Gibson Dunn discusses Cybersecurity Regulation in the Financial Sector

In response to a string of publicly disclosed cyberattacks against financial institutions in recent months, New York and federal regulators are pushing the financial sector to better protect itself and, notably, are seeking additional information about banks’ cybersecurity efforts.  Benjamin Lawsky, the Superintendent of the New York State Department of Financial Services (“DFS”) has been at the forefront of this increased regulatory focus.

New York State

On October 21, 2014, Superintendent Lawsky reportedly sent a letter to dozens of banks that not only urges them to address the cybersecurity of their third-party service providers but also requests detailed information about their cybersecurity practices.  Noting that “a firm’s level of cybersecurity is only as good as the cybersecurity of its vendors,” Superintendent  Lawsky’s letter asks banks to disclose “any policies and procedures governing relationships with third-party service providers,” including an outline of methods for safeguarding data that is sent to or received from third-party vendors.[1]  The letter also asks banks to provide “any due diligence processes used to evaluate” the adequacy of security procedures of third-party providers and any protections, such as insurance, in place to guard against potential losses incurred from the security failure of a third-party.[2]  The banks have been asked to provide this information by November 4, 2014.

Superintendent Lawsky’s latest request for information builds on a series of requests and actions taken by DFS in recent years concerning cybersecurity.  These requests have allowed DFS to acquire detailed information about the cybersecurity practices of banks.  For instance, last year, DFS asked more than 150 banking institutions about their cybersecurity programs, including corporate governance practices, frequency and response to cybersecurity breaches, budget and costs associated with cybersecurity and future plans on cybersecurity.[3]  This information was used to produce a comprehensive report published in May 2014 on cybersecurity practices and incidents in the banking sector.  The information collection and resulting report was designed in part to facilitate information sharing between banks and to enable benchmarking that might not otherwise occur in a competitive marketplace.[4]

The approach taken by DFS regarding cybersecurity in the financial sector likely will not be limited to information collection and the publication of reports.  In an indication of the seriousness in which DFS is viewing the issue, last month, Superintendent Lawsky highlighted his belief that cyberterrorism is “the most significant issue DFS will work on in the next year,” commenting that the possibility of an organized attack on the financial system is the one thing that keeps him awake at night.[5] Superintendent Lawsky’s recent letter to the banks describes one potential future requirement, that “regulated financial institutions obtain representations and warranties from their third-party service providers” regarding those vendors’ cybersecurity standards and policies.[6]

The Federal Government

The federal government is also increasingly focusing on the risk of cyberattacks in the financial sector.  Over the last several years, Thomas J. Curry, Comptroller of the Currency and current Chair of the Federal Financial Institutions Examination Council (“FFIEC”), has repeatedly emphasized the importance of addressing the risks posed by cyberattacks on U.S. banks, explaining that such emerging threats “have the potential to be as destructive of the financial system as the excesses of the mortgage and securitization markets.”[7] Curry has stated on multiple occasions that cybersecurity is one of the top priorities of the Office of the Comptroller of the Currency and FFIEC.[8]  And, the FFIEC issued an advisory letter this spring, which included joint statements by the FFIEC’s members[9] regarding (i) cyber-attacks on financial institutions’ ATM and card authorization systems and (ii) distributed denial-of-service (“DDoS”) cyber-attacks, risk mitigation, and additional resources.[10]  The purpose of the advisory letter and joint statements is to notify the financial institutions regulated by the FFIEC members of risks associated with cyberattacks.

Members of the Board of Governors of the Federal Reserve System have also emphasized the risk from cyberattacks in recent months.  In testimony before the Senate Banking Committee, Governor Daniel K. Tarullo discussed the Federal Reserve’s expectations regarding information security, noting that cyberattacks on financial institutions “pose significant risks to the economy and to national security more broadly.”[11]  Cybersecurity continues to be a focus of both the federal banking regulators and Congress, as evidenced by questions at a recent Senate Banking Committee hearing on the implementation of the Dodd-Frank Act.[12]

Similarly, the Securities and Exchange Commission (“SEC”) has been focused on cybersecurity, particularly as it relates to public company disclosures and financial sector practices.  The SEC published interpretive guidance in 2011 regarding disclosure obligations relating to cybersecurity risks and cyber incidents.[13]  And, more recently, the SEC hosted a roundtable discussion in the spring of 2014 to discuss the challenges raised by cybersecurity.  As a result of that discussion, the SEC announced plans to review the defenses of 50 broker-dealers and investment advisors to assess their preparedness for cyber threats as well as their relationships with vendors.[14]

Almost simultaneously, the Federal Trade Commission (“FTC”) and the Department of Justice issued a policy statement on the importance of sharing cybersecurity information.  FTC Chairwomen Ramirez acknowledged the “serious threat posed by cyberattacks,” and “ma[de] it clear that antitrust laws do not stand in the way of legitimate sharing of cybersecurity threat information.”[15]  Similarly, Deputy Attorney General James Cole highlighted that policies “should encourage [private parties] to share cybersecurity information.”[16]  This summer, Treasury Secretary Jacob Lew emphasized the importance of cybersecurity to the global financial system and noted that his deputy would be working with federal and state agencies to address cyber threats to the financial system.[17]

Conclusion

While New York state and federal regulators have produced limited regulatory guidance on cybersecurity practices thus far, it is clear that they are increasing their focus on the topic and are building momentum with their growing knowledge of the cybersecurity landscape in the financial sector.  Financial institutions should expect more examinations and supervisory scrutiny in this fast-paced and ever-changing area.  With that increased regulatory attention, there is also the prospect of increased investigations and enforcement activity.  We will continue to monitor developments at both the state and federal levels.

 

[1]   Letter from Benjamin Lawsky, Superintendent of the N.Y State Dep’t of Fin. Serv., to N.Y. Banks on Cybersecurity (October 21, 2014).

[2]   Id.

[3]   N.Y. State Dept. of Financial Services, Report on Cyber Security in the Banking Sector, 1 (May 2014), available at http://www.dfs.ny.gov/about/press2014/pr140505_cyber_security.pdf.1.

[4]   Cyber Security: Defending New York from Cyber Attacks: Public Hearing Before N.Y. State Senate (November 18, 2013) (Testimony of Benjamin Lawsky, Superintendent of the N.Y. State Dep’t of Fin. Serv.), video available at http://www.youtube.com/watch?feature=player_embedded&v=21IhSWt1V0w.

[5]   Remarks by Benjamin Lawsky, Superintendent of the N.Y. State Dep’t of Fin. Serv., at the Museum of Jewish Heritage in Manhattan, N.Y. (September 22, 2014).

[6]   Letter from Benjamin Lawsky, supra note 1.

[7]   Remarks by Thomas J. Curry, Comptroller of the Currency, before the Exchequer Club, 1 (September 18, 2013), available at http://www.occ.gov/news-issuances/speeches/2013/pub-speech-2013-138.pdf.

[8]   Remarks by Thomas J. Curry, Comptroller of the Currency, before RMA’s Governance, Compliance, and Operational Risk Conference (May 8, 2014), available at http://www.occ.gov/news-issuances/speeches/2014/pub-speech-2014-69a.pdf (“Helping to make banks less vulnerable and more resilient to cyber-attacks has been one of my top priorities as Comptroller and as current chairman of the FFIEC.”); Remarks by Thomas J. Curry, Comptroller of the Currency, before a Meeting of CES Government (April 16, 2014), available at http://www.occ.gov/news-issuances/speeches/2014/pub-speech-2014-59.pdf  (“… I am spending more and more of my time on IT issues in general and cybersecurity in particular. In fact, there are few issues more important to me–and to the Office of the Comptroller of the Currency–than shoring up the industry’s defenses against cyberattacks.”); and Testimony of Thomas J. Curry, Comptroller of the Currency before the Committee on Banking, Housing, and Urban Affairs, U.S. Senate (February 6, 2014), available at http://www.banking.senate.gov/public/index.cfm?FuseAction=Files.View&FileStore_id=6bcb40e5-b5f0-42f4-ad83-bd1a317ef450 (“There are few issues more important to me or to the OCC than the emerging risks posed by the increasing sophistication of cyber attacks.”).

[9]   The voting members of the FFEIC include a Governor of the Board of Governors of the Federal Reserve System, the Chairman of the Federal Deposit Insurance Corporation, the Chairman of the National Credit Union Administration, the Comptroller of the Currency, the Director of the Consumer Financial Protection Bureau, and the Chairman of the State Liaison Committee.  See Members of the FFIEC, available at https://www.ffiec.gov/members.htm.

[10]   FFIEC Advisory Letter, “Financial Regulators Release Statements on Cyber-Attacks on Automated Teller Machine and Card Authorization Systems and Distributed Denial of Service Attacks,” (April 2, 2014), available at http://www.ffiec.gov/press/pr040214.htm.

[11]   Testimony of Daniel K. Tarullo, Federal Reserve Board, before the Committee on Banking, Housing, and Urban Affairs, U.S. Senate (February 6, 2014), available at http://www.federalreserve.gov/newsevents/testimony/tarullo20140206a.htm.

[12]   “Wall Street Reform: Assessing and Enhancing the Financial Regulatory System,” Committee on Banking, Housing, and Urban Affairs, U.S. Senate (September 9, 2014), webcast available at http://www.banking.senate.gov/public/index.cfm?FuseAction=Hearings.LiveStream&Hearing_id=b15fc832-df18-47d7-8c7d-1367e5770086 (Senators Reed and Manchin posed questions regarding cybersecurity at financial institutions).

[13]   SEC, CF Disclosure Guidance: Topic No. 2 – Cybersecurity (Oct. 13, 2011), available at http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm.

[14]   OCIE Cybersecurity Initiative, National Exam Program Risk Alert (Apr. 15, 2014), available at http://www.gibsondunn.com/publications/Pages/SEC-Assesses-Cybersecurity-Preparedness-in-the-Securities-Industry-in-Wake-of-Cybersecurity-Roundtable.aspx.

[15]   “FTC, DOJ Issue Antitrust Policy Statement on Sharing Cybersecurity Information,” Press Release (Apr. 10, 2014), available at http://www.ftc.gov/news-events/press-releases/2014/04/ftc-doj-issue-antitrust-policy-statement-sharing-cybersecurity.

[16]   Remarks as Prepared for Delivery by Deputy Attorney General James M. Cole at the Pen and Pad Briefing on the Justice Department and Federal Trade Commission Joint Antitrust Policy Statement on Sharing of Cybersecurity Information (Apr. 10, 2014), available at http://www.justice.gov/opa/speech/remarks-prepared-delivery-deputy-attorney-general-james-m-cole-pen-and-pad-briefing.

[17]   Remarks of Secretary Jacob J. Lew at the 2014 Delivering Alpha Conference Hosted by CNBC and Institutional Investor (July 16, 2014), available at http://www.treasury.gov/press-center/press-releases/Pages/jl2570.aspx. 

The full and original memorandum was published by Gibson, Dunn & Crutcher LLP on October 27, 2014, and is available here.