The quality of the CFPB’s information security program “has decreased since last year, leading us to conclude the program no longer is effective,” the bureau’s Inspector General (IG) said in a report.

The bureau’s overall security program rating has decreased from “managed and measurable” to “defined,” which is only one step above the lowest security rating, the IG said in an annual audit conducted between April 2025 and October 2025. …

As previously reported, in May 2024 FHA announced a requirement for FHA-approved lenders to notify the U.S. Department of Housing and Urban Development (HUD) of Significant Cybersecurity Incidents, and the requirement was effective immediately. Apparently in response to industry criticism, in Mortgagee Letter 2024-23 FHA announced revised requirements.

Originally, for purposes of the reporting requirement, a Significant Cybersecurity Incident (Cyber Incident) was defined as “an event that actually or potentially jeopardizes, without lawful authority, the confidentiality, integrity, or availability of information or an information system; or constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies and has the potential to directly or indirectly impact the FHA-approved mortgagee’s ability to meet its obligations under applicable FHA program requirements.” …

The California Privacy Protection Agency (CPPA) recently published two new sets of draft regulations addressing a range of cutting-edge data protection issues. Although the CPPA has not officially started the formal rulemaking process, the Draft Cybersecurity Audit Regulations and the Draft Risk Assessment Regulations will serve as the foundation for the process moving forward. …

On November 9, 2022, New York Department of Financial Services (NYDFS) Superintendent Adrienne Harris announced that the NYDFS formally proposed an updated cybersecurity regulation. Although the updates had previously been released in draft form, the formal announcement commences the 60-day comment period.

The proposed regulations would create three different tiers of companies based on their size, operations, and the nature of their businesses. …

On July 29, 2022, the New York Department of Financial Services (“NYDFS”) released Draft Amendments to its Cybersecurity Regulations. The Amendments, if adopted, would further regulatory trends and impose important new requirements on covered entities.

The Amendments contain three significant changes relating to ransomware. First, the Amendments specifically add “the deployment of ransomware within a material part of the covered entity’s information system” as a cybersecurity event requiring notice to the superintendent within 72 hours. …

In a report released June 21, 2022, the U.S. Government Accountability Office (GAO) urged the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the Department of the Treasury’s (Treasury) Federal Insurance Office (FIO) to jointly assess whether the risk to critical infrastructure and potential financial exposures from catastrophic cyber incidents warrant a federal insurance response, and to inform Congress of the results of their assessment. …

The last few months have seen a flurry of new federal cybersecurity incident reporting requirements and proposals impacting private entities in the financial sector. As the number and frequency of cyber attacks continue to grow, regulators have attempted to enhance cybersecurity protections via increased and more rigid incident reporting obligations, leading to a constantly shifting regulatory patchwork of varying disclosure and timing obligations. …

On December 18, 2020, the Office of the Comptroller of the Currency (OCC), Federal Reserve Board (FRB), and Federal Deposit Insurance Corporation (FDIC) announced an interagency notice of proposed rulemaking that would require supervised banking organizations to provide notification of significant computer security incidents to their primary federal regulator. Under the proposed rule, for incidents that could result in a banking organization’s inability to deliver services to a material portion of its customer base, jeopardize the viability of key operations of a banking organization, or impact the stability of the financial sector, the banking organization must notify its primary federal regulator no later than 36 hours after determining that an incident has occurred. …

On August 21, 2019, the Conference of State Bank Supervisors (“CSBS”) launched three new online tools designed to help non-bank financial services companies navigate state regulations and protect against cybersecurity risks: a State Regulatory Guidance Portal, a State Survey Map of Money Transmission Laws, and Cybersecurity 101: A Resource Guide for Financial Sector Executives. …

Ballard Spahr is proud to partner with Venminder, Inc., on this podcast posted today discussing third-party vendor risk management concerns of financial institutions and service providers. Hosted by Venminder’s Chief Risk Officer Branan Cooper, the podcast features Glen Trudel, a partner in Ballard Spahr’s Consumer Financial Services Group with extensive experience in this area. …