On December 20, 2018, the Financial Industry Regulatory Authority (FINRA) released a report on cybersecurity practices for broker-dealers. Today’s post is the second in a series of summaries sharing essential, timely insight on how these practices impact your business. Please click here for the first post on cybersecurity practice impacts.

FINRA names “phishing” attacks as one of the most common cybersecurity threats raised by firms with the self-regulator.[1] The goal of a phishing email is to manipulate the recipient into taking action. FINRA focuses on two types of phishing attacks in the report. The first is “spear phishing,” where the sender researches and targets the recipient(s) with a customized approach designed to get confidential information from the individual(s). The second is “whaling,” wherein the hacker sends targeted emails impersonating senior executives at the firm in order to set action in motion, typically wiring funds to specifically identified accounts.    Continue Reading FINRA’s 2018 Report on Cybersecurity Practices – Preventing “Spear Phishing” and “Whaling” Attacks

On December 20, 2018, the Financial Industry Regulatory Authority (FINRA) released a report on cybersecurity practices for broker-dealers. This post is the first of a series of summaries sharing essential, timely insight on how these practices impact your business. The Report follows close on the heels of FINRA’s annual Report on Examination Findings issued Dec. 14, 2018. Now we know why Cybersecurity, a top regulatory and examination priority for FINRA in 2018, was not included in their examination findings report. Not surprising, albeit somewhat unusual, the importance of the topic and FINRA’s insights warranted a separate communication. Continue Reading FINRA Issues 2018 Report on Selected Cybersecurity Practices

As previously discussed, software as a service (SaaS) solutions offer the allure of being able to outsource IT for data storage.  Being able to rely on someone else to protect you sounds great, but is it really?  Losing control over your sensitive data requires serious diligence of the third party vendor.  Caveat emptor: SaaS solutions can expose companies to unknown risks. Tips to avoid those risks are discussed below.

Continue Reading Three More Risks to Consider with SaaS Solutions

On November, 2, 2018, Ohio’s recently passed Data Protection Act (Act) officially became law. The Act provides a possible affirmative defense to businesses in lawsuits where the plaintiff alleges a tort based on a business’ failure to implement a cybersecurity framework.

Importantly, the new law does not create a minimum cybersecurity standard in Ohio or new cybersecurity regulations that businesses must follow. Rather, the law operates by incentivizing businesses to develop and maintain a cybersecurity program that “reasonably conforms” to an already existing, industry recognized cybersecurity framework. If the company can prove that it had a compliant cybersecurity program in place at the time of a breach, the company can use the program’s existence as an affirmative defense to certain tort claims. Continue Reading New Cybersecurity Law Offers Safe Harbor Against Tort Claims

As a part of National Cybersecurity Month, last week the Federal Trade Commission (FTC) launched a campaign to help educate and assist small businesses with cybersecurity.  In conjunction with the Department of Homeland Security (DHS), the National Institute of Standards and Technology (NIST), and the Small Business Administration (SBA), the FTC has published a collection of materials for small businesses about cybersecurity. These materials include information about the following:

  • Cybersecurity Basics;
  • Understanding the NIST Cybersecurity Framework;
  • Physical Security;
  • Ransomware;
  • Phishing;
  • Business Email Imposters;
  • Tech Support Scams;
  • Vendor Security;
  • Cyber Insurance;
  • Email Authentication;
  • Hiring a Web Host; and
  • Secure Remote Access.

Additional information about the cybersecurity campaign and access to the materials can be found here.

2018 Best Legal Blog Contest - Click to Vote

CA IoT Cybersecurity Bill Heads To Governor’s Desk
The bill (SB-327), if signed by Gov. Brown, will take effect on January 1, 2020. It is aimed at securing connected devices. The bill states that, “a manufacturer of a connected device shall equip the device with a reasonable security feature or features.”

House Approves Financial Sector Data Breach Bill
On Sept. 13 the House Financial Services Committee approved bill (H.R. 6743) to create a national data breach notification standard for the financial sector. The bill would amend the GLBA and preempt state law for institutions covered under the financial services law.

Department of Commerce Launches Collaborative Privacy Framework Effort
NIST announced it has launched a collaborative project to develop a voluntary privacy framework to help organizations manage risk. NIST will hold a public workshop on Oct. 16, 2018, in Austin, Texas—in conjunction with the International Association of Privacy Professionals’ Privacy. Security. Risk. 2018.

Upcoming Events:

McGuireWoods HIPAA Webinar Series: September 24, 2018 
This webinar will examine the application of HIPAA to the ever-growing array of mobile health applications and devices, with an emphasis on the design and security implications of such devices.

NIST has published Special Publication (SP) 1800-5, “IT Asset Management” to help financial service companies monitor and manage IT assets.  According to the release:

“The example solution…gives companies the ability to track, manage, and report on information assets throughout their entire life cycle. This can ultimately increase cybersecurity resilience by enhancing the visibility of assets, identifying vulnerable assets, enabling faster response to security alerts, revealing which applications are actually being used, and reducing help desk response times.”

A copy of the SP can be found here.

CTIA, a trade association representing the wireless communications industry, recently announced a new cybersecurity certification program for IoT cellular-connected devices. The announcement comes shortly after NIST hosted a workshop in July regarding Considerations for Managing IoT Cybersecurity and Privacy Risks.

CTIA states, “[t]he program will protect consumers and wireless infrastructure, while creating a more secure foundation for smart cities, connected cars, mHealth and other IoT applications.” Tom Sawanobori, SVP and Chief Technology Officer at CTIA states that, “[t]he IoT Cybersecurity Certification Program harnesses CTIA’s network of authorized labs and reflects our commitment to securing networks and devices in an increasingly connected wireless world.”

According to CTIA, the Cybersecurity Certification Program is built upon NTIA and NIST IoT security recommendations. The Program will begin accepting devices for certification testing in October 2018.

More information about the Cybersecurity Certification Program can be found here.

On August 14, 2018, President Trump signed into law S. 770, the “NIST Small Business Cybersecurity Act.”  This Act requires the National Institute of Standards and Technology (NIST) to develop and disseminate resources for small businesses to help reduce their cybersecurity risks. The Act states that the resources should be:

  • “Generally applicable and usable by a wide range of small business concerns;
  • Vary with the nature and size of the implementing small business concern, and the nature and sensitivity of the data collected or stored on the information systems or devices of the implementing small business concern;
  • Include elements, that promote awareness of simple, basic controls, a workplace cybersecurity culture, and third-party stakeholder relationships, to assist small business concerns in mitigating common cybersecurity risks;
  • Include case studies of practical application;
  • Technology-neutral and can be implemented using technologies that are commercial and off-the-shelf; and
  • Based on international standards to the extent possible, and are consistent with the Stevenson-Wydler Technology Innovation Act of 1980.”

The eighteen month transitional period under the New York Department of Financial Services (NYDFS) Cybersecurity Requirements for Financial Services Companies expires on September 4, 2018. These requirements apply to entities, “operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.”  In less than a month, these Covered Entities subject to Part 500 are required to be in compliance with the requirements of sections 500.06, 500.08, 500.13, 500.14(a) and 500.15 of 23 NYCRR Part 500.

These requirements include:

  • Implement and maintain audit trail requirements (500.06);
  • Adopt written application security requirements (500.08);
  • Adopt written data retention requirements (500.13);
  • Implement monitoring/unauthorized access requirements (Section 500.14(a)); and
  • Implement encryption requirements (500.15).

The final compliance deadline is March 1, 2019.  In addition to those aforementioned Covered Entities, credit reporting agencies with significant operations in New York were recently required to comply with the cybersecurity regulations.  More information about the Cybersecurity Requirements can be found here.