
Navigating Cybersecurity on a Stretch of “Regulatory Rapids”

Traders Magazine Online News, October 20, 2017

Joanna Fields

As global cybersecurity regulatory trends become increasingly complex, navigating legal exposure and reputational risk has become more akin to white-water rafting the Taos Box section of the Rio Grande. To steer successfully, one must be able to quickly identify obstacles or threats and then leverage the tools at one's disposal, such as "eddy cushions" (water that flows in the opposite direction from the rest of the river, allowing rafters to slow down), to identify, detect, protect, respond and recover. As global capital markets have grown more dependent on complex technology networks and have seemingly embraced the arms race for speed, firms appear less inclined to employ tools that force systems to slow down, which is in part driving "high side" global legislation and regulatory requirements.

On May 25, 2018, the EU will begin enforcing the General Data Protection Regulation (GDPR), a set of rules addressing privacy and information sharing that could profoundly affect US firms transacting with EU clients. GDPR standardizes and replaces the existing, disparate cyber privacy and protection requirements that have been in place for years to protect EU citizens. Not unlike the New York State requirements, GDPR imposes a 72-hour window to notify a client if there is a breach of data. Considering the recent Equifax breach, which took approximately two months to disclose, a 72-hour notification window is an important consideration in developing external communication policies and procedures.

EU and US Conflux

All firms that store or carry EU client data will fall under the jurisdiction of GDPR. Computer IP address information, email addresses and other relevant client data should be scrutinized with regard to the sharing of personal information and whether EU client consent is required.

As financial firms strive to develop forward-thinking global cybersecurity frameworks to address the increasing risks of electronic trading, it is not uncommon to encounter a "sleeper" or two (a submerged rock or boulder that causes no surface disturbance), owing to the complexities of interacting regulatory forces, the lack of standardized global privacy requirements, and design requirements that call for agile, flexible detection and response programs able to react to highly sophisticated industry threats.

Moreover, regulatory reporting, data retrieval for liquidity risk assessment, capital calculations, and simply the ability to identify every location where client data is used and stored within a firm are not as easy as they may seem. This issue is only amplified for global firms that may outsource business support to affiliated entities, use third-party vendors or transfer client data across borders. With regard to GDPR, it is important to note that data processors are governed by the new requirements; so wherever cloud technology is utilized, it will fall under the jurisdiction of this mandate.

Regulatory Hazards
