Review of 2016: A hard line on data leaks

In June, Morgan Stanley became the latest financial institution to be fined by the Securities and Exchange Commission for failing to safeguard customer data, thereby breaching sweeping cybersecurity guidance issued by the commission in 2015.

The bank was ordered to pay $1 million after confidential client data was posted online, and the firm was deemed by the SEC to have insufficient data protection measures in place.

The commission is taking a hard line on cybercrime, something it considers to be the single biggest threat to the financial services industry, and regulators elsewhere are following suit.

The New York Department of Financial Services unveiled its plans to introduce a new set of comprehensive cybersecurity regulations aimed at safeguarding information systems and non-public information.

Under the proposals, covered entities – those operating under the banking, insurance, or financial services umbrella – will be required to appoint a chief information security officer to develop a bi-annual report addressing the state of their cybersecurity programs. The legislation is due to take effect in January 2018.

The data protection rules recently passed in the European Union go even further. The Global Data Protection Regulation expands the scope of EU data privacy protection regulation to cover all businesses that control or process personal data related to the offering of goods and services or that monitor the behavior of individuals in the European Union, whether those companies are based in the EU or elsewhere.

It was adopted by in April 2016, and affected firms have two years in which to prepare for compliance.

Speaking at the PEI Alternative Funds Finance and Compliance Forum in October, one general counsel said the regulation was one of the most far-reaching pieces of data protection regulation imaginable.

“The GDPR is coming, and firms must start preparing now,” the general counsel said. “The fine for a data breach following its entry into force will be the equivalent of 4 percent of the company’s global annual turnover. Not only will non-compliance damage a firm’s reputation, it may also send it under.”