Cybersecurity has been growing in importance for more than a decade and regulators are introducing new cybersecurity regulation aimed at protecting customer data across the globe. Possibly the most prescriptive cyber regulation came in 2017 from New York's Department of Financial Services (DFS), which applies to banks, insurance companies, and other financial institutions regulated by the DFS. Other regulators are taking notice, which suggests it may be prudent for financial firms to consider whether their own policies stack up to DFS’s new requirements.
Meanwhile, the systemically important global financial messaging network, SWIFT, issued security standards of its own following a cyber related incident. And the US Securities and Exchange Commission (SEC) and Financial Industry Regulatory Authority (FINRA) both issued observations from their recent cyber examinations, which can be used by asset managers and brokers as guidelines for assessing their own programs.
Not to be outdone, in 2018 the European Union is implementing the General Data Protection Regulation (GDPR), which applies to any EU firm and certain non-EU firms that process or transmit personal information of EU clients. The EU also plans to implement the Directive on Security of Network and Information Systems (NIS Directive), raising the bar for cybersecurity across multiple industries, including banking and financial market infrastructures.
Regular review of the cyber-regulatory climate may help avoid potential problems. Here are five themes asset managers and financial institutions should have on their radar:
Given the volume of client data that exists in modern financial services companies, most, if not all, have some form of cyber-risk management program in place. However, firms should consider upgrading policies and procedures to meet the heightened regulatory requirements, even if they are not directly affected by new regulations. DFS, for example, requires firms to carry out a cyber-risk assessment, appoint a chief information security officer, and make sure that all departments, senior management, and the board of directors are aware of the overall cybersecurity program and their role in it. It also requires firms to carry out penetration tests and vulnerability assessments. Many firms even hire third parties to attempt to hack their systems in order to test their vulnerability. The SEC requires the firms it regulates to put a comprehensive program in place that addresses several major areas of concern, from incident response to recovery and governance.
Cyber Incident Response
Global regulators are placing increasing importance on ensuring firms deal with and report on cyber incidents swiftly and clearly. While financial firms have historically dealt with breaches on their own schedule, new regulations change this. For example, both the GDPR and the DFS require cybersecurity-related issues to be reported within 72 hours of detection. In Europe, upon the implementation of the NIS Directive, a breach in one country will be reported to a designated single point of contact for each EU member state to help stop a hack from spreading from one country to another. Depending on the applicable regulation, firms may only need to alert regulators to hacks that meet certain criteria, such as having a reasonable likelihood of harming a material part of normal operations.
Regardless of which regulator a firm answers to, all firms are subject to reputational damage as a result of a breach, prompting many to document and test their cyber incident response program to ensure quick resolution.
Third-party delegates and vendors are another major focus of cybersecurity regulations. In 2013, hackers gained access to a major retail chain’s credit card processing system by first getting into a less secure vendor's computer system. Now, regulators require financial institutions to perform due diligence on all third-party vendors that have access to their data or systems. This often entails a questionnaire that details the vendor's security controls, access restrictions, and internal safeguards. Financial institutions need to know what data a third party holds, and obtain a degree of certainty that vendors have cybersecurity controls in place to protect that data. If a firm deems a vendor’s responses to cyber-related questions inadequate, it may wish to reevaluate the relationship.
Financial institutions are also implementing their own stricter access limitations, moving toward the objective of least-privilege access. Most firms perform at least annual attestations in which management reviews the appropriateness of employee access. Firms are also implementing multi-factor authentication, using either a soft or hard token in addition to usernames and passwords.
Finally, regulators are demanding that all data be encrypted, so that if a breach does take place, data is less likely to be compromised. This applies to customer emails as well as data stored on servers. Ensuring encryption of data in transit, in use, and at rest is a major undertaking for many firms.
Right of Erasure
There is growing conflict between strict EU rules granting customers the right to have data deleted and financial firms' legal requirements to maintain data for many years. We can expect a call for more global consistency in the type of client data firms maintain. If a client relationship is terminated, the service provider must have legal justification for retaining that client's personal information. GDPR requires every organization subject to the regulation to know exactly what data it holds and where it is stored.
Big Data is Precious Cargo
There is no question that data is a target for nefarious forces wishing to profit from stealing or exploiting it. Global regulators are setting strict parameters to ensure financial institutions recognize the real and present danger and adopt appropriate protocols to safeguard investors and other clients.
Digital data transfers underpin the global asset management industry at an ever-increasing pace and volume. Regulators will continue to focus on policing cyberspace as much as any activities conducted within office walls, in turn making it a top priority for all firms in 2018 and beyond.
This article was originally published in the 2018 Regulatory Field Guide. The guide features insights from a number of our experts on key regulatory developments that will have the greatest impact for asset managers in the year ahead – and beyond. Visit bbh.com/regulatoryfieldguide to explore the guide.
This publication is provided by Brown Brothers Harriman & Co. and its subsidiaries (“BBH”) to recipients, who are classified as Professional Clients or Eligible Counterparties if in the European Economic Area (“EEA”), solely for informational purposes. This does not constitute legal, tax or investment advice and is not intended as an offer to sell or a solicitation to buy securities or investment products. Any reference to tax matters is not intended to be used, and may not be used, for purposes of avoiding penalties under the U.S. Internal Revenue Code or for promotion, marketing or recommendation to third parties. This information has been obtained from sources believed to be reliable that are available upon request. This material does not comprise an offer of services. Any opinions expressed are subject to change without notice. Unauthorized use or distribution without the prior written permission of BBH is prohibited. This publication is approved for distribution in member states of the EEA by Brown Brothers Harriman Investor Services Limited, authorized and regulated by the Financial Conduct Authority. BBH is a service mark of Brown Brothers Harriman & Co., registered in the United States and other countries. © Brown Brothers Harriman & Co. 2018. All rights reserved. 1/2018 IS-03631-2018-01-26 Expires 1/26/2020