The Board of Governors of the Federal Reserve System has recently indicated it may move forward with enhanced cybersecurity standards that had previously been floated by the Board, the Office of the Comptroller of the Currency (OCC) and the Federal Deposit Insurance Corporation (FDIC) back in 2016. Specifically, in October 2016, the three agencies issued a joint advance notice of proposed rulemaking (ANPR) on enhanced cybersecurity standards before deprioritizing it in 2017. While the OCC and the FDIC withdrew their ANPRs earlier this Spring, the Board may revive the issue this coming Fall.
The recent data breach of India-based technology services provider Wipro serves as yet another reminder that technology or outsourcing service providers are high-priority targets for cyberattacks. In “Managing Risk in Light of the Wipro Data Breach,” colleagues Meighan E. O’Reardon, Andrew Caplan, Mia Rendar and
Financial institutions regulated by the New York Department of Financial Services (DFS)—referred to in this post as “Covered Entities”—should by now be well familiar with the department’s sweeping cybersecurity regulation, 23 NYCRR 500, that became effective on March 1, 2017. The regulation delves into a level of detail (e.g., multi-factor authentication and encryption requirements) and requires a level of senior level attention (e.g., annual attestation of compliance, signed by the Board of Directors or a Senior Officer) heretofore unseen in U.S. federal or state regulations.
At a recent seminar discussion on smart buildings, I was reminded of the Mr. Robot episode where the general counsel of a multinational corporation, which is being targeted by a hacker group, has her futuristic apartment hacked. In case you haven’t been watching, Mr. Robot is USA Network’s psychological thriller about a young programmer who works as a cybersecurity engineer by day but by night is a vigilante hacker.
- The European Union Court of Justice (“CJEU”) to rule on the validity of Model Contractual Clauses (“MCCs”) following referral by the Irish High Court.
- The Irish High Court has “well-founded” concerns that there is no effective remedy in US law for EU citizens whose personal data is transferred to the United States and the use of MCCs does not eliminate those concerns.
The increasing number of software supply chain compromises represents a significant weakness that should be top of mind for security professionals. Regardless of your firm’s core business, chances are it relies on, and is connected to, a range of software providers’ electronic distribution channels for acquiring initial licenses or software updates. Any such electronic access, even through authorized and vetted means, poses a risk to the organization. Put simply: your software provider’s vulnerabilities could easily become your next breach.
A number of major carriers have suffered high-impact IT events in the past several months. Estimates of losses in these cases have exceeded £100m. This is on top of (no doubt significant) remedial costs, reductions in share price and reputational damage.
Such high-impact events are, in theory, unlikely to occur—the result of a series of unlikely events which, when taken together, have a catastrophic impact. Unfortunately for corporates, the probability of a high-impact IT event is increasing. This is partly due to the increasingly interconnected and complex nature of IT infrastructures but also due to heightened cybersecurity risks. Failures tend not to be localised to a particular geography or business but have global reach.
We advise airlines to consider and revisit their current business continuity and disaster recovery (BCDR) arrangements. In our experience, the reality of BCDR arrangements often falls below the stated requirements or capabilities of such solutions, whether provided by third-party IT providers or in-house.
According to PwC’s latest biennial Global Economic Crime Survey, cyber-crime is up 20 percent since 2014 and more than half of the firms surveyed expect to become the victim of a cyber-crime in the next two years, although a third reported that they have no plan to address a cyber-incident. While we are used to seeing the big cyber-attacks make the news, an attack of any size can have a disastrous effect on a business and within the supply chain, and can also have wide-reaching implications: not only for the business targeted, but for all those businesses linked to it. In “Protection Planning,” an article in Logistics Business Magazine, Pillsbury partner Tim Wright discusses the steps you should be taking to protect your business against such damaging shocks.
Effective March 1, 2017, first-in-kind regulations issued by the New York Department of Financial Services (New York DFS) will begin to affect a wide array of both depository and non-depository financial institutions. The new regulations will cascade certain requirements upon these financial institutions’ third-party service providers, requiring the financial institutions to take a close look at their vendor relationships.
Who Is Covered?
The new regulations will specifically apply to “Covered Entities,” meaning any financial services firm that operates (or is required to operate) under a “license, registration, charter, certificate, permit, accreditation or similar authorization” by the New York DFS. Just to name a few, this includes banks, credit unions, insurance companies, licensed lenders and loan servicers, money transmitters, and even those operating under New York’s new virtual currency license.
The UK’s financial services regulator, the Financial Conduct Authority (FCA), has recently published summaries of the responses it received to a Call for Inputs (CfI) on the use of big data in the retail general insurance (GI) sector as well as outlining its responses to the issues raised. Insurance companies, which are increasingly using big data (gleaned from social media, loyalty cards, aggregator sites and other such sources) to determine risk profiles and set premiums, can rest a little easier given that the FCA says that it has decided not to undertake a full market study or make a reference to the Competition and Markets Authority.