standards, namely WISPs, risk assessments and incident response plans.


The rule requires implementing a WISP, just as the FTC required of Equifax in 2019. This time, the rule refers to the implementation of certain technical requirements.

1. encryption to protect customer information in transit and at rest
2. continuous monitoring or periodic penetration testing and vulnerability assessments
3. multifactor authentication for anyone accessing an information system
4. retention of service providers that are capable of maintaining appropriate safeguards for customer information


Perform an RA

The rule requires WISPs be based on RAs and sets forth three general areas the RA must address.

1. criteria for evaluating risks faced by the financial institution
2. criteria for assessing the security of its information systems
3. how the identified risks will be addressed


Other than these requirements, financial institutions are free to perform RAs in whatever way they choose, as long as the method identifies reasonably foreseeable risks. Importantly, the rule does not contemplate financial institutions scrapping their WISPs and starting over via a new RA but rather comparing their existing WISPs and addressing any gaps.


Update the IRP

The rule requires that IRPs be thorough. Specifically, they must be designed to promptly respond to and recover from any security event materially affecting the confidentiality, integrity or availability of customer information in their control.


The rule also requires IRPs to address the following.

1. the goals of the IRP
2. the internal processes for responding to a security event
3. the definition of clear roles, responsibilities and levels of decision-making authority
4. external and internal communications and information sharing
5. identification of requirements for the remediation of any identified weaknesses in information systems and associated controls
6. documentation and reporting regarding security events and related incident response activities
7. the evaluation and revision as necessary of the IRP following a security incident


Employee Training and Reporting to Boards

The rule also expands on two other fundamental aspects of a WISP, employee training and reporting to boards.


The rule requires financial institutions to provide their personnel with “security awareness training that is updated to reflect the risks identified by the risk assessment.”


The rule requires that financial institutions have a qualified person report in writing, regularly and at least annually, to a board of directors or governing body about a WISP. Specifically, the report shall include the following.

1. the overall status of the WISP and compliance with the rule
2. material matters related to the WISP, such as RAs, risk management and controls decisions, and recommendations for changes in the WISP


Importantly, the rule exempts small businesses — those that collect information on fewer than 5,000 consumers — from the above requirements. Nevertheless, the rule will require numerous financial institutions to assess their WISPs, RAs and IRPs to ensure they comply.


As the FTC examines how to update its approach “to tackle the slew of data privacy and security challenges we presently face,” financial institutions should assess their cybersecurity posture in light of the rule. For most of the discussed requirements, financial institutions will have one year to develop and implement practices, policies and procedures that comply with the new rule.


 (CIPP/US) focus on privacy and data security. They counsel Armstrong Teasdale clients on data-related incidents and digital transformation and in resulting litigation and regulatory investigations. Visit atllp.com to learn more. Armstrong Teasdale is an MBA associate member.


THE MISSOURI BANKER 21

