Data and Cybersecurity: 2023 Regulatory Challenges

Risk management and governance

Regulators are looking to strengthen data risk management, especially in areas such as governance incident reporting, vulnerability management, and identity/access management. Companies should look to build practical and defensible frameworks for scoping their programs that consider both regulatory requirements and expectations as well as business needs.

Regulatory scrutiny around data risk governance will include:

• Strength of skills at board, management, and staff levels.
• Accountabilities across business lines and key functions (e.g., IT, data management, risk and compliance).
• Timely board reporting, proof of challenge.
• Strategy, inventory, and data lineage to legacy systems.
• Clarity on data and information deemed critical to the organization, with associated data classification and risk rating to control programs.

Other aspects of data risk that regulators will also consider include:

• Compliance with incident response and reporting requirements, including:
  • Reporting and disclosure timeliness (such as current banking agency standards, forthcoming SEC proposals, FinCEN SARs).
  • Reporting for national security and/or law enforcement purposes (e.g., CISA, state AGs).
• Threat and vulnerability management, including:
  • Tools and processes for discovery, verification, and remediation of vulnerabilities.
  • Management of non-patchable vulnerabilities.
  • End-of-life system management.
  • Traceability of reporting.
• Identity and access management, including:
  • Existence/adequacy of the privileged access management (PAM) programs and controls.
  • Protection of authentication credentials (including non-person acccounts).

Data collection and use

Regulators have shown increasing interest in, and scrutiny of, companies’ practices around data collection, utilization, sharing, and monetization. They are seeking to understand and set parameters around the ways data is collected and used as well as how it is protected from misuse. Ongoing areas of focus include:

• Commercial surveillance (e.g., FTC’s ANPR seeking input on the need for regulations to address the scale of available data, data security practices, use of algorithms and automated systems to target behavioral advertising, potential consumer harms).
• Consumer reporting agencies (e.g., CFPB’s expansion of “credit reporting agencies” under the FCRA to include “other data brokers”).
• Payment platforms (e.g., CFPB’s orders to Big Tech on data practices).
• New products and services, such as BNPL lenders and automated valuation models (both a focus of CFPB) and digital engagement practices (SEC potential rulemaking).
• State and local laws, such as the CCPA and CPRA and NYC’s requirements around automated employment decision models.

Regulators will be reviewing practices related to data risk management and consumer protection including:

• Practices for data collection, sharing, monetization, and utilization, including clarity of communication and customer choice.
• Implementation of purpose limitation and data minimization policies (collect only what is needed for only as long as needed).
• Management and controls over data retention and deletion.
• Controls and monitoring of third-party processes regarding consumer data.
• Fairness and fair treatment.

Privacy

Regulators are evaluating companies' privacy practices related to the consumer and customer data they collect and use. Examples of privacy-related legislative and regulatory developments to watch for in 2023 include:

• FTC amendments to the Safeguards Rule (requires information security programs to have administrative, technical, and physical safeguards; potential rulemaking to require reporting of cyber events where customer information has been or is likely to be misused).  
• SEC proposal on digital engagement practices (proposed rule anticipated to cover predictive data analytics and related concerns including conflicts of interest, bias, and concentration risks).
• CFPB proposal on personal financial data rights (Section 1033 of Dodd-Frank).
• Guidance and/or examinations on models and algorithms, machine learning, and artificial intelligence.
• State regulations, such as the CCPA and CPRA, the NY DFS Cybersecurity Rule (amendments), and other state consumer data laws.
• Federal legislative proposals addressing consumer data privacy and/or data rights.

Increasingly, data privacy issues, and privacy-related legislative and regulatory developments, reflect elements, or “standards of care,” intended to facilitate transparency and consumer data rights. These may include:

• Clear disclosure/communication and transparency of consumer choice policies and processes.
• A consumer’s ability to access, correct, delete, or opt-out of the collection, processing, and utilization of their personal data.
• Requirements for obtaining a consumer’s consent to collect and process sensitive personal data, such as geolocation, protected characteristics, or genetic or biometric data.