On October 18, 2017, the Consumer Financial Protection Bureau (CFPB) issued a set of Consumer Protection Principles regarding the sharing and aggregation of consumers’ financial data. The timing of the announcement in light of last month’s disclosure of the Equifax breach of approximately 140 million consumers’ financial data seems noteworthy, as all companies whose businesses

The 180-day transitional period under the New York Department of Financial Services (NYDFS) Cybersecurity Requirements for Financial Services Companies is set to expire Aug. 28, 2017. Financial services companies must achieve compliance with the cybersecurity regulations prior to this deadline or face substantial monetary penalties and reputational harm.

Cybersecurity Regulation Overview

The cybersecurity regulations became

On October 19, 2016, the Federal Reserve, the Federal Deposit Insurance Corporation and the Office of the Comptroller of the Currency (together, the “Prudential Regulators”) published an advance notice of proposed rulemaking (ANPR) that would require banks with more than $50 billion in assets to take additional steps to protect against cyber-attacks.  Comments to the

Last Monday, October 24, Consumer Financial Protection Bureau (CFPB) Director Richard Cordray spoke on the Bureau’s approach to FinTech at Money 20/20, a conference focused on payments and financial service innovation.  In his remarks, Cordray focused on responding to criticism of the CFPB’s enforcement actions against FinTech start-ups and appeared to warn large financial

Businesses and financial entities continue to grapple with the increasing frequency and sophistication of hacking, displayed by the recent botnet attack that affected numerous websites on October 21, 2016, as well as the recent SWIFT hack which was used to steal $81 million from the Bangladeshi central bank. On October 11, 2016, G-7

On October 18, 2016, the Federal Financial Institutions Examination Council (FFIEC) issued answers to frequently asked questions (FAQs) to clarify points in FFIEC’s Cybersecurity Assessment Tool (Assessment). FFIEC released the Assessment in June 2015 to help financial institutions identify their risks and assess their cybersecurity preparedness. The Assessment incorporates cybersecurity principles from the FFIEC Information Technology (IT) Examination Handbook (the IT Handbook) and regulatory guidance, and concepts from other industry standards, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework (the NIST Framework). While FFIEC’s Assessment is a good tool for banks to evaluate their cybersecurity standards, some banks experienced challenges mapping processes to the NIST Framework and interpreting FFIEC’s IT Handbook. FFIEC’s FAQs should resolve these common issues, but they also raise other questions.

On October 6, 2013, the Federal Financial Institutions Examination Council (FFIEC) announced that it will host two webinars with the goal of increasing cybersecurity preparedness by its member financial institutions.  FFIEC’s webinars are in recognition and observance of National Cybersecurity Awareness Month.

FFIEC’s first webinar will cover Mobile Financial Services – Appendix E of

On September 9, 2016, the Federal Financial Institutions Examination Council (FFIEC) updated its Information Security Booklet (available here). In addition to certain editorial non-substantive changes, the modifications include revisions to IT risk management and information security processes, and updated examination procedures in Appendix A to help examiners evaluate an institution’s culture, governance, information

On September 13, 2016, the New York Department of Financial Services (DFS) proposed new first-in-the-nation cybersecurity regulations (Regulations) that would require banks and other financial institutions to adopt minimum cybersecurity standards. In some ways the regulations are consistent with existing Federal Financial Institutions Examination Council (FFIEC) cybersecurity guidelines and FFIEC’s Information Technology (IT) Examination Handbook

On June 7, 2016, the Federal Financial Institutions Examination Council (FFIEC) reminded banks of the cyber risks associated with interbank messaging and wholesale payment networks. FFIEC made its announcement after hackers allegedly used the Society for Worldwide Interbank Financial Telecommunication (SWIFT) messaging system to steal millions of dollars from banks around the world, including $81