United States: Data Security In The Financial Industry: Five Key Developments To Keep An Eye On In 2016

Last Updated: February 1 2016
Article by Jenna N. Felz

According to a 2015 report on threats to the financial services sector, 41% of financial services organizations polled had experienced a data breach or failed a compliance audit in the previous year, and 57% listed preventing a data breach as their top IT priority.  Reflecting the ever-increasing awareness of threats to financial data security, 2015 also saw a number of regulatory enforcement actions and legislative efforts directed at financial institutions.  Below we outline some of the most significant developments of the past year.

1. SEC Enforcement Action

In September 2015, the SEC reached a settlement with a St. Louis-based investment adviser on charges that it failed to establish required cybersecurity policies and procedures in advance of a breach affecting the personally identifiable information ("PII") of 100,000 individuals.

The SEC has the power to bring enforcement actions against registered financial entities that fail to meet certain cybersecurity standards. Specifically, the SEC may bring enforcement actions for violations of SEC Regulation S-P (17 CFR § 248.30(a)) (commonly referred to as the "Safeguards Rule"). Under the Safeguards Rule, all registered entities must have written policies and procedures designed to:

  • Insure the security and confidentiality of customer records and information;
  • Protect against any anticipated threats to the security of customer information; and
  • Protect against unauthorized access to or use of customer information that could result in substantial harm or inconvenience to any customer.

In this case, the investment adviser stored its clients' sensitive PII on a third party-hosted web server that was attacked by hackers. The SEC found that the investment adviser violated the Safeguards Rule by failing to:

  • adopt written policies and procedures reasonably designed to safeguard customer information;
  • conduct periodic risk assessments;
  • implement a firewall;
  • encrypt PII stored on its server; and
  • maintain a response plan for cybersecurity incidents.

Notably, there was no evidence of any harm to clients as a result of the hack. Despite the lack of harm, the SEC announced its intention to enforce the Safeguards Rule "even when there is no apparent financial harm to clients." It also cautioned financial firms to adopt written policies to protect customers' private information and to "anticipate potential cybersecurity events and have clear procedures in place rather than waiting to react once a breach occurs."

2. New York Department of Financial Services Cybersecurity Regulatory Framework Proposal

In November 2015, the New York Department of Financial Services (NYDFS) issued a letter setting forth an extensive cybersecurity regulatory framework proposal. Following its surveys of the cybersecurity programs of over 150 financial institutions in 2013 and 2014, the NYDFS announced that it is now considering new cybersecurity regulations for the industry. Under the potential new regulations, "covered entities"–financial institutions regulated by NYDFS–would be required to implement and maintain written cybersecurity policies and procedures that address:

  • information security;
  • data governance and classification;
  • access controls and identity management;
  • business continuity and disaster recovery planning and resources;
  • capacity and performance planning;
  • systems operations and availability concerns;
  • systems and network security;
  • systems and application development and quality assurance;
  • physical security and environmental controls;
  • customer data privacy;
  • vendor and third-party service provider management; and
  • incident response, including the delineation of clearly defined roles and decision making authority.

Additionally, covered financial entities would be required to implement policies and procedures to ensure the security of sensitive data held by third party service providers. At a minimum, contracts with third parties with access to sensitive customer information would need to include:

  • the use of multi-factor authentication to limit access to sensitive data and systems;
  • the use of encryption to protect sensitive data in transit and at rest;
  • notice to be provided in the event of a cybersecurity incident;
  • the indemnification of the entity in the event of a cybersecurity incident that results in loss;
  • the ability of the entity or its agents to perform cybersecurity audits of the third party vendor; and
  • representations and warranties by the third party vendor concerning information security.

Covered entities would also need to:

  • use multi-factor authentication for databases containing sensitive customer information, as well as for access to internal systems and data from an external network;
  • appoint a Chief Information Security Officer (CISO) to oversee and implement cybersecurity programs;
  • employ data privacy and security personnel;
  • conduct annual penetration testing and quarterly vulnerability assessments; and
  • immediately notify the NYDFS of any cybersecurity incident with a reasonable likelihood of materially affecting the normal operations of the entity (e.g. health, credit card information, or biometric data).

NYDFS seeks input from a variety of stakeholders, including other regulatory agencies, prior to proposing final regulations for the financial industry. It is likely that NYDFS will promulgate rules in 2016. Accordingly, covered entities should continue to assess the state of their data privacy and security infrastructures to prepare for the heightened cybersecurity standards required by NYDFS and other state regulators.

3. FINRA Report on Cybersecurity Practices

In February 2015, the Financial Industry Regulatory Authority (FINRA) issued its Report on Cybersecurity Practices.  The Report, which applies to financial advisers and broker dealers, focuses on eight key areas. According to the Report, organizations should:

  1. Create frameworks that involve senior management, incorporate the organization's risk tolerance, and allow for risk assessments that help improve the framework over time.
  2. Identify the sources of potential cybersecurity threats and prioritize the areas in most need of improvement given the organization's risk tolerance.
  3. Take specific actions to protect software and hardware that contain data, especially data subject to cybersecurity threats.
  4. Implement procedures for responding to cybersecurity incidents and define roles for individuals in charge of incident response.
  5. Take a risk-based approach to selecting, engaging, and monitoring third party service providers.
  6. Provide employees and other authorized users of the organization's systems with training appropriate to their specific responsibilities and the types of data they may access.
  7. Create and deploy an effective cyber intelligence program using all resources available to the organization.
  8. Periodically review the adequacy of an organization's cybersecurity coverage to determine if the policy aligns with threats identified by the organization's risk assessment(s) and ability to bear losses. Organizations that do not have cyber insurance should evaluate the cyber insurance market to determine if coverage is available that would enhance the organization's ability to manage the financial impact of a cybersecurity event.

FINRA has urged financial advisers and broker dealers to consider these principles as they develop or enhance their cybersecurity programs.  While the guidance does not create any new legal or regulatory requirements, FINRA will assess the adequacy of firms' cybersecurity programs in light of the risks they face.

4. New European Union Data Privacy and Security Regulations

2015 was a landmark year for data protection and privacy in Europe, with the approval of two new major regulations.

The first is the General Data Protection Regulation (GDPR), which is expected to replace the existing Data Protection Directive 95/46/EC.  After years of development and negotiation, the European Council and Parliament reached an agreement on the text of the GDPR in December 2015.  It is expected to be formally adopted this spring and come into effect two years after its adoption.  The GDPR will impose new obligations on companies in the areas of data subject consent, data anonymization, breach notification, trans-border data transfers, and appointment of data protection officers, to name a few.

Financial institutions should be aware of certain key provisions of the recently approved draft:

  • The law applies to any controller or processor of EU citizen data, regardless of where the controller or processor is located. (Under the 1995 Directive, only controllers were directly liable.)
  • EU Data Protection Authorities have been given new powers, including the ability to fine organizations up to 4% of their global turnover for violations of the new GDPR provisions.
  • In the event of a data breach creating risk to the "rights and freedoms" of EU citizens, notification must be made to the relevant data protection authorities within 72 hours of discovery of the breach.
  • Personal data of EU data subjects should only be collected for "specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes."
  • Processing of EU citizens' data will only be lawful if the processing is done in accordance with one of the following 6 grounds: (1) with explicit consent of the data subject, (2) to perform a contract, (3) to comply with a legal obligation, (4) to protect the vital interests of the data subject, (5) to perform a task in the public interest, or (6) where "necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, which require protection of personal data, in particular where the data subject is a child."
  • A data subject's consent will be invalid if the controller requires consent for the provision of a service where the processing of personal data is not necessary to the actual performance of the service or contract.
  • Data controllers must provide any information they hold about an EU citizen free of charge and within one month of request.
  • EU citizens have a "right to erasure," which requires data controllers to delete personal data if: (1) the data are no longer necessary in relation to the purposes for which they were collected or processed; (2) the data subject withdraws consent on which the processing was based and there is no other legal ground for processing the data; or (3) the data were unlawfully processed, among other grounds.

The 200 page text of the GDPR includes many other provisions, and financial institutions should closely monitor it as it moves towards formal adoption this spring.

NIS Directive

European authorities also agreed on the text of another major data security initiative, the Network Information Security (NIS) Directive.  After more than two years of negotiation, the European Council reached an informal agreement with the Parliament, and the text was approved by European Member States in December 2015.  The text must now be formally approved by the European Council and Parliament, which is expected this spring.  The Member States will then have 21 months to implement the NIS Directive.

The NIS Directive applies to operators of "essential services" in "critical sectors," which the NIS Directive defines as services that are (a) "essential for the maintenance of critical societal and/or economic activities," (b) dependent on network and information systems, and (c) such that an incident would have "significant disruptive effects" on the provision of the service.  Banks and financial market infrastructures fall under the purview of the NIS Directive.

The NIS Directive would require banks and financial market infrastructures–as operators of essential services in critical sectors–to implement "state of the art" network and information security systems appropriate to each organization's risks.  It also would require these entities to report to the appropriate data protection authority "without undue delay" any security incident to its systems that would create a "significant impact" on the continuity of its services.  The significance of an incident would be determined by "(a) the number of users affected by the disruption of the essential service; (b) the duration of the incident; [and] (c) the geographical spread with regard to the area affected by the incident."  Member States are expected to provide more detail regarding definitions of these key terms when they pass country-specific legislation in accordance with the NIS Directive.

5. EMV Credit Card Payment Standard

EMV refers to a smart-chip technology for payment cards that creates a dynamic authentication code for each transaction.  Its main benefit is the prevention of counterfeit card-present fraud (from a card-swipe in a store).  If someone steals the data contained in the magnetic stripe of a payment card, that person can embed the stolen data in a different magnetic stripe, and create a counterfeit card to fraudulently use in an in-store purchase.  The embedded EMV chip, however, creates a dynamic authorization code for each transaction that cannot be replicated, and therefore helps prevent fraudulent in-store purchases.  The new EMV card system does not apply to e-commerce transactions, as the chip may only be read by a physical terminal.
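The difference between static stripe data and a per-transaction authorization code can be seen in a small model of the issuer's authorization check. The following is an added illustration, not code from the article or from any card network's specification: the cryptogram is a toy HMAC over a transaction counter, a terminal nonce and the amount (the real EMV ARQC derivation uses session keys and more fields), and the PAN, track data and card key are constructed sample values. The model shows the issuer accepting a copied stripe record, accepting a genuine chip transaction, rejecting a replayed cryptogram because the counter does not advance, and rejecting a chip that lacks the card key.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample values for the illustration; not real card data.
SAMPLE_PAN = "4000000000000002"
SAMPLE_TRACK = "4000000000000002=2512101"                 # static stripe contents
SAMPLE_CARD_KEY = hashlib.sha256(b"demo-card-key").digest()  # constructed per-card key


def chip_cryptogram(card_key: bytes, atc: int, unpredictable: bytes, amount_cents: int) -> bytes:
    """Per-transaction authorization code computed inside the chip.
    Toy version: HMAC over the application transaction counter (ATC),
    the terminal's unpredictable number and the amount.  Real EMV (ARQC)
    derives session keys and covers more fields; the property shown,
    that each code is bound to one transaction, is the same."""
    msg = atc.to_bytes(2, "big") + unpredictable + amount_cents.to_bytes(6, "big")
    return hmac.new(card_key, msg, hashlib.sha256).digest()[:8]


@dataclass
class Issuer:
    """Issuer host: knows each card's key, its stripe record and the last ATC seen."""
    card_keys: dict = field(default_factory=dict)
    stripes: dict = field(default_factory=dict)
    last_atc: dict = field(default_factory=dict)

    def authorize_stripe(self, pan: str, track: str) -> bool:
        # Static data: whatever matches the record on file is accepted, so a
        # copy of the stripe is indistinguishable from the original card.
        return self.stripes.get(pan) == track

    def authorize_chip(self, pan: str, atc: int, unpredictable: bytes,
                       amount_cents: int, cryptogram: bytes) -> bool:
        key = self.card_keys.get(pan)
        if key is None:
            return False
        expected = chip_cryptogram(key, atc, unpredictable, amount_cents)
        if not hmac.compare_digest(expected, cryptogram):
            return False          # wrong key: the chip is not the issued one
        if atc <= self.last_atc.get(pan, 0):
            return False          # counter not advancing: a replayed cryptogram
        self.last_atc[pan] = atc
        return True


@dataclass
class ChipCard:
    """The card side: holds the key and increments its counter per transaction."""
    pan: str
    key: bytes
    atc: int = 0

    def sign(self, unpredictable: bytes, amount_cents: int):
        self.atc += 1
        return self.atc, chip_cryptogram(self.key, self.atc, unpredictable, amount_cents)


def demo() -> dict:
    """Runs the four scenarios and returns the issuer's decision for each."""
    issuer = Issuer({SAMPLE_PAN: SAMPLE_CARD_KEY}, {SAMPLE_PAN: SAMPLE_TRACK}, {})
    card = ChipCard(SAMPLE_PAN, SAMPLE_CARD_KEY)

    # 1. Stripe path: a copied track record authorizes exactly like the original.
    stripe_clone_ok = issuer.authorize_stripe(SAMPLE_PAN, SAMPLE_TRACK)

    # 2. Chip path: a genuine transaction with a fresh terminal nonce is approved.
    un = secrets.token_bytes(4)                 # terminal's unpredictable number
    atc, crypt = card.sign(un, 1999)
    genuine_ok = issuer.authorize_chip(SAMPLE_PAN, atc, un, 1999, crypt)

    # 3. Resubmitting the same captured cryptogram is rejected (ATC already used).
    replay_ok = issuer.authorize_chip(SAMPLE_PAN, atc, un, 1999, crypt)

    # 4. A chip that does not hold the card key cannot produce a valid code.
    fake = ChipCard(SAMPLE_PAN, hashlib.sha256(b"wrong-key").digest())
    un2 = secrets.token_bytes(4)
    atc2, crypt2 = fake.sign(un2, 1999)
    counterfeit_ok = issuer.authorize_chip(SAMPLE_PAN, atc2, un2, 1999, crypt2)

    return {"stripe_clone": stripe_clone_ok, "genuine_chip": genuine_ok,
            "chip_replay": replay_ok, "counterfeit_chip": counterfeit_ok}


if __name__ == "__main__":
    for scenario, approved in demo().items():
        print(f"{scenario}: {'approved' if approved else 'declined'}")
```

Two checks carry the chip path: the keyed cryptogram, which a card without the key cannot produce, and the monotonically increasing counter, which turns a captured code into a one-time value. Neither check exists on the stripe path, which is why the article's liability shift targets card-present counterfeit fraud specifically and why the chip offers no protection for e-commerce, where no terminal reads it.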

Being ready to accept EMV transactions involves purchasing EMV-enabled terminals and obtaining certifications of the devices and payment applications through the merchant's acquiring bank for each card network.  While EMV card acceptance is not required, as of October 1, 2015, any merchant that cannot accept EMV cards faces the liability for chargebacks for card-present counterfeit fraud losses.  Additionally, merchants that are EMV-compliant will enjoy a safe harbor from post-breach liability if the merchant meets certain criteria under certain card network programs.

What does this mean for credit card issuers?  Prior to October 1, 2015, issuers were primarily responsible for card-present counterfeit fraud losses.  Now, merchants that are not EMV-compliant will be responsible for all card-present counterfeit fraud losses.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
