It’s been a hot couple of months for regulators and cybersecurity. Back in June, the FFIEC (Federal Financial Institutions Examination Council) introduced a new cybersecurity assessment and recommended guidelines for banks and credit unions. In August, a U.S. appeals court ruled that the FTC (Federal Trade Commission) has the authority to regulate corporate cybersecurity. And just a few weeks ago, Dwolla, a payment platform company, found itself the first ever data security target of the CFPB (Consumer Financial Protection Bureau), and was hit with $100,000 in fines. We review the details of each, and what this means for the future.
FFIEC’s New Cybersecurity Assessment
In light of the numerous recent cybersecurity attacks, this assessment was developed “to help institutions identify their risks and determine their cybersecurity preparedness.” It consists of two main components:
- The Inherent Risk Profile, which is a series of questions about the type, volume and complexity of a financial institution’s operations, as well as the threats that institution faces. This is meant to determine the level of risk that their activities, services and products pose to the institution. The results fall into one of five risk profiles, from least to most inherent risk.
- The Cybersecurity Maturity, which outlines assessment factors and declarative statements for each five maturity levels across five separate cybersecurity domains.
The two sections of the assessment work in tandem, with the institutions’ inherent risk profile leading to guidelines on which maturity level FIs should be at for each of the cybersecurity domains.
This assessment has been the brunt of quite a bit of criticism from both banks and credit unions, because even though it’s been presented as “voluntary,” many FIs are having the opposite experience when examiners come through.
"The agencies have indicated that the use of the assessment is voluntary for banks in Federal Register notices and various meetings," said Jeremy Dalpiaz, assistant vice president of cybersecurity and data security policy for the Independent Community Bankers of America in an interview with BankInfoSecurity. "At the same time, however, the assessment is being used by examiners as part of the examinations process."
It remains unclear whether or not the assessment will become mandatory, but many banking consultants and advisors are telling clients to dedicate time to completing it in 2016, as the increased conversation around it is likely a sign that it will be an expected part of examinations in the near term.
FTC and Corporate Cybersecurity Oversight
In 2012, due to a lack of wide-ranging legislation on data security, the FTC decided to fill the void by filing a lawsuit against Wyndham for three breaches that occurred in 2008 and 2009, exposing credit and debit card details for more than 619,000 customers.
While Wyndham batted the lawsuit in court, claiming that the FTC’s actions were “alarmist” in nature, Circuit Judge Thomas Ambro ultimately upheld a 2014 decision to let the lawsuit move forward.
FTC Chairwoman Edith Ramirez, in response to the August decision, said “It is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information.”
In December, Wyndham settled the lawsuit without having to pay the FTC anything in fines. Rather, it agreed to “establish a comprehensive information security program designed to protect cardholder data - including payment card numbers, names and expiration dates. In addition, the company is required to conduct annual information security audits and maintain safeguards in connections to its franchisees’ servers.”
Wyndham’s obligations under the settlement are in place for 20 years, and many industry experts have considered this a big win for the FTC, cementing their place in regulating corporate cybersecurity.
CFPB Enforcing Data Security
Earlier this month, the CFPB took action against payment platform Dwolla for misleading consumers on the security of their data on the platform. Specifically, the CFPB cited the following law violations: “deceptive acts and practices relating to false representations regarding Respondent’s data-security practices in violation of Sections 1031(a) and 1036(a)(1) of the Consumer Financial Protection Act of 2010 (CFPA), 12 U.S.C. §§ 5531(a), 5536(a)(1).”
This cost Dwolla $100,000 in penalties, along with an order to fix any security weaknesses in their systems, put in place and train employees on comprehensive data security policies, and perform consistent risk assessments and audits.
In a statement from the CFPB, Director Richard Cordray said: “Consumers entrust digital payment companies with significant amounts of sensitive personal information. With data breaches becoming commonplace and more consumers using these online payment systems, the risk to consumers is growing. It is crucial that companies put systems in place to protect this information and accurately inform consumers about their data security practices.”
This is the first foray the CFPB has made into the data security space, which has put the industry on edge. This decision, while certainly outside the core list of issues the agency published back in February, puts the focus back on consumer data security and how organizations with access to it are ensuring its security.
The Dodd-Frank Act states CFPB’s jurisdiction as follows: “The CFPB has authority to regulate any person who engages in offering or providing a ‘consumer financial product or service,’ or any affiliate service provider of such a person.
The act defines “consumer financial products or services” as follows:
- Financial products or services that are “offered or provided for use by consumers primarily for personal, family, or household purposes.”
- Certain financial products or services that are delivered, offered, or provided in connection with a consumer financial product—specifically, those related to extending credit and loan servicing, real estate settlement services, consumer reporting, and debt collection.
With this broad of a reach, many companies have taken special note of the decision. When you stack this up with orders and guidelines from the aforementioned Federal Agencies, it’s clear that the protection and security of consumer data is a priority and should be taken seriously.
Miss last week’s guidance from the Fed on prepaid cards? Check it out below:
