The September 2018 Securities and Exchange Commission (SEC) ruling against Voya Financial Advisors was a wake-up call for financial institutions everywhere.
The Des Moines-based investment advisor was fined $1M for its failure to respond appropriately to a cyber intrusion that compromised thousands of customer records. Voya was charged with violating the SEC’s Safeguards Rule and Identity Theft Red Flags Rule, the first enforcement action under that rule since its inception six years earlier.
Like Voya, all financial institutions collect and use personal information regularly, and are therefore highly regulated against data compromise. That is why data breaches, and the compliance failures that follow them, cost the financial industry more than any other industry except healthcare. Domestic data breaches cost financial institutions $206 per record¹, with an annual industry price tag of $18.28M.²
Emerging Regulatory Risk
Additional state, local and international regulatory standards have emerged recently to make compliance even more of a challenge for financial institutions. Here are a few:
General Data Protection Regulation, effective 6/25/18. GDPR contains a strict 72-hour notification requirement for a data breach involving EU residents. Companies that miss the deadline face fines of 20 million Euro or 20% of the company’s annual revenue, whichever is higher.
New York Cybersecurity Regulation, effective 8/28/17. Banks, insurance companies, and other financial services institutions are required to have a cybersecurity program designed to protect consumers’ private data. A formal incident response plan, an appointed Chief Information Security Officer and a long list of technical and process controls to protect data and systems are now mandatory. Companies found non-compliant face monetary penalties.
Canadian Digital Privacy Act, effective 11/11/18. Organizations are required to inform individuals about the personal information they are collecting, with specific mandates for children and other vulnerable individuals. Regulators may publish information disclosed through mandatory breach reporting. Violations may result in fines ranging from $10k to $100k.
Plan Now: Develop an Incident Response (IR) Plan
According to the 2018 Ponemon Institute Cost of Data Breach Study, having an IR plan and an IR team in place ahead of a breach reduces costs by $14 per compromised record.¹
A robust IR plan identifies a team of individuals from across the firm’s departments who are responsible for coordinating the following:
- Identifying, investigating and escalating the breach
- Preserving breach evidence and documenting all decisions and actions
- Assisting law enforcement
- Making recommendations to avoid future incidents
- Issuing a final breach report
Get Ready: Conduct a Table-top Exercise
Creating the IR plan is just the first step; executing it is next. Without real practice, an IR plan will not do much in a crisis. Running an informal simulation that walks through the response plan (also known as a tabletop exercise) annually, or even quarterly, will ensure that your business is ready for a breach scenario. A tabletop exercise typically begins with an unannounced scenario presented to the IR team. Here are a few examples:
- There has been a ransomware attack on the business. “CTO: What’s your first step?”
- More than 100 customer records have been stolen. “Risk Manager: What do we do now?”
- Take either of the above scenarios and ask the marketing/communications team member: “The media is calling. They heard from an employee that there’s an issue. Who will field the call?”
- Again, take either scenario and pose the following to the team: “The FBI is at the door. They want to take the servers. How can you coordinate their investigation and your parallel investigation?”
Contact your HUB Cyber and Financial Institutions specialists for help with developing an appropriate IR plan for your business, and with training on it through tabletop exercises.
1 Ponemon and IBM, 2018 Cost of Data Breach Study. https://databreachcalculator.mybluemix.net/assets/2018_Global_Cost_of_a_Data_Breach_Report.pdf
2 Ponemon and Accenture, 2017 Cost of Cyber Crime Study. https://www.accenture.com/t20170926T072837Z__w__/us-en/_acnmedia/PDF-61/Accenture-2017-CostCyberCrimeStudy.pdf
