January 20, 2016
Cyber Security Series Part 1: New Year, New Compliance Challenges

Reprinted from a white paper by: Christina Rea, Esq., Deputy Chief SME/Compliance – Regulatory


In the years since the recession, the heat has been on the financial industry to develop compliance regimes that protect consumers instead of circumventing regulations. Everyone is more than familiar with the news stories of fraud and crime: stolen consumer identities, banks failing to have sufficient regulations to investigate financial crimes, and Ponzi schemes. Less familiar are stories of a more nefarious type of financial crime: cyber crimes.

Pinpointing and reforming regulations with regard to cyber crimes and cyber fraud are challenging feats, not least because of the lack of black letter rules and regulations regarding criminal activity in the virtual world. One of the biggest problems with regulating cyber crime is the speed at which it evolves. As fast as controls can be put in place to block criminals (and often long before), new ways of circumventing these controls are being developed. Staying on top of virtual crime mandates new ways of problem solving, new regulations that target cyber security as a whole and how it ties into compliance, and constant diligence to stay one step ahead of criminals.

New York State—the Trailblazer

Regulators and key officials are fast recognizing the multitude of challenges with regard to cyber security and how to regulate it. In early November 2015, the New York State Department of Financial Services (NYSDFS) issued cyber security guidelines (PDF, 237KB) that will likely become the blueprint for both state and federal financial regulators.

After years of surveying the financial industry, the NYSDFS identified the following key issues:

  • Speed of technological change and increasingly sophisticated nature of cyber threats
  • Third party service provider access to sensitive data and an institution’s information technology systems (creating an entry point for hackers if the SP has weak controls in place)
  • The sheer number of cyber security breaches illustrates the need for global attention, in every industry, at every level

The NYSDFS is proposing to implement the following regulations to address identified issues:

  • Policies & procedures addressing the following areas:
    • Information Security
    • Data Governance & Classification
    • Access Controls & Identity Management
    • Capacity & Performance Planning
    • Customer Data Privacy
    • Systems & Network Security
    • Vendor & Third-Party Service Provider Management (with provisions requiring the following):
      • Use of multi-factor authentication to limit access to sensitive data and systems
      • Use of encryption to protect sensitive data
      • Notice to be provided in the event of a cyber security incident
      • Ability of the entity to perform cyber security audits of third party vendors
  • The appointment of a Chief Information Security Officer
  • A program mandating that policies, procedures and standards are in place to ensure the security of all entity applications
  • The employment of adequate personnel to manage cyber security risks and perform the core cyber security functions of identify, protect, detect, respond and recover
  • Cyber security audits, including annual penetration testing and quarterly vulnerability assessments
  • Department wide notice of cyber security incidents

Cyber Security: A 2016 Regulator Priority

In addition to New York State, federal agencies like OFAC, FINRA and the SEC are issuing guidance with regard to cyber security.

In late December 2015, OFAC issued regulations implementing Executive Order 13694, “Blocking the Property of Certain Persons Engaged in Significant Malicious Cyber-Related Activities” (PDF, 207KB). Effective as of December 31, these regulations are considered to be the abbreviated version and will be supplemented with more in-depth details at a later date. According to Executive Order 13694, property and interests may be blocked for anyone found to have engaged in, directly or indirectly, cyber-enabled activities that harm or compromise systems or services in critical infrastructure sectors, or cause misappropriation of funds or economic resources, within the United States.

A January 5, 2016 letter issued by FINRA (PDF, 122KB) states that one of its 2016 regulatory priorities is cyber security preparedness and firms’ ability to protect the confidentiality of customer information. Examinations will cover governance, risk assessment, technical controls, incident response, vendor management, data loss prevention, training, and ability to protect sensitive information while maintaining integrity. This falls in line with its 2015 Report on Cyber Security Practices (PDF, 615KB), which provides further guidance on what measures firms should take to bulk up cyber security compliance initiatives.

In September 2015, the SEC also issued a Cyber Security Examination Initiative (PDF, 182KB) similar to FINRA, with emphasis on financial firms’ ability to ensure the integrity of the market system and protect sensitive customer data. Like FINRA, the SEC will focus on data loss prevention, governance, vendor management, incident response and resource training.

Conclusion: Cyber Security & Financial Crimes Compliance

So what is the end result of all these new cyber security measures? In addition to preventing the leakage of confidential data and the compromise of critical systems, proper cyber security measures can help to prevent virtual financial crimes like money laundering, market manipulation, and even terrorism.

Hacking into a financial institution’s accounts can lead to schemes such as “pump and dump,” whereby cyber criminals can buy equities and cause the hacked accounts to purchase the shares before selling them for profit. Cyber security breaches can also be indicative of other criminal activity within the bank and should be analyzed with regard to potentially suspicious activity in other departments within an institution, like AML. In addition, the technological developments of terrorists are rapidly growing. One such example is Kybernetiq, an ISIS-driven magazine that instructs its members on how to commit “cyber war.”

Now that regulators are beginning to make cyber security a top priority, financial institutions should start incorporating these regulations into current compliance. Policies and procedures need to be updated, audits need to be conducted, and compliance and IT departments must start working in tandem to ensure that every available measure is being taken to prevent financial crimes and terrorist financing.