Financial Services Firms Under Increased Regulatory Scrutiny for Data Protection

Financial services firms increasingly have to comply with more regulations surrounding data protection, initially global such as General Data Protection (GDPR), followed by countries and states instituting their own including J-SOX, the New York State’s Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) and California Consumer Privacy Act (CCPA). 

EisnerAmper sat down with Michael Asher, Chief Information Officer of Richard Fleischman & Associates, who discussed some of the regulations; and Rahul Mahna, Managing Director, Managed IT Services in EisnerAmper’s Process, Risk & Technology Solutions (PRTS), who addressed how IT can help assist firms in adhering to these rules.   The first part of this two-part blog series (See part two) will discuss the abovementioned regulations.

EISNERAMPER: GDPR

The E.U.’s GDPR focuses on data classification (tagging), data monitoring in transit and at rest (when data is transmitted or sent to third parties), and mandates that data can be erased from all systems upon request.

ASHER:

Firms need to identify and classify the types of data they interact with, especially anything considered covered personal identifiable information (PII), which also includes internal HR information about employees. Data collected from natural persons should align with a specific business requirement and identify purpose for use. For covered information, it is important to ensure proper controls are implemented for data security, access (only for authorized personnel), and monitoring that data access.  It is also important to implement proper mechanisms for appropriate data retention and to address any data erasure (“right to be forgotten”) requirements which includes data anonymization/masking if data is to be retained to support business functions. Finally, firms must adhere to privacy policy and reporting mechanisms to ensure that the privacy policy (including for any website cookie use) is available for reference and includes protocols for aligning with breach reporting requirements to the ICO under GDPR.

MAHNA:

Data collection, storage and removal are essential and the major tenants of GDPR; however, they need to be closely examined in relation to the mandates of a typical IT department because oftentimes they are in sharp contrast to the IT directives. Many IT departments are focused on backup and disaster recovery techniques and providing storage capabilities that are infinite and permanent.  We have noticed a growing challenge in how to ensure a strong data retention policy while adhering to a GDPR mindset of removal of all data when requested and not leaving some data on a backup/disaster recovery system. It’s quite a complicated task to adhere to these divergent mandates and we see this as one challenge IT departments have moving forward.

EISNERAMPER: J-SOX

J-SOX is similar to and based on the U.S. Sarbanes Oxley Act but designed for Japanese-registered entities under Japan’s Financial Instruments and Exchange Law. There are many similarities to the COSO framework used for reporting SOX compliance; but J-SOX has additional focus on importance of “IT support” and some differences in “preservation of assets.”

ASHER:

With J-SOX, IT teams help firms ensure that the following programs are in place to provide three basic parts:

• “Basic Framework of Internal Control,” which describes internal controls on financial reporting and requires oversight and responsibility of senior management.
• “Evaluation and Reporting of Internal Control for Financial Reports,” which define management’s approach to evaluating the effectiveness of internal audit program.
• “Auditing of Internal Control for Financial Reports” which “explains approach to standards for audits conducted by independent accounting firms.”

These report components must be submitted on an annual basis along with a “certification” from management stating “descriptions in financial statements are appropriate and in compliance with laws and regulations.”

MAHNA:

J-SOX compliance is a specialization and requires an audit team that is experienced in its nuances. In the past year working with our internal J-SOX compliance team, we have seen a heightened focus on IT general controls (“ITGCs”) and their impact in the overall financial statement audit.  There are some unique characteristics of ITGCs for J-SOX and a new trend we are noticing is the IT function is working closely with the audit function in organizations to ensure, in advance of making major IT implementations, that those changes will be in compliance with J-SOX requirements before proceeding. Incorporating a system into an organization’s IT environment must be prudently planned and executed to ensure compliance with the J-SOX IT General Controls framework. Internal audit teams are supporting management with pre- and post-implementation system reviews and consideration should be given to whether the new software conforms to existing controls or if modifications, updates or additions need to occur in order to address key risks.

Additionally, we’re seeing an increased focus on cybersecurity and compliance as it relates to J-SOX in-scope financial systems and applications.  It is important to recognize that cybersecurity is an ever-evolving risk that increasingly requires greater attention from organizations. Unauthorized access to an organization’s information systems and data presents a significant threat around the integrity of financial reporting, misappropriation of assets and fraud, including unauthorized payments to fictitious vendors. Organizations, with the assistance of internal audit and advisors, are now incorporating cyber-risk assessment and defense strategies as part of their J-SOX program to help mitigate against cyber threats.

EISNERAMPER:  SHIELD Act

New York State’s SHIELD Act, which went into effect on March 21, 2020, requires financial services firms to implement a data security program.

ASHER:  

The SHEILD Act includes six key elements:

• Framework/Assigning Committee: Designating employees to coordinate data security program;
• Training: Information security training for employees in security program practices, procedures and the proper handling of sensitive information;
• Limiting risk: Assessing internal and external risks in network/software design, information processing, transmission and storage, and implementing controls to reduce those risks;
• Know your vendor: Selecting service providers capable of maintaining appropriate safeguards;
• Physical security: Safeguarding information storage, measures to prevent unauthorized access to private information during collection, transportation and disposal, and timely secure destruction;
• Monitoring: Detecting, preventing and responding to attacks and system failures.

In addition, the SHIELD Act broadens the circumstances that qualify as a “breach” by including incidents that involve “access” to private information, regardless of whether they resulted in “acquisition” of that information. Prior to SHIELD, access without acquisition does not qualify as a breach.

The SHIELD Act also adds several factors for determining whether there has been unauthorized access to private information, including “indications that the information was viewed, communicated with, used, or altered by a person without valid authorization or by an unauthorized person.”

MAHNA:

Increasingly, the theme is to inform and protect the consumers and with the SHIELD Act this protection extends beyond the consumer to the organization’s employees. With the SHIELD Act organizations are being compelled to focus on three elements around data security:

• MEASURE risk,
• MANAGE with the right tools and team, and most importantly
• MONITOR, as every organization is constantly changing.

The SHIELD Act considers data security reasonableness commiserate with the size of the organization, complexity of operations, and sensitivity of the data it collects. An organization can satisfy these requirements with the right staff and follow frameworks, as found in NIST or SANS for example. To ensure our clients have robust IT controls to manage risk, we launched a proprietary assessment tool called Financial Risk of Security Technologies (“FiR$T”), looking to provide them with a checklist of where their current IT gaps are compared to their peers. From this assessment, which can be done virtually, we provide them recommendations on exactly what IT components they should invest in to ensure they have robust cybersecurity.

EISNERAMPER: CCPA

Similar to GDPR, CCPA requires companies perform analysis and classification of data collected and any covered information configured with appropriate data protection and monitoring.

ASHER:

Many firms assumed GDPR compliance would also cover CCPA compliance. While the two are similar, there are additional components firms need to consider and address to achieve CCPA compliance.

• Broad applicability scope – any company that serves California residents and has at least $25 million in annual revenue, regardless of company location (both domestic and international).
• Widens scope of “personal information”:
  • Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier IP address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers;
  • Characteristics of protected classifications under California or federal law;
  • Commercial information including records of personal property, products or services purchased, obtained or considered, or other purchasing or consuming histories or tendencies;
  • Biometric information;
  • Internet or other electronic network activity information including, but not limited to, browsing history, search history and information regarding a consumer’s interaction with a website, application or advertisement;
  • Geolocation data;
  • Audio, electronic, visual, thermal, olfactory or similar information;
  • Professional or employment-related information;
  • Education information, defined as information that is not publicly available PII as defined in the Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99);
  • Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities and aptitudes.

MAHNA:

CCPA has definitely been a strong topic of discussion since the beginning of the year. We are anticipating a lot of pressure to come as the legal aspect of the enforcement comes to fruition. As with all new standards, a readiness assessment, to gauge whether the organization is in compliance or to identify the gaps in compliance, is prudent. There are a few software tools that are being offered to help an organization get organized for CCPA and we encourage the usage of those; however, to truly get a sense of risk we believe an independent third party who is experienced in risk management and mitigation is essential. The nuances listed above are only the beginning of the analysis, the true essence comes when working with a potential client/vendor that requires it and who is going to attest to the readiness of the standards and the acceptability of those statements.