The year 2021 saw a prioritized shift in the reinforcement of cybersecurity regulations. The Biden Administration, following the SolarWinds and the Colonial Pipeline cyberattacks, implemented new cybersecurity policies on regulated industries. The Federal Trade Commission (FTC), the Office of the Comptroller of the Currency (OCC), the Board of Governors of the Federal Reserve System (FRB), and the Federal Deposit Insurance (FDIC) took the final call on cybersecurity regulations and ordinances for the financial services sector. The following are the changes that were implemented:
- The FTC amended the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule. FTC-regulated financial institutions will now be required to develop and implement thorough cybersecurity policies and inculcate a comprehensive information security program.
- Furthermore, the OCC, FRB, and FDIC have put forth directives concerning regulated banking organizations and bank service providers. They will now be required to notify federal regulators and customers respectively of a “computer-security incident”. While the former will be given 36 hours to notify, the latter is required to do it as soon as possible.
- The FTC has called for a notification requirement over cybersecurity incidents.
- Moreover, the U.S. Securities and Exchange Commission (SEC) has also promulgated rules to enforce actions against a financial services company if it fails to disclose controls concerning cybersecurity risks.
- The New York Department of Financial Services (NYDFS) has followed suit in implementing enforcement actions against companies that provide financial services in case they fail to comply with its Cybersecurity Regulations.
It is believed that other financial services organizations and agencies will also follow in the government’s steps in mitigating cybersecurity attacks through regulations and ordinances. This will have a grand positive impact on the financial services industry in many ways.
- One will see the development and implementation of cybersecurity programs and an enhancement in cybersecurity standards within financial services companies. The GLBA will ensure that companies have established rules concerning their administrative, technical and physical safeguards.
- As a consequence, companies will employ designated personnel to overlook the security program, provide written risk assessments, perform risk assessments periodically, and review access controls to customer information.
- All customer information will be encrypted, multi-factor authentication will be implemented, user activities will be logged and employees will be trained in security awareness.
- Only qualified information security personnel will be employed, written incident response plans will be written and provided to a board of directors.
- This will be followed by a compulsory creation of a cybersecurity reporting system to ensure a quick response to notify regulators. Companies expect notifications to go out within hours of discovering an incident.
- One will also observe a widespread culture of professionals who will be compliant regarding cybersecurity matters. This will enable companies to stay prepared for potential enforcement investigations by financial regulators.
- Regulated financial institutions will have a short window to implement the cybersecurity requirements post-December 2022.
Not just the government, but several financial service organizations keep on establishing protocols for defense against cyberattacks. 2022 will see exponential growth in the rate of cyberattacks and the consequent security and enforcement actions. Implementation of comprehensive cybersecurity programs, internal controls for immediate disclosures of breaches and a culture of compliance towards cybersecurity protocols is the need of the hour.