The Morning Risk Report: New York Cyber Law Encryption Deadline Looming
Staff members sit at their work stations at the National Cybersecurity and Communications Integration Center in Arlington, Va., on Jan. 13, 2015. PHOTO: Saul Loeb/Agence France-Presse/Getty Images
Good morning. Financial institutions are approaching another deadline to meet requirements of New York State's cybersecurity law. The law was passed in March 2017 but has rolling deadlines for when organizations must meet its components, with the next implementation deadline on Sept. 1.
By that date, financial institutions must keep an audit trail of all financial transactions, and they have to retain that information for five years. This ensures they have access to key financial data should they incur a cyberattack, said Nicole Clement, a senior manager in the financial services security practice at professional-services firm Accenture.
All regulated data must be encrypted and safely erased when it is no longer necessary for business operations, and banks must maintain an audit trail of security events for three years, a big increase over the current industry standard of 30 to 60 days, said Ms. Clement.
The benefit of encrypting data is that the data are less useful if they leave the network, which makes it more difficult to commit fraud, said Ms. Clement.
Encrypting data "makes it more difficult to conduct business in the network so when you are building out your encryption plan you have to know what data is essential in each spot so you can make an intelligent encryption plan that doesn't stop the business from functioning efficiently," she said.
New York's Department of Financial Services "has not put a stake in the ground" as to how and when it will penalize noncompliance, unlike the European Union's General Data Protection Regulation, which can levy penalties on an organization of up to 4% of its annual revenue for violations, said Ms. Clement.
That lack of specificity increases the risk to a financial institution because it is "unable to say here is that true financial risk we are taking on, or the true regulatory risk. Time will tell as to what the penalties will be on this," she said.
That means financial institutions need to understand the criticality of each of their systems, the types of data on those systems and the applications in which those data and systems are used, said Ms. Clement.
Doing this will help an institution determine the unique risks of its most critical applications of data and then put in place controls to manage those risks. From there, it can build out the plan to increase its scope over time, she said.
"Institutions need to recognize this is not a one-and-done sort of regulation," said Ms. Clement. "Cyber risks are always changing...if you want to build a strong program, do not be scared of this. The biggest fear isn't the regulators, it's the attackers, and you should always be responding to that risk."
A 50-year-old former headhunter who reinvented himself as an offshore specialist helping manage hundreds of shell companies, Benedict Worsley acquired a ringside seat into how rich Russians quietly shuffle money across the European Union. WSJ reports it is people like Mr. Worsley--lawyers, real-estate agents, corporate-service providers--who help funnel foreign money through London and cater to the world’s superrich.
Wall Street’s top regulator now takes more than two years to hand rewards to tipsters who report wrongdoing, a process that lasts longer than the average time it takes to investigate and close an enforcement case, WSJ reports. The SEC acknowledges the process can be improved, and partly blames requests from unworthy applicants trying to finagle windfalls from the program.
Federal agencies are scrutinizing how Wells Fargo & Co. purchased tax credits meant to fund housing for low-income people, WSJ reports. Wells Fargo also said in a securities filing on Friday it incorrectly denied around 625 customers modifications of their mortgage loans between April 2010 and October 2015. The bank said it has designated $8 million to pay those affected by the error.
U.S. tech companies, battered over their handling of consumers’ personal data, are hoping to get ahead of the public and legal fallout by working with policy makers to help shape potential new federal privacy legislation. WSJ reports the effort by tech coalitions such as the Information Technology Industry Council comes after the industry has fended off many types of federal action on privacy for years.
A computer virus is causing problems for Taiwan Semiconductor Manufacturing Co., which says the issue will delay orders and could impact earnings, Bloomberg reports. The company manufactures chips for Apple Inc.'s iPhones.
India's government and payments companies continue to look for a solution to the country's new requirement that all customer data be stored in India, something Visa Inc., MasterCard Inc. and American Express Co. say will cost them millions of dollars, Reuters reports. One possible fix: letting the companies keep copies of customer data in India.
Top administration officials are devising new penalties to hit back more forcefully at state-sponsored hackers of critical infrastructure to deter attacks such as the successful penetration of U.S. utilities by Russian agents last year. WSJ reports the push for explicit action is coming from top federal agencies to fight worsening threats to the country’s electricity system and other critical industries, particularly those sponsored by Russia, China, Iran and North Korea.
More companies are scouring job candidates’ online personas for racist and other red-flag comments, but that hasn’t kept social-media trails from morphing into hiring minefields, WSJ reports. Social-media screening remains one of the murkiest aspects of the hiring process, according to experts in employment law and human resources, as both too little and too much scouring present legal and reputational pitfalls.
Products containing Nazi and white supremacist messages were removed by Amazon.com Inc. after the company received complaints, AP reports.
A Washington museum dedicated to promoting and protecting a free press stopped selling "Fake News" T-shirts after criticism from journalists who are dealing with fallout caused by President Trump calling them the enemy of the people. Washington Post reports the Newseum, after initially defending the sale of the shirts, said it made a mistake and apologized.
A whistleblower's tip that resulted in federal charges against a Virginia seafood company and its owners is shining a light on how some sellers of Chesapeake Bay blue crab mix in crab from other countries and fraudulently label it as the real, local product, Washington Post reports. Premium prices for Chesapeake blue crab drive some companies to substitute with cheaper product from elsewhere, investigators say.
Live blue crabs are displayed for sale at the Maine Avenue Fish Market in Washington, D.C., on June 1, 2016. PHOTO: Associated Press/J. Scott Applewhite
Iranians are hoarding gold as a safeguard against a collapsing local currency and soaring cost of living as the U.S. is poised to impose economic sanctions on Iran, pushing the metal’s price to record highs in Tehran, WSJ reports.
A strong earthquake rocked an Indonesian island popular with tourists, killing more than 90 people one week after a different quake killed a dozen people there, AP reports. A propeller plane carrying tourists crashed in the Swiss Alps, killing 20 people, while authorities look for a sightseeing plane that crashed in Alaska with five people aboard.
Six of the 20 most-destructive fires ever in California occurred in the past year, Washington Post reports, and this has state officials considering changes to who should be held liable for these fires. Utility companies are looking to change rules that require them to pay for damage when their equipment is involved, even if it isn't the cause of the fire. But any changes could come at the expense of insurance firms.
Public-sector unions are facing steep falls in revenue and are trying to prevent the loss of members in the wake of a recent Supreme Court ruling, WSJ reports. In New York, Pennsylvania and Illinois, state governments have stopped collecting millions of dollars in agency fees following a high court ruling banning the practice.
A Massachusetts dairy company issued a recall of Almond Breeze almond milk after it became mixed with regular cow's milk, affecting sales in 28 states, Washington Post reports.
Cars and steel may be grabbing all the headlines as trade tensions mount, but countries that really want to needle the U.S. are springing retaliatory tariffs on cranberries. The European Union, Canada, China and Mexico have launched retaliatory tariffs on the bitter berry that are threatening to reduce demand, hurting farmers and leading companies abroad to substitute other juices and berries.
A man harvests cranberries in a bog at Gilmore Cranberry Co. in Carver, Mass., on Sept. 14, 2015. PHOTO: REUTERS/Brian Snyder
The U.S.-China trade fight has put South Korean electronics giant Samsung Electronics Co. in an uncomfortable spot, as the two countries are among Samsung’s biggest markets, together accounting for about 40% of its 2017 revenue. WSJ reports Samsung’s challenge is to manage its ties to the U.S. and China without getting caught in the trade crossfire, even as American tariffs threaten its sales of home appliances and device components.
Honda Motor Co. once used staff technicians to design new technologies ranging from engines to the shape of the suspension arms. Today, Honda believes rapid shifts in technology mean it can no longer afford to keep pace working solely on its own. WSJ reports that is raising hackles among some within the company.
China is seeking to transform itself from a maker of cheap, copycat medicines into a producer of complex drugs—aided by looser regulations and government policies to fast-track innovation, WSJ reports.
PepsiCo Inc.’s longtime leader Indra Nooyi will step aside as chief executive, handing the future of the company to one of her lieutenants at a time when the soda and snacks markets are being roiled by shifting consumer tastes, WSJ reports. She will leave the CEO role on Oct. 3 and the role of chairman early in 2019. Ramon Laguarta, a 22-year PepsiCo veteran, will take over as CEO.
Follow the WSJ Risk & Compliance Team on Twitter: @WSJRisk, @srubenfeld, @BenDiPietro1 and @LikelyMara.
Send complaints, comments and kudos to Ben DiPietro at ben.dipietro@wsj.com.