Fintech Trends 2018
Cyber & Data - New Risks, New Rules
18 July 2019
“The next 12 to 24 months are likely to see a substantial increase in regulation and enforcement in this area.” - Dessislava Savova, Partner, Clifford Chance LLP
Cyber attacks continue to increase and regulators are getting tougher, launching ambitious cyber enforcement to hold companies to account.
Recent research suggests that on average, a company suffers 130 breaches a year – almost double what it was five years ago. These attacks have a significant financial as well as reputational impact on the businesses affected.
In the EU, the Network and Information Security Directive is intended to ensure that operators of essential services (e.g. energy, transport and financial services) have secure IT systems and apply new technical and reporting standards. It imposes appropriate security measures and requires the reporting of significant incidents to national authorities.
The General Data Protection Regulation (GDPR), which came into force on 25 May 2018, regulates the collection and processing of personal data throughout the EU. It also significantly extends the extraterritorial effect of the EU regime. It seeks to modernise the EU law on data protection and achieve greater legal consistency across the EU and the EEA. It also introduces a raft of new expansive, and intrusive, rules.
In the US, in March 2017, the New York Department of Financial Services (DFS) cyber security regulations came into force. Their onerous requirements include: the need to develop a cyber security programme; to designate a chief information security officer; to regulate access privileges; to organise cyber security training for all employees; to report to the DFS any cyber security event within 72 hours of its occurrence; and to implement an incident response plan. The DFS regulations also require senior executives personally to testify to compliance with the rules. Only the smallest financial institutions – those with fewer than ten employees and assets under US$10 million (or annual revenues below US$5 million in the past three years) – are exempt from these requirements.
China and Russia have also introduced new cyber security regulations and Singapore will pass new legislation early this year.
- The introduction of the DFS rules is an unprecedented action by a state government agency. They are at the forefront of cyber-enforcement regimes and are likely to influence the development of similar laws and regulations throughout the US, at the federal level (in both the civil and the criminal arenas), and abroad, where they may come to serve as a blueprint for corporate cyber-regulation and cyber-policing frameworks.
- Those businesses which cannot demonstrate preparation for these emerging regulations are likely to be penalised with large fines. For example, the GDPR includes fines of up to 4 per cent of group global turnover or EUR 20 million (whichever is greater) for serious breaches, or up to 2 per cent of group global turnover or EUR 10 million (whichever is greater) for lesser infringements. Cross-border and extra-territorial enforcement will be prominent features of regulatory action.
- A growing number of companies are examining the third-party obligations that attach to the data they hold, which third parties have access to their systems, and whether those third parties are monitored. Expect to see much more of this in the future.
- The next 12 to 24 months are likely to see a substantial increase in regulation and enforcement in this area. In addition to governmental regulation of cyber security, we also expect to see an increase in industry or trade group-specific “model” rules or best practices standards.
- In the US, consumer and shareholder class action lawsuits are likely to become bigger and more sophisticated; we expect the number and size of shareholder and consumer claims to increase. In the EU and the EEA, the GDPR allows data subjects to nominate not-for-profit organisations to bring claims on their behalf, opening the possibility of class actions.