More State Cybersecurity Regulation Ahead for Financial Services Industry?

Developments in 2017, including the highly publicized Equifax data breach and adoption of cybersecurity requirements for insurance companies, banks and other financial institutions by New York’s Department of Financial Services, have the financial services industry bracing for more state cybersecurity laws and regulations this year. Such action could impose significant new costs on an industry that already spends more than any other dealing with cyberattacks.


After Equifax broke the news of its massive data breach last September, SNCJ reported that the incident might “lead to a state regulatory crackdown on credit reporting agencies, which aren’t currently subject to some of the requirements imposed on other businesses that manage sensitive consumer data, and possibly to tighter state controls on that larger universe of businesses as well.”


One reason for that suspicion was that shortly after the Equifax breach was made public, New York Gov. Andrew Cuomo (D) directed his state’s Department of Financial Services (DFS) to draft new rules requiring credit reporting agencies to register with the state each year and giving the superintendent of the DFS the power to deny or revoke a credit bureau’s authorization to operate in the state.


“A person’s credit history affects virtually every part of their lives and we will not sit idly by while New Yorkers remain unprotected from cyberattacks due to lax security,” Cuomo said, according to a DFS press release. “Oversight of credit reporting agencies will help ensure that personal information is less vulnerable to cyberattacks and other nefarious acts in this rapidly changing digital world. The Equifax breach was a wakeup call, and with this action, New York is raising the bar for consumer protections that we hope will be replicated across the nation.”


Five states also introduced or prefiled legislation within a few weeks of the Equifax breach that appeared to have been motivated by the incident. The measures include New York SB 6879, which would require credit reporting agencies to automatically place a freeze on consumer credit files affected by a breach, and SB 6880, which would require any business that uses computerized data including private information to disclose breaches of its system within 15 days of discovering them unless directed otherwise by law enforcement, as well as measures providing for free credit freezes in Illinois (HB 4095 and SB 2230) and Michigan (HB 5055).


The number of introduced bills dealing with credit reporting agencies and data breaches now stands at 22, according to LexisNexis State Net’s legislative information system. Five of those bills, all dealing with security freezes and fees associated with them, have been passed by their chamber of origin.


But even before the Equifax incident there were indications that state cybersecurity legislation and regulations might be on the way for the financial services industry. Congress and the Trump administration began working on rolling back Obama-era financial regulations - including Federal Communications Commission rules dealing with internet privacy and, more recently, “net neutrality” - almost as soon as the president took office last year. But less than a month after the inauguration, New York’s DFS issued first-of-their-kind rules requiring insurance companies, banks and other financial institutions to establish cybersecurity programs and report data breaches within 72 hours of their detection, among other things. And in October the National Association of Insurance Commissioners, a standard-setting organization made up of the chief insurance regulators from every state, adopted an Insurance Data Security Model Law based on the New York DFS regulation.


The NAIC’s model law came in response to increasing interest in cybersecurity from state policymakers and regulators as a result of incidents like the Equifax breach, according to John Salmon and Robert M. Fettman, partner and counsel, respectively, at the law firm of Hogan Lovells.


“Thus it would not be surprising to see states look to adopt a version of the NAIC model law, [New York’s] cybersecurity regulations, or other similar cybersecurity requirements in the coming year,” the two attorneys told Law360 in joint emailed remarks, although they also noted that at least three states opposed the adoption of the model law.


Lawmakers in only two states, Rhode Island and South Carolina, have introduced an “Insurance Data Security Act” specifically - HB 7789 and SB 2497 in the former state and HB 4655 and SB 856 in the latter - according to LexisNexis State Net’s legislation database. But bills referring to “insurers” and either “data security” or “cybersecurity” have been introduced in 13 other states: Alabama, Georgia, Illinois, Kansas, Kentucky, Maryland, New Mexico, New York, Oregon, Utah, Virginia, Washington and West Virginia. Several of those bills have been passed by their originating chamber, including the “Insurance Data Security Act” in South Carolina’s House.


Legislation dealing with cybersecurity in general has been introduced in 30 states so far this year. Fourteen of the over 200 total proposed bills and resolutions have already been enacted or adopted. And those numbers have been on the rise. There were more than 240 introductions and 24 enactments or adoptions in 42 states in 2017 and 104 introductions and 24 enactments or adoptions in 28 states in 2016, according to analysis of LexisNexis State Net legislative data by the National Conference of State Legislatures.


The wave of cybersecurity regulation could impose significant new costs on the financial services industry. As Law360 pointed out, the New York DFS rules mandate that companies’ cybersecurity programs be overseen by and compliance with the DFS rules be certified each year by senior company officers, potentially exposing them to liability claims in the event of a data breach.


The DFS rules also make financial services companies largely responsible for the cybersecurity standards of their vendors and third-party service providers, ensuring, among other things, that they encrypt sensitive data and utilize multi-factor authentication to confirm the identity of users, raising liability questions as well.


“Because cybersecurity is an interlocking system, one issue that is going to come up is, whose problem is it if there is a data breach and resulting litigation? Would it be the financial institution’s, or the vendor’s, and whose insurance is responsive?” asked Wiley Rein LLP Privacy Practice Chair Kirk Nahra, according to Law360.


Attorneys say those sorts of legal exposures make it “more important than ever for financial services companies and their vendors to have in place a robust set of insurance policies guarding against cyber-related risks,” according to the same Law360 report.


The cost of that coverage or of potential litigation would come on top of what financial services companies already spend dealing with cyberattacks. According to a study by Accenture and the Ponemon Institute, cybercrime cost the global financial services industry an average of $18.28 million per firm in 2017, significantly more than the $11.7 million per-firm average across all 15 industries included in the study. That isn’t too surprising given the nature of the data stored on the computer systems of financial services companies.


But the study also found that financial services companies were less vulnerable than companies in other industries to the more common types of cyberattacks, like the WannaCry malware attack that hit over 100,000 organizations in 150 countries last year.


“Banks and other financial services firms have implemented advanced solutions for malware, reducing the susceptibility to such attacks,” Chris Thompson, Global Security and Resilience Lead for Accenture, told the Insurance Journal.


Thompson also said, “While the cost of cybercrime for financial services companies continues to rise, our research found that these companies have considerably more balanced and appropriate spending levels on key security technologies to combat sophisticated attacks than do those in other industries.”


Still, the study also found that the average number of data breaches per company in the financial services industry more than tripled, from 40 to 125, between 2012 and 2017, while the per-company average for all industries nearly doubled to 130. And while those increases may be due in part to data breaches just being reported more, the fact remains that cyberattacks are on the rise. And so too, it seems, is state cybersecurity regulation.