Navigating Cybersecurity on a Stretch of Regulatory Rapids
By Joanna Fields
As global cybersecurity regulation becomes increasingly complex, navigating legal exposure and reputational risk has become more akin to white-water rafting the Taos Box section of the Rio Grande. To steer successfully, one must be able to quickly identify obstacles or threats and then leverage the tools at one's disposal, such as "eddy cushions" (water that flows in the opposite direction from the rest of the river, which lets rafters slow down), to identify, detect, protect, respond and recover. As global capital markets have become increasingly dependent on complex technology networks and have seemingly embraced the arms race for speed, firms appear less apt to employ tools that force systems to slow down, which is in part driving "high side" global legislation and regulatory requirements.
On May 25, 2018, the EU will enact the Global Data Protection Regulation (GDPR), a set of rules addressing privacy and information sharing that could profoundly affect US firms transacting with EU clients. GDPR standardizes and replaces the existing, disparate cyber privacy and protection requirements that have been in place for years to protect EU citizens. Not unlike New York State requirements, GDPR imposes a 72-hour window to notify a client if there is a breach of data. If we take a moment to consider the recent Equifax breach, which took approximately two months to disclose, a 72-hour notification window is an important consideration for the development of external communication policies and procedures.
EU and US Conflux
All firms that store or carry EU client data will fall under the jurisdiction of GDPR. IP addresses, email addresses and other relevant client data should be scrutinized with regard to the sharing of personal information and whether EU client consent is required.
As financial firms strive to develop forward-thinking global cybersecurity frameworks to address the increasing risks of electronic trading, it is not uncommon to encounter a "sleeper" or two (a submerged rock or boulder without surface disturbance). These arise from the complexities of interacting regulatory forces, the lack of standardized global privacy requirements, and design requirements that call for agile, flexible detection and response programs able to react to highly sophisticated industry threats.
Moreover, regulatory reporting, data retrieval for liquidity risk assessment, capital calculations, and simply identifying every location where client data is used and stored within a firm are not as easy as they may seem. This issue is only amplified for global firms that may outsource business support to affiliated entities, use third-party vendors or transfer client data across borders. With regard to GDPR, it is important to note that data processors are governed by the new requirements, so wherever cloud technology is utilized, it will fall under the jurisdiction of this mandate.
US federal and state regulations vary in their notification requirements and data-sharing policies. Without a clear trip leader at the helm to disseminate guidance on how best to steer, and to plot a course that clearly identifies and articulates the hazards ahead, how can firms expect a smooth, safe trip?
While GDPR may seem inconvenient, it is a necessary step to consolidate a wide variety of differing standards and practices in Europe. Though some consider it "watered-down" regulation because of the need for agreement among several parties across varying jurisdictions, it sets a clear framework of acceptable standards for the use of personal data.
GDPR is not the only set of global privacy and control requirements that needs to be examined, yet it should be high on the priority list for 2018. In the US, financial firms are still getting their arms around federal and state requirements, as well as the SEC, CFTC and FINRA cybersecurity exam priorities.
Firms could breach or upset in heavy water caused by the compounding effect of exposure to regulatory penalties. For instance, a US firm could be fined under GDPR, and while these fines are knowable and capped at 20 million euros or 4% of global turnover, the same firm could additionally be fined for similar notification infractions by US regulators. Fines could be levied by multiple states and by five different federal agencies, including the SEC, the Fed, the OCC, the CFTC and FINRA.
Generally, with any cross-border requirement, it is difficult to build a viable solution or set of controls in a vacuum. There are also a number of recent, competing US regulatory requirements with cybersecurity considerations that will require focus from US firms. These include the updated Customer Due Diligence (CDD) Anti-Money Laundering (AML) requirements and the Consolidated Audit Trail (CAT) regulatory reporting requirements, both of which go into effect in 2018. If firms do not approach these regulatory requirements and governance processes in a holistic manner that takes cybersecurity and privacy into account, problems will arise.
When considering a firm's governance structure, a holistic approach makes the most sense. Creating an entire program for GDPR, or for any other single regulation, would be like patching a hole in the raft while approaching a pitch. The recommended approach is a program that takes global requirements into account and onboards technology experts at the board level to provide a top-down culture of best-practice technology requirements. Identifying key stakeholders and assigning ownership and accountability are paramount. After all, every trip needs a knowledgeable guide who can articulate commands and train everyone in the raft to work in unity, so that the raft can maneuver safely downstream at a quick pace and with precision.
GDPR Considerations Checklist
- Do you have EU customers?
- Do you have full visibility over personal data loss incidents?
- Can you report a breach within 72 hours of awareness?
- What is required for consent for data processing?
- How do your vendors manage, host and secure data for processing?
- What systems are in place to safely handle the transfer of data across borders?
- How is your Information Security Officer overseeing GDPR compliance?
Source: Aplomb Strategies