Alston & Bird Consumer Finance Blog

Privacy and Cybersecurity

CSBS Releases Cybersecurity Programs to Help Nonbank Financial Services Institutions Improve Cybersecurity Posture

A&B ABstract

On August 9, 2022, the Conference of State Bank Supervisors (CSBS) released two cybersecurity tools for nonbank financial services institutions to help them prepare for state cybersecurity examinations and, ultimately, improve cybersecurity maturity and protect financial institution infrastructure. These tools are designed to address key aspects of the Uniform Rating System for Information Technology; namely, Audit, Management, Development and Acquisition, and Support and Delivery. The CSBS also outlined the key documents that state examiners are likely to request during examinations, to help ensure nonbank financial services institutions are prepared to respond to examination questions.

CSBS Cybersecurity Tools

Developed by a multi-state team of cybersecurity examination experts, the Baseline Nonbank Cybersecurity Exam Program and the Enhanced Nonbank Cybersecurity Exam Program (the “Programs”) are a set of cybersecurity questions used by state examiners to assess the ability of nonbank financial services companies to comply with applicable cybersecurity and data protection requirements. While these Programs are optional resources, the CSBS encourages nonbank financial services institutions to leverage these Programs as prescriptive guidance in implementing and maintaining a compliant cybersecurity program.

The Baseline Nonbank Cybersecurity Exam Program is intended for small nonbank financial services institutions, whereas the Enhanced version is used by state examiners evaluating larger, more complex nonbank financial services institutions (the distinction between which institutions fall under the Baseline vs. the Enhanced Program is not specified). Both Programs cover four overarching areas of the Uniform Rating System for Information Technology (URSIT): (1) Audit, (2) Management, (3) Development and Acquisition, and (4) Support and Delivery. Specifically, the examination covers a wide range of topics, such as executive oversight of the cybersecurity program, details on the institution’s network security, vendor management, cyber insurance, malware protection controls, patch management procedures, asset inventory, business continuity management, and the incident response plan. The examination questions, where relevant, cite the FTC Safeguards Rule, as amended (16 CFR § 314), which became effective January 10, 2022 (with the exception of a limited number of sections that are not enforceable until December 9, 2022).

The CSBS also provides a Document Request List, outlining key artifacts that state examiners may request (and have requested during past examinations) to help support the institutions’ response to the examination questions. Key artifacts include core policies and procedures, written information security programs, risk assessment(s), materials presented to the board/senior management discussing cybersecurity, vulnerability assessments, and patch deployment confirmation.

These Programs, according to CSBS’s Senior Vice President of Nonbank Supervision, Chuck Cross, are intended to streamline supervisory clarity and create a more resilient financial system. These Programs are a part of CSBS’ larger initiative to equip the industry with the necessary tools to protect the critical infrastructure of financial institutions; for example, it previously provided nonbanks with a Ransomware Self-Assessment Tool and a Cybersecurity 101 Guide for executives.

Takeaway

Through the Programs, CSBS has provided nonbank financial services institutions the ability to more adequately prepare for regulatory examinations by outlining core questions and artifacts. However, the cybersecurity regulations applicable to financial institutions continue to evolve, both on the federal and state level, requiring additional resources and expertise. It is also unclear how widely adopted these Programs will be by state regulators, particularly state regulators that have developed their own comprehensive cybersecurity examination questions (such as the New York Department of Financial Services), and there will likely continue to be differences across state regulatory examinations.

We will continue monitoring the guidance issued by CSBS and other financial industry participants and regulators with respect to the evolving cybersecurity compliance landscape.

Department of Justice Announces New Civil Fraud Cybersecurity Enforcement Team

On October 6, 2021, Deputy Attorney General Lisa O. Monaco announced the launch of the Department of Justice’s Civil Cyber-Fraud Initiative. As Kellen Dwyer, Kim Peretti, and Jon Knight report on the Privacy, Cyber & Data Strategy Blog, the Department plans to use civil enforcement tools to “pursue…those who are government contractors who receive federal funds, when they fail to follow required cybersecurity standards.”

Colorado Privacy Act Becomes Third Comprehensive State Privacy Act in the United States

The Colorado Privacy Act (CPA) became law when Governor Jared Polis signed the bill on July 7, 2021. The CPA is the third general state privacy law in the United States, following the Virginia Consumer Data Protection Act (CDPA) and the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA). Although the CPA does not provide an express private right of action, businesses that violate the Act may face liability for deceptive acts (and a civil penalty of $20,000 per violation), enforced by the Colorado attorney general and/or Colorado state district attorneys.

In a Privacy, Cyber & Data Strategy Advisory, our Privacy, Cyber & Data Strategy Team highlights some of the similarities and differences between Colorado’s new consumer privacy law and its older siblings in California and Virginia.

Colorado Becomes the Third State to Adopt a General Privacy Law

On July 7, Colorado became the third state, behind California and Virginia, to adopt a comprehensive privacy law when Governor Jared Polis signed the Colorado Privacy Act into law. The CPA contains many similarities to the Virginia Consumer Data Protection Act (VCDPA) and the California Consumer Privacy Act, as amended by the California Privacy Rights Act (CPRA). But there are several key differences, including the scope of certain consumer privacy rights and the contract terms required in agreements with processors. Like the CPRA but unlike the VCDPA, the statute mandates a formal rulemaking process. Notably, the law does not contain a private right of action, but a violation of the CPA is considered a deceptive trade practice and may result in a fine of $20,000 per violation. The CPA takes effect July 1, 2023.

Please contact our Privacy, Cyber & Data Strategy Team with any questions or for further guidance.

Executive Order Details Cybersecurity Changes For Public And Private Sectors

In a lengthy Executive Order issued on May 12, 2021 (the “Order”), the Biden Administration has taken steps “to make bold changes and significant investments” in both public and private sector cybersecurity “in order to defend the vital institutions that underpin the American way of life.” The full scope of the Order remains to be seen. Much will depend on the recommendations and rules issued by various agencies over the coming months. Nonetheless, the Order itself signals several areas where significant changes can be expected.

In a May 14 blog post, Jon Knight of Alston & Bird’s Privacy, Cyber & Data Strategy team explores the impact of the Order.