The Bonds that Bind: Cybersecurity Comes Together in Legal and Finance
Since the dawn of the new millennium, technology has been expanding the reach and ability of criminals at breakneck speeds. Regulators have constantly found themselves running behind a new era of cyberthreats and dangers, struggling to respond to accidents while fortifying the road ahead.
But with limited resources and time, their effort is one of triage. Secure the vital pillars of society first, and the rest will follow. This plan especially rings true when securing arguably the most important pillar: the one buttressing the economy. Jeremy Estabrooks, senior legal editor of Thomson Reuters Practical Law, notes that the financial industry is considered a critical infrastructure industry by the federal government. “There is definitely more emphasis on making sure they have robust cybersecurity in place,” he says.
For financial institutions, the presence of governing regulations, of which cybersecurity is now part, has always been an intrinsic part of the industry. “Because banks are a creation of a regulatory culture, they really live and breathe policies and procedures, and I think the management and directors are well aware of their responsibility and the need to meet regulatory expectations,” Estabrooks says.
But building out in-house cybersecurity is a lot like putting up a firewall to protect a network. The protection it affords only works if the network is kept centralized and does not extend to unsecured and easily targeted endpoints. Yet, for modern-day financial institutions, an expanding network—from both an IT and a business perspective—is a necessity. And no outside vendor is as consequential to a financial institution’s security as its outside counsel.
But with law firms by their side and immersed in their data, how do financial institutions protect their flanks? And how can law firms meet security responsibilities to shield their financial clients from exposure and risk?
Joseph Abrenio, vice president of commercial services at Delta Risk and president of the Midwest Cybersecurity Alliance, has found that law firms “keep the secrets, good and bad, of all of their clients.” He adds, “Even if a financial institution is safe behind their own walls, they will still have weak spots with the third parties they share information with. As the saying goes, you’re only as strong as your weakest link.”
The Laws of the Land
Data security in the financial and legal industries is a tale of two sectors. While the financial industry is heavily regulated and constantly watched by federal agencies, law has at times operated in an almost laissez-faire environment, more ruled by a culture of confidentiality and secrecy than hard regulatory rules.
For financial institutions, there is never a lack of oversight, says David Ray, director of information governance at Consilio. But what’s interesting about financial services is the diverse nature of the agencies to which companies are beholden: “Some of it comes from the Federal Trade Commission (FTC), some of it is the Consumer Financial Protection Bureau (CFPB), some of it is the Federal Deposit Insurance Corporation (FDIC)—acronyms abound as far as who is responsible. Financial institutions tend to be a bit of a Swiss cheese as far as enforcement goes.”
Such regulatory power can be traced back to 1950, with the passage of the Federal Deposit Insurance Act. Abrenio notes that the safety and soundness provision of 12 U.S.C. Section 1831p-1 of the act applies to the cybersecurity practices of federally insured financial institutions. He adds that the section requires several of the federal banking regulators to develop regulations and guidelines to ensure the security of covered financial institutions.
The act, however, left it open for regulators to interpret what security means. “The benchmark of keeping financial firms ‘safe and sound’ is intentionally vague. As such, there is no uniformity in the industry as to what qualifies as ‘safe and sound,’” Abrenio explains.
Over 40 years later, regulators were given more power over financial institutions under the Gramm–Leach–Bliley Act of 1999 (GLBA). But while the act created the modern foundation for industry-wide cybersecurity enforcement, it was primarily focused on the protection of consumers. The law, explains Thomson Reuters’ Estabrooks, “imposes the responsibility to protect customers’ privacy and confidentiality—their personal information—so that results in requirements for having an information security program in place to protect data.”
And like the Federal Deposit Insurance Act, the GLBA was also kept intentionally vague. The GLBA only “imposes the general requirements of maintaining or having information security in place,” so regulators have consistently used “guidance in the form of booklets and papers on information security” to implement broader standards, Estabrooks says.
Though there are exceptions, such as the Federal Deposit Insurance Act of 2003 that regulated consumer data disposal to combat identity theft, financial cybersecurity has mainly progressed through a hodgepodge of agency guidance. “There’s no certain specific comprehensive regulatory regime that spells out what the cybersecurity requirements are for financial institutions. It’s an evolving process; in this case, they have elected to rely on booklets and other guidance,” Estabrooks says.
Legal’s Liberal Laws
While financial institutions must heed an ever-advancing set of regulations, the situation is far different in the legal world. Through his work with the Midwest Cybersecurity Alliance, Abrenio has found that law firms “are much less regulated, especially given the quality and quantity of confidential information they hold. They are generally obligated to maintain their clients’ information under the umbrella of a reasonable standard of care.”