A Briefing on Emerging Issues Impacting Transactional Practice - Special Edition: Cybersecurity Privacy & Data Protection 2016

Posted on 11-08-2016

 

FEDERAL DEPOSIT INSURANCE CORPORATION STAYS FOCUSED ON CYBERSECURITY

THE FDIC UPDATED ITS CYBERSECURITY WEBPAGE TO highlight what it called “a number of important steps to significantly enhance the protection of information held by the agency.”

The FDIC said it has in the past several months:

  • Expanded use of multi-factor authentication for securely downloading assessment invoices and official FDIC correspondence
  • Discontinued individuals’ ability to copy information to removable media such as CDs, DVDs, external hard drives, and thumb drives
  • Signed a memorandum of understanding to migrate to an intrusion prevention, detection, and monitoring system from the Department of Homeland Security that will help detect and block outside cyber threats
  • Implemented new controls to limit printing of sensitive information and better monitor information printed in the highest risk areas
  • Engaged an independent, third-party firm to conduct an end-to-end assessment of the FDIC IT security and privacy programs

The webpage also stresses that information security is “critical to the FDIC’s ability to carry out its mission of maintaining stability and public confidence in the nation’s financial system” and that the FDIC will remain alert and continue to adjust its security controls “in light of the changing threat landscape.” The agency added that it is committed to making the public aware of changes to its cyber program and will provide regular updates. The FDIC’s focus on cybersecurity problems should come as no surprise. FDIC chairman Martin Gruenberg was recently grilled on Capitol Hill about his agency’s handling of major data breaches.

Pratt’s Bank Law & Regulatory Report, Volume 50, No. 9


NEW YORK STEPS UP CYBERSECURITY PROTECTION EFFORTS

THE NEW YORK DEPARTMENT OF FINANCIAL SERVICES IS proposing requirements designed to protect against cyber-attacks, data breaches, and hacks. The proposal requires banks and other financial services institutions to establish cybersecurity programs aimed at protecting consumers and the financial system from economic harm.

According to a department news release, the proposed regulation requires financial institutions to establish cybersecurity programs, adopt written cybersecurity policies, and designate a chief information security officer to oversee enforcement and implement policies and procedures designed to protect confidentiality and integrity of information systems.

Governor Andrew Cuomo announced the regulations saying, “New York, the financial capital of the world, is leading the nation in taking decisive action to protect consumers and our financial system from serious economic harm that is often perpetrated by state-sponsored organizations, global terrorist networks and other criminal enterprises. This Regulation helps guarantee the financial service industry upholds its obligation to protect consumers and ensure that its systems are sufficiently constructed to prevent cyber-attacks to the fullest extent possible.” The new rules are subject to a notice and public comment period prior to finalization.

Lexis Practice Advisor Staff


GOVERNMENT ACCOUNTABILITY OFFICE REPORTS ON “UNREMEDIATED WEAKNESSES” IN INFORMATION SECURITY

ALTHOUGH THE FDIC HAS IMPLEMENTED NUMEROUS information security controls intended to protect its key financial systems, “weaknesses remain that place the confidentiality, integrity, and availability of financial systems and information at risk.” That’s the finding of the U.S. Government Accountability Office in a report—Information Security: FDIC Implemented Controls over Financial Systems, but Further Improvements are Needed. GAO acknowledged that the FDIC took actions in calendar year 2015 to secure its financial information and systems, but it found that the agency “continues to have unremediated weaknesses.” GAO noted that the FDIC “(1) did not have an effective process for recertifying user access rights to several systems supporting the corporation’s financial processing and (2) had not yet applied critical patches to mitigate known vulnerabilities in third-party software on systems supporting financial processing.” GAO added, “While newly-identified weaknesses, along with those previously identified that remain uncorrected, are not individually or collectively a material weakness or a significant deficiency for financial reporting purposes, the corporation will have limited assurance that its sensitive financial information and resources will be secure until these weaknesses have been mitigated . . . . In addition to the nine prior recommendations that have not been fully addressed, GAO is making two recommendations to improve FDIC’s implementation of its information security program.”

GAO also noted, in a separate report with limited distribution, that it is making 10 new recommendations to the FDIC to address newly identified weaknesses in access controls.

Pratt’s Bank Law & Regulatory Report, Volume 50, No. 8


MORTGAGE SERVICERS’ ONGOING TECHNOLOGY FAILURES AND PROCESS BREAKDOWNS TRIGGER RULE VIOLATIONS

A “SPECIAL EDITION SUPERVISION REPORT” RELEASED by the Consumer Financial Protection Bureau (CFPB) found that some mortgage servicers continue to use failed technology that has already harmed consumers, putting the companies in violation of the CFPB’s new servicing rules.

“Mortgage servicers can’t hide behind their bad computer systems or outdated technology. There are no excuses for not following federal rules,” said CFPB director Richard Cordray. In its examinations covering numerous mortgage servicers since the new CFPB rules took effect in January 2014, CFPB examiners have found violations because of deficient technology and process breakdowns. Specifically, examiners have observed problems with loss mitigation and servicing transfers. The rules require servicers to maintain accurate records, give troubled borrowers direct and ongoing access to servicing personnel, promptly credit payments, and correct errors on request. The Bureau said it is also releasing an updated mortgage servicing exam manual to spur industry in its general compliance with CFPB rules. “While the servicing market has made some investments in compliance, those investments have not been sufficient across the marketplace to ensure compliance. CFPB examiners found that outdated and deficient technology poses risks to consumers across a number of mortgage servicers,” the CFPB said.

The CFPB also found that several mortgage servicers lack proper training, testing, and auditing of their computer systems and software platforms and those of their service providers. “As a result of this insufficient investment, mortgage servicing problems continue to plague consumers,” according to the CFPB.

Pratt’s Bank Law & Regulatory Report, Volume 50, No. 8