New Year, New Scrutiny: Financial Institutions To Face Increased Cyber Regulation in 2016
If you’re a financial institution (FI) executive worried that your cybersecurity measures aren’t as robust as they should be, it turns out that industry regulators might share your concern.
Financial services was one of the top three industries impacted by cyber breaches in 2015.* While headline-grabbing incidents at several large financial institutions drew the most attention, hundreds more incidents have occurred across the industry in the past few years, at institutions ranging from banks to insurers to mutual funds to brokerage houses.
Regulatory and watchdog agencies have taken note, and are now turning up the heat on FIs’ cybersecurity practices. American Banker reports that “regulators are planning to make cyber defense a higher priority during…exams as early as the second quarter of .”
Guiding those agencies is the Federal Financial Institutions Examination Council (FFIEC), which provides specific cybersecurity guidance to prudential regulators and the institutions they regulate. Last summer, the council released on behalf of its member organizations a highly anticipated — and well received — Cybersecurity Assessment Tool to help FIs identify risk and assess preparedness.
While not compulsory, the tool is particularly significant because it may affect how courts hearing civil lawsuits in 2016 will assess an institution’s preparedness — and how directors and officers met their responsibilities to create and maintain cybersecurity. Directors and officers at FIs would do well to heed its content.
State agencies are also stepping up the cybersecurity drumbeat. In September, for example, the Texas Department of Banking began “requiring that all banks measure their inherent cyber risks and cybersecurity maturity by December 31, 2015,” adding that the department’s examination staff “will begin reviewing completed cybersecurity assessments starting January 1, 2016.”
Meanwhile, New York’s Department of Financial Services’ cybersecurity requirements are already so stringent and sophisticated that they are expected to be applied nationwide this year. They include:
- Multi-factor authentication for customers, employees, and service providers.
- Regular audits and penetration tests.
- Strict new policies for third-party providers.
For financial institutions, the increased regulatory scrutiny should serve as a reminder of the critical importance of shoring up cyber defenses. The harm caused by online intrusions extends well beyond fraud losses. Intrusions can also increase litigation exposure and, perhaps even more concerning, they can damage an institution’s reputation and brand — and with it, customer confidence and trust. That is a wound from which it can be difficult to recover, and that is why diligence is so critical.
* Source: Verizon, 2015 Data Breach Investigations Report