Security & Privacy
“All things data” gains regulatory vigor with higher (and expanded) data risk management expectations

Security
Regulators will continue to focus on strengthening risk management and governance around the security of data, IT systems, and networks as well as promote resiliency and incident response. Regulators will be reviewing:
- Cybersecurity Threats: Increasing cybersecurity risks (e.g., adversarial attacks, data poisoning, insider threats, and model reverse engineering) will drive regulatory scrutiny to:
  - Processes for assessing, identifying, and managing risks from potential cybersecurity threats and potential threat actors.
  - Board oversight and management effectiveness, including roles, responsibilities, and applicable experience.
  - Timely reporting and disclosure of material cybersecurity incidents.
  - Speed of incident remediation.
- Threat Detection and Monitoring: Expanding expectations around the adequacy of threat detection and monitoring processes will include:
  - Maturity of endpoint detection and monitoring solutions.
  - Coverage of threat intelligence (both on-premises and cloud environments).
  - Maturation of third-party risk programs, inclusive of ongoing management of supply chain risks.
- Technology/Operational Resiliency: The small number of cloud service providers is driving renewed regulatory focus on the wide range of service uses (e.g., IT and cybersecurity management, data storage, and computing facilities needed for AI/ML applications). Areas of interest will include:
  - Resiliency (e.g., cyber incidents, technical vulnerabilities, physical events) and business continuity planning.
  - Transparency from cloud service providers (e.g., information on risks related to incidents and outages, needed to build technology architecture with consumer protections).
  - Market concentration, interconnectedness of providers, and concentration of “critical uses” of cloud services and similar third-party services.
  - Clarity and thoroughness of company and cloud provider responsibilities documented in contracts; third-party risk management.
Data management
Regulators emphasize the importance of data management and controls across all systems and applications, whether internal or through affiliates and/or third or fourth parties, and across the data lifecycle. Areas of regulatory focus will include:
- Access: Attention to access management programs and controls (e.g., multifactor authentication (MFA), least privilege, recertification), authentication credentials (e.g., encryption), and data practices (e.g., purpose, collection and handling, use, safeguarding, retention, and disposal).
- Third/Fourth Parties: Evaluation of third- and fourth-party risk management and governance processes throughout the relationship lifecycle, including whether “higher-risk” activities and complex relationships are subject to more comprehensive and rigorous oversight.
- “Automated Systems”: Application of existing authorities and regulations to supervise and enforce the design, development, and deployment of “automated systems” (e.g., algorithms, predictive analytics, AI, ML, quantum computing and other innovative technologies). Key risk areas will include data integrity, statistical validity, model accuracy, transparency, fairness, resiliency/reliability, and protections against data manipulation. Firms are expected to consider during the design stage and thereafter ways that a system could potentially be misused for fraud or cause other harms, and to take reasonable steps to mitigate such risks through “durable, built-in features.”
Privacy
Regulators will continue to assess consumer financial data privacy protections across collection, use, safeguarding, retention, and disposal, including increasing attention to purpose limitation, data minimization, and consumer rights. Expect examinations to cover:
- Evolving Processes: Is data privacy considered in the design, operation, and management of new applications, including technology systems, automated systems, and digital business practices, with the goal of preventing vulnerabilities (e.g., malware, fraud, identity theft, insider risk, reputation risk)?
- Lifecycle Operations: Are regulatory requirements related to consumer data integrated throughout the data lifecycle, including consumer notices, disclosures, opt outs, and other rights enumerated under applicable privacy laws and regulations (e.g., UDAP, GLBA, GDPR, CPRA)?
- Data Brokering: Are data aggregation practices or those of third parties, including monetization and use by data brokers and their customers, designed to ensure transparent practices and consumer privacy protections (e.g., clarity of communications, consumer choice)?
What to Watch
As data collection and use proliferates, so will security and privacy threats. Key regulatory actions to watch will include:
- SEC Cybersecurity Disclosures: Finalized in 2023, the rule requires public companies to disclose information about cybersecurity risk management, strategy, governance, and material incidents. Additional rule proposals for investment funds and advisers and market entities similarly address “cyber hygiene,” incident notification, and data privacy protection.
- SEC Amendments to Regulation S-P: A proposal to amend the consumer financial data privacy protection rules by imposing requirements regarding data breach notification, monitoring and detection of unauthorized access to or use of sensitive data, and proper disposal.
- Third-Party Risk Management (TPRM): Final Interagency Guidance: Finalized in 2023, the Interagency (FRB, FDIC, OCC) guidance establishes expectations for “sound” TPRM over the relationship lifecycle, varying with the degree of risk and complexity of each relationship.
Call to Action…
- Enhance board and executive oversight: Strengthen the oversight of security risk management, strategy, and governance at the board and executive level. Conduct regular communication and reporting between executives, management, and the board to foster a proactive approach to identifying, monitoring, and mitigating potential security threats as well as timely incident response.
- Maintain transparent and timely reporting: Implement a system for transparent and timely reporting of security threat incidents, as required by regulatory authorities. All incident-related information should be accurate, up to date, and communicated to the appropriate stakeholders, including regulatory agencies and customers, as appropriate.
- Effectively govern data management: Establish formal and effective governance around the management of data assets, including:
  - Governance around data definitions, standards, artifacts, and key data management processes; and
  - Well-defined roles and responsibilities pertaining to the management and ownership of data assets.
- Prevent privacy vulnerabilities: Design, operate, and manage new applications, including technology systems, AI, and digital business practices, with the goal of preventing privacy vulnerabilities (e.g., malware, fraud, identity theft, insider risk, reputation risk).
- Invest in expertise and talent: Cultivate a skilled workforce that is well-equipped to manage data and security risks in areas such as systems access/authorization; development of “automated systems”; arrangements with third/fourth parties; consumer protections; and data retention, storage, use, and disposal. Encourage ongoing training and continued development at all levels of the organization.