
Online banking institutions will be held to more rigorous security demands from the Federal Financial Institutions Examination Council (FFIEC) in January. That’s when examiners begin assessing financial institutions against risk assessment best practices, including better fraud protection and the use of layered security technology to augment the multi-factor authentication laid out in the last update to FFIEC’s guidance, issued in 2005.

Released well over a year ago, the second revision of the Payment Card Industry Data Security Standard (PCI DSS) offers some key tweaks to its requirements, including clarifications about encryption key management, network segmentation and risk-based vulnerability assessments. Enforcement of the changes starts in January.

While there are no new regulations from the FTC, this agency plans more enforcement of its Fair Information Practice Principles, which govern how companies collect, use and protect information about customers online. FTC cases against Google, Disney and Facebook this year for not following the principles show that companies need to treat these rules more seriously next year.

In October of this year the SEC let it be known that it wanted public companies to start informing shareholders when they experience ‘material cyber attacks.’ In 2012, public companies must be ready to disclose the financial implications of breaches and incidents they experience going forward.

The coming year may well be the year that HIPAA grows teeth. The Office for Civil Rights recently started a program to audit organizations. When the OCR notifies an organization that it is subject to audit, it will only have 10 days to produce the paperwork.

It may not be ratified yet, but experts believe that the ISO 27036 standard currently making the rounds for approval could become the de facto security standard by which third-party service providers, cloud or otherwise, are measured by prospective customers. Partners would do well to know the ins and outs of this standard before it goes live.

Starting in June 2012, financial institutions may be required to adhere to new updates from the Financial Crimes Enforcement Network (FinCEN) on how they manage electronic reporting for Suspicious Activity Report (SAR) filing. These organizations will need to keep an eye on FinCEN updates and treat them with due care.