the United States, there is a mangled web of state-by-state regulations with vague but broad federal regulations in the mix. Failure to comply with this complex mess can result in unexpected penalties or lawsuits brought by disgruntled customers, aggressive state attorneys general, or zealous federal commissions. There are measures that make an institution a model for consumer information protection, and measures that keep it from becoming prey because it neglected to maintain its security as threats change. The cost escalates quickly: fines can range from $5,000 to potentially millions of dollars. Neglect can also lead to leaks that damage brand reputation or company assets, which can in turn cascade into stock performance.

The Federal Trade Commission (FTC) is the primary federal regulatory body overseeing the protection of consumers and their data. It implements regulations and uses them to respond to consumer complaints, citing regulations and various statutes as the justification and jurisdiction for the cases it chooses to pursue. Typically, the FTC relies on the FTC Act when a consumer's information has been compromised. When a financial institution within the FTC's jurisdiction (non-bank financial institutions) is under scrutiny, the FTC will also invoke the Gramm-Leach-Bliley Act (GLBA) and its Safeguards Rule. A complaint only reaches the FTC after an incident has occurred, so to avoid such incidents it is imperative for financial institutions to be proactive about their cybersecurity programs. A proactive cybersecurity program is, at bottom, a commitment to averting carelessness. Mothballing one is the first step in a long line of unforeseen litigation and losses.

The FTC has set a precedent: it is far more likely to act on a complaint when there is evidence of careless behavior toward insider threats, third-party vendor risks, obvious cloud or network weaknesses, and the like, even though the regulations it enforces address these aspects of cybersecurity only in general terms. Protecting the consumer is its paramount ideal, and it considers these areas worthy of intense scrutiny in pursuit of that ideal.

Averting carelessness is the essential nature of compliance. The regulations demanding compliance from financial institutions are the GLBA and the Consumer Financial Protection Bureau's (CFPB) Regulation P, which implements the GLBA privacy provisions. For instance, the GLBA Privacy Rule demands "clear and conspicuous" privacy notifications for consumers, which in practice usually concern "opt-out" clauses. This is more a matter of notice and process than of technical security. The Safeguards Rule under the GLBA, by contrast, requires protections against risks to the security, confidentiality, and integrity of consumer information. That demands a reasonable set of cybersecurity measures, including risk assessments, supply-chain assessments, network integrity, insider threat prevention, and others.

Financial institutions that commit to averting carelessness also carry an inherent responsibility in their relationship with the Securities and Exchange Commission (SEC) and its regulations. Because securities trade on a worldwide market at extreme speed, the SEC demands timely disclosure of "material" risks to potential investors whenever there is a possible impact on business operations or a reputational risk. The disclosure requirement is extremely vague, but that vagueness can work to an institution's advantage if a well-developed cybersecurity plan is already in place.

"Material" can extend to virtually any risk or incident in the cybersecurity domain. If the SEC judges a reported risk too great for potential investors, it has the authority to suspend trading in the affected securities. To avoid that dreaded halt, a well-developed cybersecurity program can streamline potential audits by keeping information properly organized and can reduce how often material incidents occur. Good auditing can also help avoid arduous investigations by the Financial Industry Regulatory Authority (FINRA), which oversees broker-dealers and aims to prevent the alteration or destruction of records in the interest of investors. Ironing out cybersecurity deficiencies can cut potential risk substantially through consolidation of the network and appropriate policies and procedures. Those policies and procedures might include multifactor authentication for network access or encryption of all consumer data. The list is endless, and extends as far as the financial institution desires and as far as an appropriate return on investment (ROI) allows.

States have recently ushered in a new wave of their own cybersecurity laws, with California leading the charge. California aside, these laws are not especially expansive or comprehensive, but they do demand attention. Every state now requires notification of a data breach, although the time allowed to report one varies state by state. States also differ on data disposal requirements and security freezes.

About Domain5:

Domain5 is committed to providing holistic support to institutions of any size at an effective return on invested capital (ROIC). This support entails deploying every available resource from a wide range of sources for the explicit benefit of our clients. Our support extends to risk assessments of current networks, information security, a dynamic CISO-as-a-Service program, and thorough compliance advice. Domain5 recognizes the absolute necessity of maintaining proper cybersecurity awareness while allocating resources effectively.