industryFinancial services industry companies were involved in 18% of the over 300 data security incidents we helped manage in 2015, and reported in our 2016 BakerHostetler Data Security Incident Response Report (the “Report”). After healthcare, the financial services industry was the second most affected industry according to the data we reported.

It is not surprising that cyber criminals target financial services companies. They do so for the same reason that Willie Sutton robbed banks – the financial services industry is where the money is.  But financial services companies should not be just looking at outside threats as they assess their risk profile.  The majority of incidents we reported – nearly a third – were caused by employee negligence or malfeasance, with hacking and malware a close second.

The Report also reveals an uptick in regulatory scrutiny of incidents involving financial services companies. In nearly all of the reported incidents requiring regulator notification, state regulators made further inquiries.  We also saw an increase in investigations into incidents by regulators, including regulators who have only in recent years become active in cyber security enforcement, such as the Security and Exchange Commission (SEC), National Credit Union Administration (NCUA), Financial Crimes Enforcement Network (FinCen), Financial Industry Regulatory Authority (FINRA). In some instances we are seeing detailed scrutiny by financial services regulators of incident involving small numbers of customers – approximately 500 or less – as regulators appear to be using incident investigations and a basis for developing a deeper understanding of the cyber-security practices of financial services companies.

The increased regulatory scrutiny of the financial services industry data shown by the report is not surprising in light of the significant pronouncements we have seen on cyber security from financial services regulators in 2015. For example, FINRA issued a report on cybersecurity practices and the New York Department of Financial Services (NYDFS) issued a letter setting forth an extensive cybersecurity regulatory framework proposal. The Federal Financial Institutions Examination Council (FFIEC) also created a Cybersecurity Assessment Tool to help institutions identify their risks and determine their cybersecurity preparedness.  All three regulators have encouraged financial service organizations to have specific plans in place to prepare for a data security incident.

The 2015 FINRA Report on Cybersecurity Practices is representative of pronouncements we are seeing from many financial services regulators on cybersecurity.  It encourages financial organizations to implement the following best practices:

  1. Create frameworks that involve senior management, incorporate the organization’s risk tolerance, and allow for risk assessments that help improve the framework over time.
  2. Identify the sources of potential cybersecurity threats and prioritize the areas in most need of improvement given the organization’s risk tolerance.
  3. Take specific actions to protect software and hardware that contain data, especially data subject to cybersecurity threats.
  4. Implement procedures for responding to cybersecurity incidents and define roles for individuals in charge of incident response.
  5. Take a risk-based approach to selecting, engaging, and monitoring third party service providers.
  6. Provide employees and other authorized users of the organization’s systems with training appropriate to their specific responsibilities and the types of data they may access.
  7. Create and deploy an effective cyber intelligence program using all resources available to the organization.
  8. Periodically review the adequacy of an organization’s cybersecurity coverage to determine if the policy aligns with threats identified by the organization’s risk assessment(s) and ability to bear losses. Organizations that do not have cyber insurance should evaluate the cyber insurance market to determine if coverage is available that would enhance the organization’s ability to manage the financial impact of a cybersecurity event.

On the enforcement side, in September 2015, the SEC reached a settlement with a St. Louis-based investment adviser on charges that it failed to establish required cybersecurity policies and procedures in advance of a breach affecting the personally identifiable information (PII) of 100,000 individuals. Notably, there was no evidence of any harm to clients as a result of the hack. Despite the lack of harm, the SEC announced its intention to enforce the Safeguards Rule “even when there is no apparent financial harm to clients.” It also cautioned financial firms to adopt written policies to protect customers’ private information and to “anticipate potential cybersecurity events and have clear procedures in place rather than waiting to react once a breach occurs.”

Given the increased regulatory scrutiny facing financial services organizations, in preparing for the impact of a data security incident, organizations should consider the likelihood that a regulatory investigation will follow. Organizations would be wise to consider purchasing cyber-insurance or reevaluate existing policies to ensure that regulatory investigations are covered.

Photo of Gerald J. Ferguson Gerald J. Ferguson

Gerald Ferguson currently serves as the Intellectual Property, Technology and Media Group Coordinator for the firm’s New York office. Mr. Ferguson also serves as the national leader of the firm’s Privacy and Information Security group. He has worked with companies to create national…

Gerald Ferguson currently serves as the Intellectual Property, Technology and Media Group Coordinator for the firm’s New York office. Mr. Ferguson also serves as the national leader of the firm’s Privacy and Information Security group. He has worked with companies to create national and global privacy policies. He has extensive experience advising companies regarding compliance with state breach notification laws. Mr. Ferguson is able to advise clients regarding notification obligations quickly and efficiently using a state-by-state survey of the 47 jurisdictions with breach notification laws that is regularly updated by Baker Hostetler’s Privacy and Information Security group. As part of his proactive approach to an incident response, he works with forensic consultants to develop the substantive opinions necessary to support a determination that disclosure of a breach is not required when possible. If disclosure is required, he uses a team approach to carefully manage the process in a cost-effective and efficient manner that focuses on minimizing reputational harm.

Mr. Ferguson is Chairman of the Intellectual Property Committee of the New York State Bar Association, International Law and Practice Section.