Another high-profile corporate hack puts cybersecurity back into the spotlight as thieves made off with 1.5 TB of data from HBO, including scripts of upcoming Game of Throne episodes.
The bad news for financial institutions is that this elevated focus on cybersecurity will make meeting their cyber-security regulatory mandates only more challenging as more jurisdictions ramp up their cyber-security requirements.
The laws are changing all the time as New York, Colorado, and Connecticut enhance their cybersecurity laws, said Chad Pinson, managing director at Stroz Friedberg during a panel discussion hosted by the US Securities and Exchange Commission and FINRA. “It is hard to keep up with what those different states require.”
There is little to no chance that financial firms will find relief from any Federal preemption law that would supersede state data protection and data breach notification laws added fellow panelist Richard Johnson, an attorney at the law practice Jones Day.
“That is something that has been talked about, but that is not even under consideration at the moment,” Johnson said.
As a result, firms that experience a breach that involves consumer information will have to comply with as many state laws as locations where they have customers, he added.
To complicate cyber-security compliance even further, each regulator brings its own focus to cybersecurity that makes it difficult to harmonize with other regulators.
State regulation tends to focus on protecting the consumer and help state attorneys general get re-elected, according to Pinson.
At the Federal level, the US Department of Justice is more interested in who orchestrates the data breaches, added Shamoil Shipchandler, Regional Director, Fort Worth Regional Office, at the SEC and who moderated the panel.
“They are not looking at victims,” he said. “They are looking at them more as witnesses and looking at the companies only to the extent that they can help identifies witnesses and how they were compromised.”
Industry regulators, such as the SEC and FINRA, look to acknowledge a firm's cybersecurity status, but they do not issue overly prescriptive check list that every regulated firm must meet.
“We are not going to come close to doing that,” said Shipchandler. “And the reason is that we do not speak like that because everyone is different in shape of their organizations, their structure, and their assets. The more prescriptive we get, the more likely we are going to force firms to incur costs that are going to be passed down to the very individuals that our mission says we have to protect.”
FINRA shares the same reasoning for not issuing a prescriptive list of cybersecurity mandates, according to David Kelley, surveillance director at FINRA.
“It would be hard to write a rule that that says you have to do these particular items," said Kelley. "It just does not make any sense right now.”
However, Kelley noted that FINRA issues a report on cyber-security practices in February 2015, which should give firms the areas in which FINRA is interested.
The best response would be for firms to triangulate their cyber-security strategies with the various compliance requirements, according to Johnson.
“I think firms want to be in the position, just to minimize their possible legal and regulatory liabilities, to be checking a lot of the boxes that are in common across the board," he said.