Data-Centric Security Strategies and Regulatory Compliance

In the wake of a recent spate of cybersecurity breaches, the practice of data-centric security has received renewed attention from business leaders concerned about the integrity of critical data. As defined by a PKWare white paper, data-centric security focuses on protecting data itself, rather than the systems that contain it.1 Central to the concept of data-centric security is the notion that the systems established to store and guard data sometimes crumble in the face of cyberattacks.1 Given that all manner of data storage systems have shown themselves to be vulnerable, it is hard to argue with this foundational principle. Rather than offering prescriptions for the improvement of systems, then, data-centric security places safeguards around the data itself – safeguards which are automatically applied and regularly monitored to ensure data security.1

Data-centric security strategies have several key advantages over the “network-centric” models currently employed by many firms.2 As discussed, data-centric strategies account for the proclivity of security networks to succumb to cyberattacks by securing the data itself. In addition, because security measures are built into data, “security travels with the data while it’s at rest, in use, and in transit,” a characteristic of data-centric strategies that facilitates secure data sharing and allows firms to move data from system to system without having to account for inevitable variations in security infrastructure.3 Moreover, data-centric security allows for easy access to data (a cornerstone of productivity in any firm) without compromising data security. In fact, Format-Preserving Encryption (FPE) – the specific type of encryption employed by many data-centric strategies4 – “maintains data usability in its protected form,” striking a balance between security and accessibility.5 Clearly, data-centric strategies provide stronger, more all-encompassing, and eminently manageable modes of data protection.

But perhaps the most important aspect of data-centric security is its essential role in any security regime compliant with New York State cybersecurity regulations. In fact, as the data security company Vera has noted, “the new rules are focused not just on protecting information systems but on securing, auditing and the disposition of data itself.”6 New York’s determination to advance data-centric security is evident in certain provisions of the recent cybersecurity regulation, the most important of which mandate that companies “restrict access privileges not only to systems but to the data itself.”6 Moreover, New York State’s cybersecurity regulations reflect the priorities of data-centric security because they require firms to “implement an audit trail system to reconstruct transactions and log access privileges,” a system which allows the security of individual pieces of data to be monitored automatically.6 New York regulators have already recognized the benefits of data-centric security strategies. Now, with the assistance of legal experts well-versed in cybersecurity compliance, companies concerned about their data security can too.

____________________________________________________________________________________

  1. https://pkware.cachefly.net/webdocs/pkware_pdfs/us_pdfs/white_papers/WP_Data_Centric_Security_Blueprint.pdf
  2. https://www.symantec.com/blogs/expert-perspectives/data-centric-security-changing-landscape
  3. https://www.comforte.com/fileadmin/Collateral/comforte_FS_tokenization_vs_FPE_WEB.pdf?hsCtaTracking=8a3a11b3-5ba3-4e1a-a41f-78bb92d22458%7C358952c5-4dff-4793-bbeb-8835361c3b14
  4. https://www.1stmarkets.de/en/blog/blog-article-3
  5. https://www.techpowerusa.com/wp-content/uploads/2018/03/MicroFocus.Techpower-Big-Data-eBook-2018-9434.pdf
  6. https://www.vera.com/wp-content/uploads/2018/02/Veras-Guide-to-the-NY-DFS-Regulations.pdf

Cybersecurity Compliance Could Have Saved Capital One Millions

A recent cybersecurity breach involving one of the country’s largest financial services firms illustrates both the necessity of strong cybersecurity regulations and the imperative for credit card holders to jealousy safeguard their personal information. In a criminal complaint filed July 29th, 2019 at the U.S. District Court for the Western District of Washington, the federal government alleged that Paige A. Thompson, a computer engineer, had taken advantage of a gap in Capital One’s cloud security to obtain the personal financial records of millions of the company’s customers in the U.S. and abroad.1 Thompson, who used the online alias “erratic,” allegedly exploited a defect in Capital One’s firewall to access confidential financial information stored on the servers of the Cloud Computing Company, a Capital One service provider.1 Despite Capital One’s claim that “no credit card account numbers or log-in credentials were compromised and less than one percent of Social Security numbers were compromised,” the episode is a reminder that without robust cybersecurity measures and a broad-based commitment to personal data security, information stored with American financial institutions remains vulnerable to cyberattack.2 In fact, had Thompson been more careful to remain anonymous,3 the data breach could well have become catastrophic.

First, the data breach demonstrates the value of robust cybersecurity regulations. For example, if Capital One’s cybersecurity measures had met the stringent standards of the regulations issued by New York State’s Department of Financial Services that is now being enforced by the state’s new Cybersecurity Division, this problem may have been avoided. The DFS has committed itself to ensuring that “encryption and other robust security control measures” characterize the cybersecurity policies of the state’s financial services firms.5 Had Capital One encrypted or tokenized6 all of the data subject to the recent breach, it is possible that the effects of the cyberattack may have been less widespread. In fact, the criminal complaint against Thompson notes that “although some of the information” targeted by the cyberattack “has been tokenized or encrypted, other information[…]regarding their credit history has not been tokenized,” allowing “tens of millions” of credit card applications to be compromised.1 Of course, the cybersecurity regulations adopted by New York State are burdensome. But the alternative is even worse – especially considering that Capital One will “incur between $100 million and $150 million in costs related to the hack, including customer notifications, credit monitoring, tech costs and legal support,” a price tag that doubtless outstrips the costs of regulatory compliance.3

Pastore & Dailey is a leading firm in the drafting and implementation of procedures necessary to comply with federal and state securities and banking cybersecurity regulations and laws, which in this case could have saved Capital One millions if properly followed.

Second, the cyberattack bears out the importance of diligence in safeguarding financial information. According to Forbes, individuals worried about the security of their financial information can take a host of precautions: “[updating] passwords,” avoiding the use of e-mail accounts to share confidential information, “[establishing] two-factor authentication,” and so on.7 Cyberattacks like the one that recently struck Capital One have become a fact of life for many Americans who bank online, but they need not be costly. Common-sense precautions and security diligence can go a long way towards ensuring the integrity of your financial records.

New DFS Cybersecurity Division

Perhaps as a signal of its commitment to fight cybercrime and stringently enforce its cybersecurity regulations, New York State recently established a “cybersecurity division”1 within the state’s Department of Financial Services (DFS). The creation of the division marks yet another step taken by New York State to guard against the dangers posed by cyberattacks, perhaps motivated by its status as the home of many prominent financial services firms. In addition, the presence of the division strongly suggests that the cybersecurity regulation2 issued by DFS in Spring 2017 [WB1] cannot be taken lightly by the state’s largest and most important financial services firms. Aside from the comprehensive nature of the regulation and the sizable power afforded to the new cybersecurity division, the novelty of New York’s recent innovations in cybersecurity regulation suggests their importance and staying power. In fact, as JDSupra notes, the creation of the new division more or less completed a years long process that has made “New York[…]the only state in the country that has a banking and insurance regulator exclusively designated to protect consumers and companies from the ever-increasing risk of cyber threats.”1

Some financial services firms, conscious of their vulnerability to cyberattacks, will doubtless welcome these additional steps. As a report from the Identity Theft Resource Center notes, financial services firms “are reportedly hit by security incidents a staggering 300 times more frequently than businesses in other industries.”3 Far from being mere annoyances, these cyberattacks are often extremely costly. In fact, according to a study from IBM and the Ponemon Institute, the cost to a financial services firm per record lost in a cyberattack was more than $100 greater than the cost to the average company.4 Moreover, cyberattacks can also cripple consumer confidence in financial services firms, causing them to lose business and endure even greater costs.5 In general, then, cyberattacks can damage both a financial services firm’s sensitive records and its public image, making them a grave threat to any such company’s bottom line.

It would be a mistake, however, to think about DFS regulation purely in terms of cost reduction. Regulation also entails costs – not least because compliance with the 2017 regulation can be investigated and punished by DFS’ new cybersecurity division. In fact, these new developments indicate that cybersecurity will not come cheaply, especially because the regulation imposes a bevy of new security requirements on top firms, costing them a not insignificant amount of time and money. From multi-factor authentication to training programs to the appointment of a “Chief Information Security Officer,” the now fully enforceable regulation will force financial services firms to foot the bill for a host of cybersecurity measures.6

  1. https://www.jdsupra.com/legalnews/new-york-creates-cybersecurity-division-20881/
  2. https://www.dfs.ny.gov/docs/legal/regulations/adoptions/dfsrf500txt.pdf
  3. https://www.idtheftcenter.org/wp-content/uploads/2019/02/ITRC_Generali_The-Impact-of-Cybersecurity-Incidents-on-Financial-Institutions-2018.pdf, pg. 3
  4. IBM and the Ponemon Institute, The Cost of a Data Breach (2017), summarized in https://www.idtheftcenter.org/wp-content/uploads/2019/02/ITRC_Generali_The-Impact-of-Cybersecurity-Incidents-on-Financial-Institutions-2018.pdf, pg. 6
  5. https://www.idtheftcenter.org/wp-content/uploads/2019/02/ITRC_Generali_The-Impact-of-Cybersecurity-Incidents-on-Financial-Institutions-2018.pdf, pg. 8
  6. https://www.dfs.ny.gov/docs/legal/regulations/adoptions/dfsrf500txt.pdf, pg. 5

SEC Discusses New Cyber Unit to Combat Cyber-Related Misconduct

On October 26, 2017, Stephanie Avakian, Co-Director of the SEC’s Division of Enforcement gave a speech regarding Enforcement’s initiatives, in particular, regarding cybersecurity.

Ms. Avakian identified cybersecurity as one of the SEC’s “key priorities” necessitating a strategic focus and allocation of resources in order to fulfil the SEC’s “investor protection mission.”[1]  In order to effectuate these initiatives, the SEC created a Cyber Unit to combat cyber-related misconduct.[2]  According to Ms. Avakian, the increasing frequency coupled with the increasing complexity of these matters is what fueled the creation of the Cyber Unit.

The SEC identified three types of cases that have caught Enforcement’s interest:

Hacking to access material, nonpublic information in order to trade in advance of some announcement or event, or to manipulate the market for a particular security or group of securities;

Account intrusions in order to conduct manipulative trading using hacked brokerage accounts; and

Disseminating false information through electronic publication, such as SEC EDGAR filings and social media, in order to manipulate stock prices.[3]

Specifically addressing the second area of Enforcement’s interest, Ms. Avakian identified specific SEC Rules—Regulations S-P, S-ID, SCI, among others—which are risk based and, notably, flexible, that apply to failures by registered entities to take the necessary precautions to safeguard information.  These situations often involve coordination with OCIE, where the SEC will consult with OCIE at the outset in order to determine which entity is better suited to lead an investigation.

Interestingly, in efforts to combat the third area of Enforcement’s interest, the SEC  has not yet brought a case.  Despite identifying the importance of the disclosure requirements, Ms. Avakian states that “[w]e recognize this is a complex area subject to significant judgment, and we are not looking to second-guess reasonable, good faith disclosure decisions, though we can certainly envision a case where enforcement action would be appropriate”—seemingly indicating that of the three areas of interest, cyber-fraud in disclosures and the like may be of the least importance in Enforcement’s new cyber-initiatives.

The Cyber Unit will also spearhead the blockchain technology investigations, as the emerging issues in this area necessitate a “consistent, thoughtful approach.”  Although Initial Coin Offerings and Token Sales may be a new and legitimate platform to raise capital, this virtual currencies and offerings may also serve as “an attractive vehicle for fraudulent conduct.”[4]

Prior to the creation of the Cyber Unit, much of the cyber-related investigations have been led by the Market Abuse Unit, as there is a significant overlap between insider trading schemes and cyber-related schemes.  The risk, however, that cyber-related incidents pose is too great and, according to the SEC, warrants its own investigative unit.

[1] Stephanie Avakian, The SEC Enforcement Division’s Initiatives Regarding Retail Investor Protection and Cybersecurity, U.S. Securities and Exchange Commission (Oct. 26, 2017), https://www.sec.gov/news/speech/speech-avakian-2017-10-26#_edn2.

[2] Press Release 2017-176, SEC Announces Enforcement Initiatives to Combat Cyber-Based Threats and Protect Retail Investors (Sept. 25, 2017), available at https://www.sec.gov/news/press-release/2017-176.

[3] Avakian, supra note 1.

[4] Avakian, supra note 1.

FINRA Fines Member Firms for Violation of Its Recordkeeping Provisions and Issues Cybersecurity Warning

FINRA fined twelve of its largest member firms a combined $14.4 million for violation of its Rule 4511 and SEC Rule 17a-4(f) for their failure to keep hundreds of millions of electronic documents in a WORM or “write once, read many” format.  The WORM format is designed to ensure that important firm records including customer records containing Personally Identifiable Information are not altered after they are written.

The firms included Wells Fargo & Co., RBC Capital Markets, LPL Financial, RBS Securities, SunTrust Robinson Humphrey, Georgeson Securities Corp and PNC Capital Markets.  FINRA also found that these firms violated its Rule 3110, Supervision, and several other SEC recordkeeping provisions, Securities Exchange Act Section 17(a) and Rules 17a-4 (b) and (c), thereunder.

FINRA noted that such records must be maintained in order to ensure member firm compliance with investor protection rules and that over the last decade the volume of such data being stored electronically has risen exponentially.  In a cybersecurity warning, FINRA stated:

there have been increasingly aggressive attempts to hack into electronic data repositories, posing a threat to inadequately protected records, further emphasizing the need to maintain records in WORM format.

P&D is pleased to note that its newest partner, John R. “Jack” Hewitt is one of the country’s foremost cybersecurity authorities, and a major part of his practice is advising broker-dealers, RIAs and banks on their adherence to SEC, FINRA, CFTC and state cybersecurity requirements.  Among other things, he advises firms on information security programs, guides them through cyber-incidents and represents them in the event of a regulatory inquiry.  Mr. Hewitt regularly conducts cybersecurity audits for broker-dealers and investment advisers, and was the SEC appointed independent outside consultant in the first major SEC cybersecurity enforcement action.  He is the author of Cybersecurity in the Federal Securities Markets, a BloombergBNA publication, and Securities Practice & Electronic Technology, an ALM treatise. Mr. Hewitt is the Co-Chair of the American Bar Association, Business Section, White Collar Crime Subcommittee on Cybersecurity.

Read FINRA’s official announcement

NYS DFS Cybersecurity Regulation Webinar 4/20/17: Presented by P&D’s Jack Hewitt and CohnReznick’s Jim Ambrosini

John R. Hewitt, Partner at Pastore & Dailey LLC, and Jim Ambrosini, Managing Director at CohnReznick Advisory, will be conducting a complimentary Webinar on Thursday, April 20, 2017 at 12:00 PM EDT.  Mr. Hewitt is recognized as a national authority in cybersecurity and Mr. Ambrosini is a leader in cybersecurity and technology assurance service offerings at CohnReznick.

Mr. Hewitt and Mr. Ambrosini will discuss the New York State’s Department of Financial Services (DFS) regulation, effective as of March 1, 2017, providing an overview of the regulation, a summary of what controls must be in place, how to implement controls using a risk-based approach, key DFS regulation issues, and how to develop a roadmap towards compliance.

Please join us for this Webinar on April 20, 2017 at 12:00 PM EDT by registering below:

https://event.on24.com/eventRegistration/EventLobbyServlet

The Facebook-FTC Settlement and the Future of Privacy Regulation

In the wake of a landmark Federal Trade Commission (FTC) settlement imposed on the social media giant Facebook, it is fair to speculate whether other companies will be forced to pay hefty fines and prioritize compliance with privacy standards in order to escape punishing federal regulation. The settlement, which was announced on Wednesday, July 24th, compels Facebook to pay a five billion dollar fine, the largest ever penalty leveled on a social media company in connection with privacy violations.1 Though the fine is relatively trivial in the context of Zuckerberg and co.’s multi-billion dollar annual earnings, the settlement also forces Facebook to “submit to quarterly certifications from the FTC to acknowledge that the company is in compliance with the [settlement’s] privacy program,” a major defeat for a company whose business model revolves around the collection and analysis of user data.2 The settlement also forces Facebook to reform its corporate structure and submit to oversight from an internal “privacy committee” tasked with ensuring the integrity of user data, among other impositions.2

All in all, the settlement is important not so much for its impact on Facebook as its implications for legal scrutiny of other technology companies. Although the federal government lacks the congressional mandate required to more expansively scrutinize the privacy standards of technology companies, such a mandate may well be in the offing, especially considering that political interest in privacy violations is cresting among members of both parties. Moreover, even if Congress elects not to craft a comprehensive online privacy law, future settlements imposed by the FTC could cripple rival companies lacking the social media giant’s seemingly inexhaustible resources.

Although the FTC settlement represented a major shift in the regulatory landscape, social media companies innocent of the sort of grave violations committed by Facebook can rest easy for the moment, given that the agency must target offending companies one-by-one in the absence of a sweeping congressional privacy mandate. In fact, the sort of stringent legal protections for user data commonplace in the European Union have not yet been approved by American lawmakers, who have so far refrained from devising a tough privacy law in the mold of the E.U.’s General Data Protection Regulation. Specifically, the European regulation requires social media companies to “inform users about their data practices and receive explicit permission before collecting any personal information,” a level of government oversight unheard-of stateside.3 Without the sweeping powers afforded to their European counterparts, American regulators have chosen to target serious individual offenses – like the unauthorized collection of user data by third party programs that sparked the inquiry into Facebook.2

But it would be a mistake to assume that the legal and political landscape will become more favorable to technology companies in the foreseeable future. Conservatives and liberals alike have entered into an uneasy alliance to promote a stringent new privacy law,4 and both Marco Rubio and Ron Wyden – lawmakers on distinct poles of the ideological spectrum – have proposed new regulations on social media giants.5 As a consequence of broad-based political support for privacy restrictions, future settlements reached with technology companies are bound to be at least as costly as the one recently reached with Facebook – a prospect that should trouble smaller companies that lack the ability to maintain profitability in the wake of a federal crackdown. Although federal regulation may prove burdensome and costly, compliance seems to be the vastly more preferable alternative.

 

 

  1. https://www.ftc.gov/news-events/press-releases/2019/07/ftc-imposes-5-billion-penalty-sweeping-new-privacy-restrictions
  2. https://www.cnbc.com/2019/07/24/facebook-to-pay-5-billion-for-privacy-lapses-ftc-announces.html
  3. https://www.nytimes.com/2019/06/08/opinion/sunday/privacy-congress-facebook-google.html
  4. https://www.nytimes.com/2019/07/14/technology/big-tech-strange-bedfellows.html
  5. https://blog.malwarebytes.com/security-world/privacy-security-world/2019/03/what-congress-means-when-it-talks-about-data-privacy-legislation/