New Government Standards Raise the Stakes
With both the Fed and the FTC preparing to implement a new set of cybersecurity standards this fall, financial institutions should be making preparations to change their approach to cybersecurity from the ground up. In a 2016 advance notice of proposed rulemaking (ANPR), the Federal Reserve proposed an enhanced set of standards for banks and financial firms with $50B or more in assets. The standards are designed to limit damage from increasingly frequent cyber threats against the financial services industry.
In simple terms, institutions will be expected to take responsibility for continuously monitoring and responding to threat levels, for educating all employees on security best practices, and for the cybersecurity integrity of their vendors and partners. Board members and senior leaders of affected institutions will be expected to take a direct role in setting cybersecurity policy and managing crisis response. And, last but not least, institutions will be expected to have an independent risk manager responsible for overseeing all of these protocols and for reporting directly to the institution’s board of directors. For firms that already have a Chief Compliance Officer, it is time to incorporate cyber risk management into his or her responsibilities.
While these enhanced standards aim to reduce the risk posed by the interconnected nature of our financial institutions, the financial industry isn’t the only one affected by cybersecurity threats. In fact, according to Verizon’s 2019 Data Breach Investigations Report, cyber attacks on financial services entities rank fourth behind small businesses, the healthcare industry, and the public sector (government agencies).
No industry is safe. Take for example the hotel industry: the 2018 Marriott breach compromised the information of 500 million customers. Any industry that deals with consumers’ financial data is vulnerable. And the internet of things provides an ever-increasing plethora of vulnerabilities for hackers. In a recent Bloomberg article, benevolent hackers demonstrated the ease with which bad actors can access a hotel’s internal network through an unlikely back door: an internet-connected sensor for remote-controlled blinds. Hackers are resourceful and determined, and they’re operating across the globe.
That’s where the European Union’s General Data Protection Regulation (GDPR) comes into play. The GDPR, which took effect in May of 2018, has set the tone not only for companies operating in Europe, but also for those operating on a global scale. Broadly speaking, the GDPR unifies privacy rules across the EU and establishes that any data a company or entity holds that can be used to identify a person belongs to that person. Companies are obligated to secure that data or pay a hefty fine, which for the highest offenses can be “up to €20 million, or 4% of the worldwide annual revenue of the prior financial year.”
The GDPR’s 99 articles share many similarities with the Federal Reserve’s proposed rules and the Federal Trade Commission’s proposed regulations, as well as New York’s Department of Financial Services regulation, 23 NYCRR 500. One of their shared core tenets is the requirement that certain companies designate a data protection or cybersecurity compliance officer. The GDPR specifically makes this a requirement for companies which conduct “regular and systematic monitoring of data subjects on a large scale.”
Noncompliance is Costly
While the end goal for hackers is usually monetary, consumers’ financial information is not the only thing at stake. Hospitals, for example, store patient data on internal servers and in the cloud. Ethical questions aside, there are considerable fines for allowing a breach where such sensitive data as patient information is at stake. HIPAA Journal cites fines up to $1.5M per violation per year for willful neglect.
Even companies that don’t operate in the finance or healthcare industries can face considerable monetary consequences for neglecting to protect consumer information. According to Corporate Compliance Insights, “The fine for a breach or lapse in compliance with an industry-standard or regulation like (the EU’s) General Data Protection Regulation (GDPR) can equal as much as 4 percent of a company’s revenue; that is potentially enough to put a company out of business.”
And financial costs aren’t limited to fines. Software companies like Apple and Microsoft host consumers’ sensitive emails and photos, and hackers can and have used compromised information to blackmail both individual consumers and the companies to which those consumers entrust their data, as in the case of the 2014 iCloud hack.
That’s not to downplay the danger of compromised email accounts: think about where banks send password recovery links. In fact, the biggest threat in recent history was Yahoo’s 2014 breach, which saw 3 billion user accounts compromised and lowered its sale price to Verizon by about $350M. Though the tech giant was plagued by many industry shifts and management errors, for a company that was once valued at $100B, its final $4.48B sale price is a lesson in the value of cybersecurity. News outlets aren’t safe either: a recent story by The Verge outlined how one hacker intercepted press releases from outlets like Business Wire and sold them for insider trading.
How to Ensure Compliance
The list of possible threats is endless. We live in an increasingly interconnected world; all industries that operate globally and handle consumer financial data should take note of the monetary and legal costs of noncompliance with global cybersecurity standards. The GDPR is already in effect and is only set to affect more companies, so it makes sense to get up to speed with its requirements, especially those echoed by upcoming U.S. regulations. One of the best ways to do that is to figure out what your company needs in order to be compliant. That means designating a Data Protection Officer or an independent risk manager: someone with cybersecurity experience whose sole focus is assessing the company’s cybersecurity resilience and communicating needs directly to the board of directors.
For companies that already have a CCO, getting them up to speed on cybersecurity regulations and standards is imperative. According to Andrew Burt, of Harvard Business Review, “The once clear line between privacy and security teams is beginning to blur — a trend that businesses in general, and security and privacy practitioners in particular, should embrace. From a practical perspective, this means that legal and privacy personnel will become more technical, and technical personnel will become more familiar with legal and compliance mandates. The idea of two distinct teams, operating independent of each other, will become a relic of the past.”
What Does the CCO Need to Know?
Whether you’re hiring a dedicated Data Protection Officer or adding these responsibilities to your CCO, here are some of the requirements of the position as outlined by the GDPR:
1. Must be appointed on the basis of professional qualities and, in particular, expert knowledge on data protection law and practices
2. May be a staff member or an external service provider
3. Contact details must be provided to the relevant DPA (Data Protection Authority)
4. Must be provided with appropriate resources to carry out their tasks and maintain their expert knowledge
5. Must report directly to the highest level of management
6. Must not carry out any other tasks that could result in a conflict of interest
7. Inform and advise firms and employees who carry out data processing on applicable data protection provisions
8. Monitor compliance with the GDPR, other data protection provisions, and additional internal data protection policies; this includes training and auditing
9. Advise on data protection impact assessment (DPIA)
10. Cooperate with the supervisory authority
11. Serve as the main contact for the supervisory authority
Benefits Beyond Compliance
Taking cybersecurity compliance seriously is a competitive advantage in an increasingly threatening landscape. While it makes good business sense to avoid costly breaches, it also makes good sense to build consumer trust and brand resilience. A Cisco study found that companies that went above and beyond mere compliance reaped additional rewards: “Organizations that are ready for GDPR are experiencing shorter delays in their sales cycle related to customers’ data privacy concerns than those that are not ready for GDPR. GDPR-ready organizations have also experienced fewer data breaches, and when breaches have occurred, fewer records were impacted, and system downtime was shorter.”
Consumers are demanding privacy, and they’re demanding that the companies to which they entrust their data behave responsibly. According to the Harvard Business Review, “Privacy will begin to have substantial impacts on businesses’ bottom lines — something we began to see in 2018. Facebook, for example, lost a whopping $119 billion in market capitalization in the wake of the Cambridge Analytica scandal because of concerns over privacy. Polls show that consumers are increasingly concerned about privacy issues.”
Companies must meet the demands of the market, shareholders and the government. It’s a tricky path to navigate, and Chief Compliance Officers must position themselves to show the safest way forward.