If you run a financial services firm, you’ve seen many new cybersecurity rules issued in recent years — but are you ready for regulators to get serious about enforcing them? In this post, we hear from three experts who say the crackdown has begun. And smaller firms won’t be spared.
We asked the experts to identify key regulatory and cybercrime trends affecting small to medium-sized financial services firms (and just about any other type of SMB that collects, processes, and/or stores customers’ sensitive financial data).
(Note: In future posts, we’ll dig more into details and tactics that we discussed with these cybersecurity pros.)
Attorney Robert (Bob) Cattanach
Bob Cattanach, a Minneapolis-based partner at the law firm Dorsey & Whitney,
specializes in cybersecurity regulatory compliance and litigation.
Trend 1: State regulators will increasingly crack down on companies that don’t protect customer data
Landmark state laws and regulations on both coasts are changing the cybersecurity landscape nationwide, says Bob, and Minnesota probably soon will follow along. Two examples:
- The New York Department of Financial Services’ sweeping set of cybersecurity policies and procedures became effective March 1, 2017, with a final compliance date of March 1, 2019.
Bob points out that many of the New York DFS changes pertain to smaller financial services providers. And more importantly, they set the tone for more aggressive enforcement by other state regulators.
- California’s Consumer Privacy Act of 2018, touted as the nation’s toughest data privacy law, takes effect in 2020. The CCPA gives consumers far more control over the use of their private data, and it also dictates sweeping changes that mandate comprehensive data access and data security policies and procedures, Bob says.
The CCPA may even directly affect small to medium Minnesota financial services providers, if they handle data of California residents.
(Here’s a good summary to help you see whether your business might be affected. Read more in-depth background on CCPA written by Bob and his colleagues on the Dorsey & Whitney website here and here.)
“Even if your firm isn’t immediately affected by CCPA, if past is prologue, Minnesota firms are likely to see new regulations within the next couple of years that mirror the CCPA at least to some degree,” Bob says.
Trend 2: Exposure to class action lawsuits for data breaches will increase considerably
The new California law will also be a major game-changer for class action lawyers. For the first time, the CCPA makes it easy to file class action lawsuits on behalf of the people whose data was exposed in a breach, Bob says.
This new exposure makes trend #3 even more important.
Trend 3: Cyber-loss insurance is becoming more critical
Insurance coverage for cyberattack losses — including class action lawsuit damages — is available to small to mid-sized financial services firms.
Many of these products are still relatively new, however. Bob urges firms to check with a broker or attorney who has specific experience with this type of coverage.
One caveat: Be careful when filling out cyber insurance applications. You’ll be asked about certain data protections and policies you currently have in place. That information will be verified should you suffer a loss, and if your answers prove incorrect, your policy may be void.
Takeaways from Bob
Get off the sidelines.
Financial industry regulators and media have been warning financial services providers that cybersecurity will be a priority in 2019 and going forward. For example, see:
- The SEC’s 2018 investigative report on cyber threats
- FINRA’s 2019 Risk Monitoring and Examination Priorities Letter (and an analysis by Smarsh attorney Marianna Shafir)
- Summary of evolving cybersecurity risks from AICPA’s Journal of Accountancy
- Regulatory crackdown summary from Investment News
The deluge of warnings, however, can easily become so much noise for a busy financial services executive.
And at a smaller firm, Bob points out, these cybersecurity materials often aren’t anyone’s top priority. But that needs to change now, even if you need to delegate cybersecurity compliance to a third party.
Conduct a simple cybersecurity self-assessment.
Bob recommends following these preliminary steps to create the bones of a cybersecurity plan:
- Identify all of the personal and financial information you gather.
- Determine whether it’s absolutely necessary for you to collect that information.
- Map how this data flows through your IT infrastructure.
- Identify who is responsible for the data security at each point in its journey.
CPA Firm IT Manager Dave Jones
Dave Jones has been the IT Manager for the accounting firm Pearce, Bevill, Leesburg, Moore, P.C.
in Birmingham, Alabama, with 20 years of experience in financial services technology.
Trend 4: Vendor management documentation will increase
As more lawyers and insurance companies become involved in cybersecurity, one thing is sure to follow: more documentation. Expect client companies to request more documentation, such as cybersecurity checklists and letters that overview how your firm will handle and protect their data, Dave says.
And in turn, regulators will probably increase the documentation you must secure from any third parties your firm uses that touch client data in any way.
“When you’re a financial services provider, often your clients’ data may run through a variety of shops — some may be very small and vulnerable,” Dave says.
Trend 5: Mid-size firms will lean more on outsourced IT firms for cybersecurity
In addition to running Pearce Bevill’s IT operation, Dave occasionally works with client companies on cybersecurity. He says firms with about 30 to 100 workstations are the most difficult to protect against cybercrime.
“They’re too small for dedicated IT staff, but they’re so big that it’s difficult to train everyone. And the threats are increasing, so they need to have someone monitoring network activity at all times,” Dave says. “More and more, they’re relying on outside vendors.”
Trend 6: Expect more “business email compromise” attacks
Dave sees a trend in business email compromise (BEC) attacks that begin with innocuous emails that don’t include the telltale phishing links or attachments. “I’m new in town and I need an accountant to do my taxes…” That sort of thing. The scammer is starting a conversation.
Only after establishing a rapport does the scammer offer up a link or attachment that unleashes malware. Other BEC attacks focus on getting employees to wire money to a fraudulent account.
We’ll cover more about identifying and defeating BEC attacks in future posts. (One form of BEC attack is “whaling,” which we discussed in this previous post.)
Takeaways from Dave
Put antivirus AND encryption on every business device.
If you have a mobile workforce, such as a group of auditors, Dave puts your risk of losing a laptop, tablet, or smartphone at about 100%. He warns that if those devices contain clients’ sensitive data, “that can be a business killer.”
Choose an IT services partner that’s focused on security.
Dave says it’s a mistake to believe that all IT services providers are cybersecurity experts. He’s had pushback from some IT vendors for clients who didn’t see the need for certain security basics.
Talk with current or potential IT vendors about their data security procedures, certifications, and other qualifications.
Cybersecurity Expert Kip Boyle
Kip Boyle, owner of Cyber Risk Opportunities in Seattle, is a cybersecurity pioneer, beginning with security
for the U.S. Air Force in the 1990s, then moving to a large insurer and the Stanford Research Institute.
Trend 7: Organized cybercrime will increasingly target medium-sized firms
Kip wrote the cybersecurity guidebook, “Fire Doesn’t Innovate: The Executive’s Guide to Thriving in the Face of Evolving Cyber Risks.” In this blog post, adapted from the book, Kip profiles an infamous Russian hacker who targets big banks and small businesses alike.
“You might think Russian cybercriminals are only interested in large, multinational banks worth hundreds of millions,” Kip says. “You’d be wrong. Cybercriminals exploit weakness for profit no matter who the target is or what the score will be.”
It’s a simple, cost-effective strategy: Organized cybercrime groups cast a wide net with automated phishing emails and malicious code installation to thousands of businesses, usually spread by people who work very cheaply.
Think of cybercriminals as a serious business competitor. “Cybercrime is a dynamic risk. It’s constantly changing to disrupt you — just like your competitors try to do,” Kip says.
Trend 8: Cybercriminals seeking multiple, smaller hits on victims
When targeting smaller firms, cybercriminals are getting more sophisticated than ransomware attacks that simply lock your network and demand money, Kip says. They’re installing code — usually via phishing — that hides silently in the background, looking for bank transfer patterns.
The thieves look for commercial bank account IDs and passwords, and then make a series of relatively small fraudulent transfers to their own account. This can keep the thefts under the radar for months, without stealing so much that you go out of business and turn off the spigot.
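The low-and-slow pattern Kip describes can be screened for in a firm's own outbound-transfer ledger: a payee with no prior history that suddenly receives several transfers, each small enough to escape attention, within a short span. The following Python is an added example written for this post, not code from Kip or Cyber Risk Opportunities; the ledger, payee labels, and the thresholds (`small_limit`, `window_days`, `min_count`) are constructed assumptions that a firm would tune to its own payment volume.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, Set


@dataclass(frozen=True)
class Transfer:
    when: datetime
    payee: str        # destination account identifier (constructed label)
    amount: float     # transfer amount in dollars


# Constructed sample ledger: two long-standing payees, one ordinary one-off
# payment, and a new payee that receives four sub-threshold transfers in a month.
SAMPLE_LEDGER = [
    Transfer(datetime(2019, 1, 5), "ACME-PAYROLL", 18000.00),
    Transfer(datetime(2019, 1, 12), "OFFICE-LEASE", 4200.00),
    Transfer(datetime(2019, 1, 15), "NEW-PAYEE-7781", 1900.00),
    Transfer(datetime(2019, 1, 20), "SUPPLY-CO", 950.00),
    Transfer(datetime(2019, 1, 22), "NEW-PAYEE-7781", 2100.00),
    Transfer(datetime(2019, 2, 3), "NEW-PAYEE-7781", 1750.00),
    Transfer(datetime(2019, 2, 5), "ACME-PAYROLL", 18000.00),
    Transfer(datetime(2019, 2, 10), "NEW-PAYEE-7781", 2300.00),
]

# Payees with an established history before the review period (assumed baseline).
KNOWN_PAYEES: Set[str] = {"ACME-PAYROLL", "OFFICE-LEASE"}


def flag_low_and_slow(transfers: Iterable[Transfer], known_payees: Set[str],
                      small_limit: float = 2500.0, window_days: int = 30,
                      min_count: int = 3) -> Dict[str, dict]:
    """Flag new payees that receive min_count or more transfers, each below
    small_limit, inside any window_days span. Returns payee -> summary."""
    by_payee: Dict[str, list] = defaultdict(list)
    for t in sorted(transfers, key=lambda t: t.when):
        if t.payee in known_payees or t.amount >= small_limit:
            continue            # established payee, or a large transfer that is visible anyway
        by_payee[t.payee].append(t)

    flagged: Dict[str, dict] = {}
    for payee, ts in by_payee.items():
        start = 0
        for end in range(len(ts)):
            # Slide the window start forward until the span is <= window_days
            while ts[end].when - ts[start].when > timedelta(days=window_days):
                start += 1
            if end - start + 1 >= min_count:
                flagged[payee] = {
                    "count": len(ts),
                    "total": round(sum(t.amount for t in ts), 2),
                    "first": ts[0].when.date().isoformat(),
                    "last": ts[-1].when.date().isoformat(),
                }
                break
    return flagged


if __name__ == "__main__":
    for payee, summary in flag_low_and_slow(SAMPLE_LEDGER, KNOWN_PAYEES).items():
        print(f"REVIEW {payee}: {summary}")
```

On the constructed ledger only `NEW-PAYEE-7781` is flagged: the one-off `SUPPLY-CO` payment and the large, recurring payroll and lease transfers are left alone. Running the screen against the bank's statement rather than the firm's own books matters, because the code Kip describes is operating inside the network and the internal records may already be what the attacker sees.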
Takeaways from Kip
Require dual control on money transfers.
This is a difficult rule for many smaller companies — even financial services firms — but no one person should be able to move money electronically without a second person signing off. This is the best way to guard against BEC attacks.
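What dual control looks like once it is enforced in software rather than by policy alone: a transfer cannot be released until a second, different person has signed off, and the sign-off is bound to the exact payee and amount so that an edit after approval (the classic BEC manoeuvre of swapping the destination account) voids it. This is an added example written for this post, not code from Kip or any firm named here; the user names, payee labels and the `fake_send` stand-in for a payment API are constructed.

```python
import hashlib
from dataclasses import dataclass
from typing import Callable, Optional


class DualControlError(Exception):
    """Raised when a transfer is released without a valid second approval."""


@dataclass
class TransferRequest:
    requester: str          # user who initiated the transfer (constructed names below)
    payee: str              # destination account label
    amount_cents: int       # amount in cents to avoid float rounding
    approver: Optional[str] = None
    approved_digest: Optional[str] = None

    def digest(self) -> str:
        # The approval is bound to the exact payee and amount; editing either
        # after sign-off changes the digest and voids the approval.
        return hashlib.sha256(f"{self.payee}|{self.amount_cents}".encode()).hexdigest()

    def approve(self, approver: str) -> None:
        if approver == self.requester:
            raise DualControlError("requester may not approve their own transfer")
        self.approver = approver
        self.approved_digest = self.digest()

    def is_releasable(self) -> bool:
        return (self.approver is not None
                and self.approver != self.requester
                and self.approved_digest == self.digest())


def release(req: TransferRequest, send: Callable[[str, int], str]) -> str:
    """Hand the transfer to the payment rail only when dual control is satisfied."""
    if not req.is_releasable():
        raise DualControlError(f"transfer to {req.payee} lacks a valid second approval")
    return send(req.payee, req.amount_cents)


def fake_send(payee: str, amount_cents: int) -> str:
    # Stand-in for the bank or payment API (constructed for the example)
    return f"SENT {amount_cents / 100:.2f} to {payee}"


def run_scenarios() -> dict:
    """Walk through the cases a control owner would test; returns outcomes."""
    results = {}
    req = TransferRequest("alice", "VENDOR-4410", 75_000)
    try:
        release(req, fake_send)
        results["unapproved"] = "released"
    except DualControlError:
        results["unapproved"] = "blocked"
    try:
        req.approve("alice")
        results["self_approval"] = "allowed"
    except DualControlError:
        results["self_approval"] = "blocked"
    req.approve("bob")
    results["dual_approved"] = release(req, fake_send)
    # Changing the payee after sign-off must force a fresh second approval
    req.payee = "CHANGED-PAYEE-0199"
    try:
        release(req, fake_send)
        results["edited_after_approval"] = "released"
    except DualControlError:
        results["edited_after_approval"] = "blocked"
    return results


if __name__ == "__main__":
    for case, outcome in run_scenarios().items():
        print(f"{case}: {outcome}")
```

The two checks that matter in practice are the ones an attacker with one compromised mailbox or login would test first: that the requester cannot also be the approver, and that an approval does not survive a change to the payee or amount. Both are enforced in `is_releasable`, so the payment rail never sees a request that fails either.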
Get buy-in for a cybercrime program by leading.
Kip consults with companies of all sizes on cybercrime prevention, and he says those that succeed almost always have leaders who commit to making cyber risk management a priority. They commit their own time and effort to the program, and get buy-in from every employee.
Regulations Will Always Trail Cyber Thieves
All of these experts agreed that complying with cybersecurity regulations is necessary, but compliance does NOT equal safety. The nature of financial industry regulations is that they address risks your company faced in the past.
Your cybersecurity program, therefore, must include completing all of the checklists your regulators require, while also focusing ahead on the evolving risks of cybercrime.