During client planning calls, we are frequently asked about regulatory changes for IT that we see on the horizon. We generally learn about these changes in three ways: through regulatory updates, through observed trends in findings on regulatory reports, and through information shared at conferences.
We continue to see an emphasis on cybersecurity and, in particular, on ransomware threats. Having an offline or immutable set of backups of critical data is now considered a control requirement that regulators expect to see. For those using a maturity-based cybersecurity assessment tool, the regulators in the past year have begun expecting maturity goals to be set above baseline for high-risk systems. The FFIEC updated their Cybersecurity Resource Guide for Financial Institutions in November 2022 for the express purpose of enhancing controls over ransomware attacks. So, expect cybersecurity to continue to be a regulatory hot topic in 2023.
The Federal Trade Commission (FTC) Safeguards Rule will receive some regulatory attention as the extended compliance deadline of June 2023 is fast approaching. The Safeguards Rule does not apply to banks; it requires non-banking financial institutions, such as mortgage brokers, motor vehicle dealers, and payday lenders, to develop, implement, and maintain a comprehensive security program to keep their customers’ information safe. However, it is common for requirements adopted by one agency to become requirements for other agencies, so we expect these requirements will eventually be adopted by the bank regulators. The provisions of the updated rule specifically affected by the six-month extension require covered financial institutions to include the following controls in their information security program:
- designate a qualified individual to oversee their information security program,
- develop a written risk assessment,
- limit and monitor who can access sensitive customer information,
- encrypt all sensitive information,
- train security personnel,
- develop an incident response plan,
- periodically assess the security practices of service providers, and
- implement multi-factor authentication or another method with equivalent protection for any individual accessing customer information.
Most of the above standards have been in place for many years, but there are noteworthy changes in the standards, including encryption of all customer private data at rest and having multi-factor authentication (MFA) in place for any system that houses customer private information.
The standard for encrypting customer data that leaves the organization has been enforced for several years. The updated requirement is extended to customer information at rest on the network. Although there does not appear to be a clearly defined minimum standard for encryption strength, the industry appears to be moving toward AES 256-bit. It is unclear if/when the regulators will begin looking for stronger encryption standards, but it is conceivable it could be in the coming year.
The use of MFA has been the standard for any remote access solution and for authentication of privileged users, but MFA is becoming the recommended authentication for any system that houses customer information. Tightly regulated systems, such as the FedLine Advantage wire transfer solution, have required MFA for many years. The new guidance for network authentication has shifted to MFA, and the regulators will be looking for network-wide MFA in the foreseeable future.