Legal Compliance Can Help You Improve Cybersecurity And Customer Confidence

In today’s cybersecurity threat environment, financial institutions—including banks and credit unions—are frequent targets.  Banks, for instance, have been increasingly falling prey to a variety of cyber-attacks, including malware infections, phishing scams, denial-of-service attacks, and cyber-extortion.  Such cyber-attacks not only cause a financial institution to experience monetary losses and expend numerous resources on incident response, but they also unfortunately contribute to an erosion of trust between the institution and its customers. By proactively taking steps to comply with cybersecurity laws and regulations, your financial institution may mitigate the likelihood of a cyber-attack.

Given the proliferation of cyber-crime in virtually every business sector, both state and federal regulators have ramped up their efforts to ensure that financial institutions, in particular, prioritize cybersecurity in their risk management strategies.  For example, the New York State Department of Financial Services (DFS) issued the nation’s first state cybersecurity regulation aimed at protecting financial institutions from cyber-crime.1  The regulation requires financial institutions that are within DFS’ jurisdiction to implement comprehensive information security programs that will help to prevent and defend them against cyber-crime. It is possible that other state regulators will issue similar regulations in the years to come.

Federal regulators are already more rigorously scrutinizing financial institutions’ compliance with the Gramm-Leach-Bliley Act (GLBA),2 which includes requirements that banks and credit unions meet certain standards to protect the “non-public personal information” of consumers of their financial services and products.  While the Federal Deposit Insurance Corporation (FDIC), the Office of the Comptroller of the Currency (OCC), and the Federal Reserve System are generally the primary enforcers of the GLBA against banking institutions, the National Credit Union Administration (NCUA) enforces the GLBA against federally-insured credit unions.  Each enforcement body has promulgated regulations based on the GLBA Financial Privacy and Safeguards Rules.

In part, the GLBA Financial Privacy Rule requires a financial institution to annually disseminate to its customers a notice of its privacy practices that describes how their information will be used, disclosed, and shared with third parties, such as affiliated or nonaffiliated companies. More notably, the GLBA Safeguards Rule consists of specific steps banks and credit unions must take to build a comprehensive, written information security program that outlines administrative, technical, and physical security controls designed to minimize the risks to the data they hold about their customers. As part of its information security program, the Safeguards Rule requires a financial institution to: (1) designate an information security coordinator; (2) require the undertaking of a “risk assessment” to evaluate the risks and vulnerabilities to all customer data; (3) require the development of a “risk management plan” to mitigate identified risks to the data to reasonable levels; (4) require an assessment of its relationships and contracts with third-party service vendors to ensure they are safeguarding the data; and (5) require the periodic evaluation and adjustment of its information security program to account for changes in business operations and the threat environment. Additionally, the federal “Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice” requires banks and credit unions to have procedures for responding to security incidents and breaches and to notify the affected individuals, as well as appropriate regulatory and law enforcement agencies.3

Although achieving GLBA compliance is a seemingly daunting task, it is a necessary step for a financial institution to take to minimize its chances of experiencing a cyber-attack, data breach, or a regulatory action or lawsuit stemming from a breach.  Fortunately, the GLBA Safeguards Rule allows a bank or credit union the flexibility to tailor its information security program to the size and complexity of its operations.  Investing in GLBA compliance will not only serve to keep regulators and lawsuits at bay, but also will improve your customers’ confidence that their information will be secure. 

Nick Merker is a partner and Deepali Doddi is an attorney in Ice Miller’s Data Security and Privacy Practice Group. They may be reached at nick.merker@icemiller.com and deepali.doddi@icemiller.com.

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.
