Throughout 2024, financial sector regulators sharpened their focus on data protection and cybersecurity issues impacting financial institutions and the public. Key federal agencies like the Securities and Exchange Commission (“SEC”), the Federal Trade Commission (“FTC”), and the Consumer Financial Protection Bureau (“CFPB”) have been joined by state regulators, such as the New York Department of Financial Services (“NYDFS”), in proposing and finalizing significant rulemaking, pursuing novel enforcement actions, and issuing influential guidance. 2025 promises to be a continuation of this considerable trend.
SEC
The SEC is approaching data protection and cybersecurity in an increasingly assertive manner. The SEC has been particularly aggressive in issuing guidance, conducting examinations, and proposing rules regarding cyber risks facing entities that it directly regulates, such as registered investment advisers, registered investment companies, and broker-dealers. 2024 brought adoption of highly anticipated amendments to Regulation S-P as well as the SEC’s first enforcement actions under the cybersecurity disclosure rules.
On May 16, 2024, the SEC officially adopted amendments to Regulation S-P that require broker-dealers, registered investment companies, and registered investment advisers to adopt written policies and procedures creating an incident response program to address unauthorized access to customer information, including procedures for notifying persons affected by the incident within 30 days. Response programs must also include written policies and procedures that address the risk of harm posed by security compromises at a covered institution’s service providers, including assurances that service providers notify the covered institution no later than 72 hours after becoming aware of a security breach. Though these and other changes to Regulation S-P take effect beginning in December 2025, preparations are well underway by many covered institutions in recognition of the significant operational and procedural changes necessitated by the updated rules.
Another set of SEC rules featured prominently in 2024. In July 2023, the SEC adopted rules requiring public companies to disclose material cybersecurity incidents as well as information regarding their cybersecurity risk management, strategy, and governance (the “Cybersecurity Disclosure Rules”). Among other requirements, the Cybersecurity Disclosure Rules mandate disclosure of “material cybersecurity incidents” within four business days from the date on which a cybersecurity incident is determined to be “material.” Notably, on October 22, 2024, the SEC filed settled enforcement orders involving four current and former public companies – Unisys Corp., Avaya Holdings Corp., Check Point Software Ltd, and Mimecast Limited. The settlements centered on the issuers’ allegedly negligent material misstatements regarding the impact of the SolarWinds breach. For example, the SEC took issue with statements in annual reports that discussed the risks from cybersecurity events as hypothetical despite knowledge of the compromise, and took note of deficient controls for escalating potentially material cyber incidents to senior management. Ultimately concluding that the issuers “negligently minimized” the impacts of the breach, the SEC imposed civil monetary penalties ranging from $990,000 to $4 million. These cases illustrate the SEC’s continued focus on the disclosure of cyber incidents and signal a stringent, hindsight parsing of issuers’ cyber-related disclosures.
In addition to continued enforcement activity in 2025, a number of other proposed rules remain in the mix and could be finalized next year, including the expansion of Regulation Systems Compliance and Integrity (“Regulation SCI”) and cybersecurity risk management requirements for various entities, including broker-dealers and transfer agents. Either way, the SEC remains one to watch in 2025.
FTC
The FTC’s Safeguards Rule applies to a broad range of “financial institutions” not subject to oversight by another functional regulator such as the SEC. Pursuant to amendments to the FTC’s Safeguards Rule, effective May 2024, covered non-banking institutions must report information about a notifiable security event affecting the unencrypted data of 500 or more customers within 30 days of discovery of the event. The report to the FTC must include a general description of the “notification event,” the type of information compromised, and the date or date range of the event. A “notification event” under the rule includes any instance where unencrypted information is accessed by a third party without a customer’s authorization. Additionally, under the Safeguards Rule, “customer information” is defined broadly to mean any record containing nonpublic personal information about a customer—a larger set of information than what is captured under state breach notification laws. The Safeguards Rule’s new notification requirement underscores the FTC’s ongoing engagement in cybersecurity enforcement and could lead to increased exposure for many firms.
While the FTC’s Safeguards Rule does not apply to institutions that are within the jurisdiction of other financial regulators, such as the SEC, the FTC’s views are likely to be influential in assessing whether the security programs adopted by organizations subject to SEC regulation, such as registered investment advisers and broker-dealers, are “appropriate” or “reasonable.”
CFPB
The Dodd-Frank Wall Street Reform and Consumer Financial Protection Act established the Consumer Financial Protection Bureau (“CFPB”) and grants it exclusive enforcement authority over federal consumer laws against nondepository covered entities, as well as exclusive supervisory authority and primary enforcement authority over insured depository institutions or insured thrifts with assets totaling over $10 billion. In October 2024, the CFPB finalized a long-awaited proposed rule on personal financial data rights that requires firms to provide consumers and authorized third parties with access and portability options for their financial data. The rule is intended to make it easier for customers with accounts at certain financial institutions to move to a competitor firm without incurring any costs, and reflects the CFPB’s goal of increasing competition and facilitating a shift to open banking. The rule also targets what the CFPB refers to as “bait-and-switch data harvesting” by requiring that personal financial data be used only for the purposes the consumer requests and prohibiting use of such data for unrelated business purposes. However, the rules are subject to legal challenge, including a lawsuit filed by the Bank Policy Institute representing U.S. banks.
CISA
Enacted in 2022, the Cyber Incident Reporting for Critical Infrastructure Act (“CIRCIA”) introduced the first cross-sectoral federal cybersecurity incident and ransomware payment reporting system. As required by the statute, on April 4, 2024, the Cybersecurity and Infrastructure Security Agency (“CISA”) within the Department of Homeland Security issued its Notice of Proposed Rulemaking (“NPRM”), which requires “covered entities”—organizations in certain critical infrastructure sectors—to report substantial cybersecurity incidents to the Department of Homeland Security within 72 hours after the organization reasonably believes the cyber incident has occurred. Covered entities will also be required to report ransom payments within 24 hours of making a payment in response to a ransomware attack. For companies that are covered entities, the CIRCIA 72-hour proposal would be a significant change from the 30-60 days in most state data breach notification reporting requirements.
The NPRM does not define “critical infrastructure,” but pursuant to Presidential Policy Directive 21, the financial services sector is among the 16 sectors designated as such. The NPRM also proposes to include entities that meet a set of specific sector-based criteria, regardless of size and unrelated to an entity’s assessment of the critical infrastructure sector, including “any entity that owns or operates financial services sector infrastructure.” According to the NPRM, this section intends to capture financial services sector entities that are required to report cybersecurity incidents to their respective primary federal regulator, entities for whom the primary federal regulator has indicated an intention to require cybersecurity incident reporting, and entities encouraged or expected to report cybersecurity incidents to their primary federal regulator pursuant to an Advisory Bulletin.
Companies, even those not historically considered critical infrastructure, should analyze the proposed rule to determine if they would be swept into the proposed reporting requirements. Given the current lack of definitional clarity relating to critical infrastructure sectors, companies connected even indirectly with one or more of those sectors may nevertheless be covered by the rule. Indeed, CISA explicitly notes in the preamble that “at least some entities that do not own or operate systems or assets that meet the definition of critical infrastructure . . . but are active participants in critical infrastructure sectors and communities” would be considered critical infrastructure within the meaning of CIRCIA. CISA is required to publish a final rule by October 2025.
NYDFS
Through its Cybersecurity Regulations, the NYDFS has asserted a leading role among cybersecurity regulators. The Cybersecurity Regulations, which took effect in 2018 and were amended in 2022, set forth minimum requirements for NYDFS-regulated entities to address cybersecurity risk. Key requirements include a 72-hour notification to NYDFS of a cybersecurity event that has occurred at the covered entity, its affiliates, or a third-party service provider that (1) impacts the covered entity and gives rise to an obligation to notify any government body or self-regulatory agency, (2) has a reasonable likelihood of materially harming normal operations, or (3) results in the deployment of ransomware within a material part of the information systems. The Cybersecurity Regulations also feature a 24-hour notification to NYDFS of any extortion payment made in connection with a cybersecurity event. These cyber incident reporting obligations align with the proposals in the CIRCIA NPRM and indicate that the U.S. may be moving toward the 72-hour notice required under the General Data Protection Regulation in effect in the European Union and United Kingdom.
Not to be left out of the 2024 AI fervor, NYDFS joined the fray and signaled that AI will be top of mind for the department moving forward. For example, in July 2024, NYDFS issued a Circular Letter advising insurers of the Department’s “expectation” that such entities will develop and manage their use of “artificial intelligence systems,” “external consumer data and information sources,” and other predictive models in underwriting and pricing insurance policies and annuity contracts in a manner that complies with applicable laws and regulations. The Department emphasized risks relating to fairness, bias and discrimination, data actuarial validity, transparency, and governance and risk management. In October 2024, the NYDFS followed with an Industry Letter to covered entities subject to the Cybersecurity Regulations on the cybersecurity risks arising from AI and strategies to combat such risks. The Letter calls covered entities’ attention in particular to AI-enabled social engineering, AI-enhanced cybersecurity attacks, exposure or theft of substantial amounts of nonpublic information, and increased vulnerabilities as a result of third-party, vendor, and other supply chain dependencies. The Letter then poses specific mitigation strategies in line with the Cybersecurity Regulations, which covered entities would be advised to review and incorporate into their cybersecurity programs.
Looking Ahead
The regulations, enforcement actions, and guidance detailed above should be top of mind in 2025 for entities within these agencies’ ambit. Recommended areas of prioritization include solidifying a firm’s cyber incident response plan, including integrated legal and communications plans, to address proper response, escalation, and notification procedures in accordance with the various rules and regulations at play; ensuring due diligence and oversight of third-party service providers, particularly in relation to security incidents experienced by such vendors and whether such incidents trigger a firm’s own incident response process; confirming asset inventories and data mapping and classification are in place; and continuing to integrate board and committee oversight of cybersecurity risks and governance.
For more information on PLI’s new edition of its cyber law treatise, Cybersecurity: A Practical Guide to the Law of Cyber Risk, click here.