Why the Regulatory Focus on Cybersecurity?
Two separate, but related, forces are causing financial regulators to up the ante on cybersecurity.
First, and most long-standing, is a concern with consumer protection. For many years U.S. laws at both the federal and state levels have addressed the need to protect information about individuals. These complex and non-uniform laws, at their most basic, may require reasonable procedures to prevent unauthorized access to, or use of, personal information. They may also require that notice of a breach be given, often within a short time frame, to multiple stakeholders (including, in some cases, state agencies and enforcement authorities) and that steps be taken to provide credit protection to affected individuals. If you are not already familiar with these laws, you are likely to be in breach of them. Similar, and in some cases more onerous, laws can be found in other jurisdictions, including the Cayman Islands, the UK and the EU. Expect these types of laws to grow more arduous as consumers react to renewed incidents of lost data. Importantly, many of these laws apply based on the residence of the individuals whose information you hold, not the location of your business activities, your offices or your jurisdiction of charter, so a firm with no physical presence in a state or country may still be subject to its breach-notification rules.
The second factor triggering a heightened interest in cybersecurity is the recognition that a large cyber-attack could damage the fabric of our economic system. Concern with this type of "systemic risk" is an evolving area, and U.S. regulators do not have a magic bullet that will make it go away. The SEC, for example, is likely to simply say, "do the right thing for your business." What is the right thing? At the very least, doing the right thing today is likely to include base-lining your business against the NIST Cybersecurity Framework and developing, and periodically testing, a cyber-incident response plan.
Expect future requirements to include a mandate to disclose cyber-incidents more broadly than is currently the case. Also expect cybersecurity to remain a focus of regulators. The FSOC will continue to instruct all financial services regulators to make cybersecurity a top priority. As noted in its annual report: “The Council recommends that government agencies enhance information sharing between the public and private sectors …. Financial regulators should continue to … update their examination policies … in light of the evolving threat environment.” – FSOC Annual Report, page 15.