Earlier this month, the Federal Deposit Insurance Corporation’s Division of Risk Management Supervision released “A Framework for Cybersecurity” in its Winter 2015 issue of Supervisory Insights. The FDIC article outlines the current and evolving cyber threat landscape and identifies the challenges presented by these threats as “critical” to financial institutions. The article describes regulatory steps the FDIC has taken and also how banks should incorporate cybersecurity into their overall risk management framework. The article is helpful for understanding the FDIC’s cybersecurity focus and the issues upon which it expects banks subject to its supervision to focus.
The Federal Trade Commission yesterday announced settlements with two companies over security breaches caused by peer-to-peer (P2P) file sharing software. The settlements require the companies to establish and maintain comprehensive information security programs and to undergo data security audits by independent auditors every other year for 20 years.
Data stored in the cloud will be subject to numerous data security laws, explains Hogan Lovells partner Phil Porter in a recent article. Specific types of data trigger different security regulations, ranging from HIPAA rules for health data, to Gramm-Leach-Bliley Act rules for financial services data, to COPPA for data about children. Hosting data in the cloud in the U.S. might also subject it to U.S. national security rules, including the USA PATRIOT Act. Cloud service providers and customers need to tailor their contractual provisions to match these regulatory imperatives.
Yesterday the financial regulatory agencies issued a model notification form for Gramm-Leach-Bliley Act consumer notices. Use of the new model form provides a “safe harbor” for covered entities required to provide consumer notices of their data sharing practices. A link to the new form is contained within this blog entry.