Federal and state legislation say surprisingly little about how ordinary American businesses should manage their cybersecurity. However, financial services and insurance firms are not ordinary businesses. Because of their tendency to deal with sensitive personal data such as social security numbers, bank accounts and tax records, financial services and insurance firms are subject to a handful of cybersecurity laws that other businesses are not.
A financial services business’s exact cybersecurity obligations may vary according to whether the firm is public or private and where it is based. The main laws, regulations, and recommendations to be aware of are:
- Sarbanes Oxley Act of 2002 (SOX)
- Gramm-Leach-Bliley Act of 1999 (GLBA)
- New York State Department of Financial Services Cybersecurity Regulation of 2017 (23 NYCRR 500)
- Laws in all states pertaining to notification of security breach
Sarbanes-Oxley Act (SOX)
The Sarbanes-Oxley Act of 2002 is a federal law that imposes a range of financial record keeping and reporting obligations on all publicly traded companies in the United States, including all publicly traded financial services and insurance firms. The law was implemented in response to the wave of corporate accounting scandals in the early 200s, including Enron and WorldCom.
Many experts have noted that the job of complying with sections 302 and 404, which require businesses to establish and maintain adequate internal control structures for financial reporting, falls on IT departments. Although SOX doesn’t prescribe specific methods or technologies for being compliant, it does imply that companies should have strong information security protocols in place to protect financial data.
In 2016 a bill was introduced to amend SOX “to apply to cybersecurity systems and cybersecurity systems officers the same requirements regarding corporate responsibility for financial reports and managements assessments of internal control structures and procedures for financial reporting as apply to public companies subject to oversight by the Securities and Exchange Commission (SEC).”
This bill didn’t pass. However, the SEC published interpretive guidance two years later on public company cybersecurity disclosures, in which it said that cybersecurity risk-management policies and procedures are key elements of enterprise-wide risk management, including as it relates to compliance with federal securities laws.
The SEC continued, “We encourage companies to adopt comprehensive policies and procedures related to cybersecurity and to assess their compliance regularly, including the sufficiency of their disclosure controls and procedures as they relate to cybersecurity disclosure. Companies should assess whether they have sufficient disclosure controls and procedures in place to ensure that relevant information about cybersecurity risks and incidents is processed and reported to the appropriate personnel, including up the corporate ladder, to enable senior management to make disclosure decisions and certifications and to facilitate policies and procedures designed to prohibit directors, officers, and other corporate insiders from trading on the basis of material non-public information about cybersecurity risks and incidents.”
Gramm-Leach-Bliley Act (GLBA)
The Gramm-Leach-Bliley Act, also known as the Financial Services Modernization Act, is a federal law that requires businesses that are “significantly engaged” in “financial activities” to explain their information-sharing practices to their customers and to safeguard non-public personal information (NPI) collected about individuals.
Financial activities may include:
- Lending, exchanging, transferring, investing for others, or safeguarding money or securities;
- Providing financial, investment, or economic advisory services;
- Brokering or servicing loans;
- Collecting debt;
- Providing real estate settlement services; or
- Career counseling of individuals seeking employment in the financial services industry.
The GLBA doesn’t prescribe how businesses should safeguard NPI. Rather, it requires businesses to provide a clear privacy notice providing an accurate description of their current policies and practices with respect to protecting the confidentiality and security of NPI. The privacy notice must also include categories of information collected, categories of information disclosed (e.g. name, social security number, account information), and categories of affiliates and non-affiliated third parties to whom the information may be disclosed.
NYDFS Cybersecurity Regulation (23 NYCRR 500)
Given that New York City is the financial capital of the United States and the world, it’s no surprise that New York State has passed the strictest (and one of the only) state-mandated financial services cybersecurity regulations in the U.S.
The NYDFS Cybersecurity Regulation applies to any business operating under or required to operate under a license, registration or similar authorization under New York State’s Banking Law, Insurance Law, or Financial Services Law. It does not apply to a business with a combined total (including affiliates and independent contractors) of nine or less employees.
Among other things, businesses covered by the regulation are required to:
- Maintain a cybersecurity program designed to protect the confidentiality, integrity and availability of their information systems;
- Designate a qualified individual responsible for overseeing and implementing their cybersecurity program and enforcing their cybersecurity policy;
- Implement and maintain a written policy or policies, approved by a senior officer of their board of directors or equivalent governing body, setting forth their policies and procedures for the protection of their information systems and non-public information stored on those information systems;
- Conduct continuous monitoring or periodic penetration testing and vulnerability assessments, in order to assess the effectiveness of their cybersecurity program;
- Utilize qualified cybersecurity personnel, either internally or of an affiliate or third-party service provider, sufficient to manage their cybersecurity risks and to perform or oversee the performance of the core cybersecurity functions outlined by the regulation; and
- Notify the Superintendent of Financial Services “as promptly as possible but in no event later than 72 hours from a determination that a “cybersecurity event” (i.e. data breach) has occurred.
A handful of other states have passed or are in the process of debating cybersecurity legislation pertaining to financial services companies.
For example, Colorado’s Division of Securities adopted new rules in 2017 requiring investment advisers and broker-dealers to “establish and maintain written procedures reasonably designed to ensure cybersecurity.”
Massachusetts is currently considering a regulation that would require financial institutions to (1) identify reasonably foreseeable internal and external risks to the security of sensitive financial account information, and (2) design and implement safeguards to control these risks.
Notice of breach of security laws
All 50 states (and the District of Columbia) have laws requiring businesses of all types, including financial institutions and insurance companies, to notify users of security breaches.
The exact rules vary from state to state:
- Most states allow businesses to use forensic investigation to assess whether personal information has been compromised before triggering a notification to users. However, six states do not permit analysis, and require businesses to notify users even when it is not clear if personal information has been compromised.
- Most states do not require businesses to notify users if there has been a data breach but personal information has not been compromised. However, in five states, businesses are required to notify users even if no personal information has been compromised. (N.B. This is subtly different from risk of harm analysis – as always, check the statute in your state or consult a legal professional for more information).
- In 37 states and DC, businesses are required to notify state authorities and users when a notice of security breach is triggered. In the remaining 13 states, businesses only have to notify users.
See this recent CYREBRO blog post for a full state-by-state breakdown.
When it comes to upholding your financial services or insurance firm’s cybersecurity regulatory requirements, there are a couple of good places to start.
One is to look into getting certified for ISO 27001, as this covers compliance requirements laid down in SOX, the GLBA, and in PCI DSS, the information security standard for businesses that handle credit cards from the major card brands.
The other is to use the services of a managed Security Operation Center (SOC) platform, as this can provide the threat intelligence and incident response capabilities of a multi-billion dollar company at a price regular-sized financial services businesses can afford.