Major Insurance Company Fined Millions of Dollars for Data Breach
Currently, there is no shortage of regulatory and legal actions against companies that fail to maintain a robust and comprehensive cybersecurity program. One recent action involved Nationwide Mutual Insurance Company and one of its subsidiary entities, Allied Property & Casualty Insurance Company (subsequently referred to collectively as “Nationwide”), following a criminal data breach. The breach at issue may have resulted in the loss of sensitive information—such as social security numbers and birthdates—belonging to 1.27 million consumers.
Hackers exploited a vulnerability in Nationwide’s web application hosting software and gained access to the sensitive information. After the breach, Nationwide applied a software patch addressing that vulnerability; the patch was not in place at the time of the attack. While Nationwide admitted that the breach occurred, it denied any wrongdoing or liability as a result of the breach.
The Attorneys General of 33 states, who are tasked with enforcing consumer protection laws in their respective states, entered into an Assurance of Voluntary Compliance (“Voluntary Assurance” or the “Agreement”) with Nationwide, in which the company agreed to meet certain requirements. In addition to posting an online disclosure informing individuals that their personal information is retained while they maintain an active account or as needed to provide services, Nationwide was required to appoint an information technology officer (“ITO”). Under the terms of the Voluntary Assurance, the ITO is tasked with a number of responsibilities aimed at preventing another data breach like the one Nationwide experienced. For example, he or she is responsible for instituting a process to review and revise Nationwide’s security policies related to software and application security updates and security patch management.
The newly appointed ITO is also responsible for overseeing and managing software and application security updates and security patch management, and for supervising, coordinating and evaluating the patch management tool(s). A full list of the ITO’s responsibilities is set out in the text of the Voluntary Assurance.
In addition to the requirements outlined in the Agreement, Nationwide agreed to pay $5,500,000 to the Attorneys General. The money may be applied by the Attorneys General, in full or in part, to any law enforcement fund with the mission of consumer protection, “. . . including future consumer protection or privacy enforcement, consumer education, or litigation . . .”
The regulators have made it clear that due to the increasing number of cyberattacks against financial firms, cybersecurity is, and will be, an exam priority for the foreseeable future. Does your firm have an adequately tailored cybersecurity policy in place? Contact us for assistance in creating or revising a cybersecurity policy for your firm, as it is imperative that investment advisers and broker-dealers take precautions to address this evolving threat.