1-800-ASK-CBIZ • cbiz.com/banking @CBZCBIZ BizTipsVideos (Page 2)
(Continued from page 1)
Webinars

7 Trends in Total Compensation - A Guide to Maximizing Your Organization’s Value
January 23, 1–2 p.m. CDT
Come take a look at what’s most important today in the world of total compensation by exploring the top trends in this arena.
Who should attend? HR professionals, chief financial officers and any management team members interested in compensation program design.

Executive Education Series: Eye on Washington - Quarterly Business Tax Update
February 8, 1–2 p.m. CDT
Our Eye on Washington webinars assist CEOs, CFOs, financial executives and advisors, and other interested parties in navigating the complex tax environment.

Benefits-Law Tax Reform: What Changes Are in Store?
February 27, 1–2 p.m. CDT
In this webinar, we will review the lay of the land on benefits-related taxes, whether via administrative, regulatory or legal sources. Join us for the hour to learn more!
Who should attend? Human resources executives or anyone else responsible for HR compliance, chief operating officers and CEOs. Employers of all sizes are welcome.
provisions, the executive order led to the National Institute of Standards and Technology (NIST) Cybersecurity Framework, which today is one of the gold standards for information security protection. It also created the Critical Infrastructure Cyber Community Voluntary Program to help infrastructure industries adopt the recommendations in the NIST framework.

The frameworks established, however, only provide recommendations for improvements. Regulators are weighing whether to make the best practices identified in cybersecurity protection mandatory. Financial institutions in particular may soon find that robust cybersecurity programs are not optional. A closer look at the developments in information security requirements for financial institutions may give us a glimpse of what’s ahead for cybersecurity regulation of other infrastructure industries—and other companies at high risk for data breach.

Proposed Regulations in the Works

The Federal Financial Institutions Examination Council (FFIEC) has cybersecurity recommendations for all financial institutions. These recommendations include ongoing risk assessments and risk mitigation practices. The FFIEC suggests following software assurance industry practices for applications and regularly evaluating third-party software and services for unusual activity or behavior. It also has recommendations for protecting user permissions and for cybersecurity awareness training.

In 2016, financial regulators proposed taking things a step further. The Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System and the Federal Deposit Insurance Corporation announced proposed cybersecurity rules for large financial institutions. The rules would apply to any bank or financial institution with total consolidated assets of $50 billion or more, or any bank or financial institution that is a subsidiary of a financial institution with $50 billion or more in total consolidated assets. Third-party service providers that serve these financial institutions would need to implement the rules as well.

The rules, which draw heavily from the NIST Cybersecurity Framework and other cybersecurity publications, fall into five general categories: cyber risk governance; cyber risk management; internal dependency management; external dependency management; and incident response, cyber resilience and situational awareness. Comments on the proposed rules were due by Jan. 17, 2017, but the deadline was later extended to Feb. 17, 2017. It remains to be seen how the proposed rules would change in a final version.
Kris St. Martin, Minneapolis, MN
Local Cybersecurity Efforts

Another trend that may be worth monitoring is state-mandated cybersecurity requirements. In the wake of cybersecurity incidents that affected the New York Stock Exchange and other New York-based financial institutions, the state passed its own cybersecurity requirements for financial institutions. The rules in 23 NYCRR 500 became effective on March 1, 2017 for qualifying financial institutions. They require financial institutions to implement a comprehensive cybersecurity program that covers 17 key components, including:
■ A formal cybersecurity program and policy
■ A chief information security officer
■ Regular penetration testing and vulnerability
assessments
■ A cybersecurity audit trail
■ Access privileges requirements
■ Application security measures
■ Cybersecurity personnel and intelligence
■ A formal third party service provider security policy
■ Multifactor authentication for network access
■ Limitations on data retention
■ Ongoing training and monitoring
■ Encryption of nonpublic information
■ An incident response plan
■ Notices to superintendent
■ Confidentiality measures
Lessons from Financial Institution Regulation

Infrastructure companies should monitor how mandatory rules play out for financial institutions. If the regulatory efforts are successful in reducing the number of financial institution cybersecurity incidents, state and federal regulators may turn their attention to other industries.

Organizations that have had a history of information security threats and disruptions may also want to consider undergoing a cybersecurity risk assessment and penetration testing exercises to pinpoint where their current practices are falling short. All sectors should also consider the benefits of cyber liability insurance. Insurance policies frequently require a minimum set of standards to be in place to protect information security and may help keep your organization up-to-date on cybersecurity best practices.
Related Reading
■ A Good Cybersecurity Defense Starts with People
■ The Internet of Things Makes the Future of Cybersecurity Much More Complicated
■ Cybersecurity Check-In: 6 Questions Boards of Directors Should Ask About Cybersecurity

If you have specific comments, questions or concerns about cybersecurity, you can reach Kris St. Martin at 763-549-2267 or kstmartin@cbiz.com, or contact your local CBIZ advisor.
A Short History of the CFPB
By Jake McDonald

In July of 2010, Congress passed and President Obama signed the Dodd-Frank Wall Street Reform and Consumer Protection Act. This Act, in response to the financial crisis of 2008, included the creation of the Consumer Financial Protection Bureau (CFPB), an autonomous U.S. government agency tasked with ensuring that banks, lenders, and financial companies treat consumers fairly by providing greater protection and establishing rights to consumers of financial products.

In some ways the autonomy of the CFPB is unique. But in others it is similar to the Federal Reserve. The Fed’s goals
and purpose—to establish maximum employment and stable prices—are set by Congress, but its funding and operation remain autonomous in order to prevent being swayed by political pressure. The thinking behind the CFPB’s structure was similar. The Bureau receives its money not through Congressional appropriation but from the Fed. The agency was given independence purposely so that it could proceed with its work without worrying about political retribution.

The entire premise for the creation of the CFPB is to protect consumers from financial predators and criminals. Existing government agencies have been in place for decades to monitor and regulate financial institutions. That approach fragmented the regulatory role across various agencies. The CFPB consolidates government authority with regard to consumer protections into a single agency.

Since the inception of the CFPB there have been several high-profile scandals within the financial industry, including the collusion and fixing of LIBOR interest rates by multiple banks and the creation of fraudulent bank accounts and loans in the name of bank customers. In its capacity as the sole consumer protection agency, the CFPB has brought many less visible yet purposeful actions. For example, just since August of this year the CFPB took action against the following:
■ Citibank, N.A. for student loan servicing failures that harmed borrowers.
■ Xerox Business Services, LLC, now called Conduent Business Services, for software errors that led to incorrect consumer information about more than one million borrowers being sent to credit reporting agencies.
■ Freedom Debt Relief, the nation’s largest debt-settlement services provider, and its co-CEO Andrew Housser for deceiving consumers.
■ Tempo Venture, Inc., doing business as Culpeper Pawnbroker, for deceiving consumers about the actual annual costs of its loans.
■ Top Notch Funding for lying in loan offers to NFL players, Deepwater Horizon victims, and 9/11 first responders.
■ American Express Centurion Bank and American Express Bank, FSB for discriminating against consumers in Puerto Rico, the U.S. Virgin Islands, and other U.S. territories by providing them with credit and charge card terms that were inferior to those available in the 50 U.S. states.
How the CFPB May Be Changing

It now seems that the purpose and role of the CFPB are in jeopardy. The transition from the Obama to the Trump administration in 2017 has ushered in Congressional pushback on regulatory activities in the financial sector. In October 2017, the U.S. Senate followed the House in striking down the CFPB’s “Arbitration Rule,” which aimed at removing the ability of “providers of certain consumer financial products and services” to require consumers to agree to arbitration in their contracts (such as credit card, cable TV and cell phone agreements) and to bar the consumer from joining in a class action over any grievance that may arise under the agreement.

Now, the leadership of the CFPB is disputed following the resignation of Director Richard Cordray to prepare for a run at the governorship of Ohio. The Acting Director, Leandra English, the designated replacement according to the Act that established the CFPB, has been unseated by the President’s hand-picked successor, Mick Mulvaney. Mulvaney, who currently also serves as director of the Office of Management and Budget, has openly expressed his dislike for the CFPB. Not surprisingly, his appointment has set off a legal battle over who is really in charge.

In early December, a federal judge held that the Vacancies Reform Act took precedence, handing control to Mulvaney as the acting director until the Senate confirms a permanent CFPB director. Nearly 30 Congressional Democrats recently vowed to continue fighting to displace Mulvaney and replace him with English. English herself is suing Trump to block Mulvaney from leading the watchdog agency.

Adding a measure of intrigue, Deepak Gupta, the lead lawyer of a boutique law firm that launched its suit on behalf of CFPB acting director Leandra English, confirmed in a CNBC interview that English is not paying his hourly fees, but rather unknown anonymous donors are.

But English is not alone. Citing “regulatory chaos” caused by the fight over who is the legal leader of the regulator, the Lower East Side People’s Federal Credit Union called on a federal court to remove Mulvaney and affirm Leandra English as the proper acting head of the bureau. This is a legal challenge against the administration by an entity regulated by the CFPB. The Credit Union charges that “President Trump has attempted an illegal hostile takeover of the CFPB,” claiming that the Vacancies Reform Act’s provision that the President “cannot appoint an acting director to an independent multi-member board or commission without Senate approval” was illegally ignored.

It will be interesting to see how this all plays out. Will the CFPB survive or be one of the shortest-lived federal agencies?
Jake McDonald, a member of the CBIZ Credit Risk group, keeps his finger on the pulse of the financial sector. He can be reached at (610) 862-2202 or jwmcdonald@cbiz.com.

Jake McDonald, Philadelphia, PA
’Tis the Season for Cybersecurity Risks
By Ray Gandy

With the hustle and bustle of the holiday season in full gear, consumers and retailers need to be especially careful. Holiday sales and discounted prices on goods mean more transactions. More transactions mean more opportunities for cyber criminals to access potentially sensitive information. Consumers and retailers that understand the types of holiday risks they may be facing and how stolen information is being used may be able to avoid getting wrapped up in a scam.

Stolen Information and the Dark Web

Sensitive information has been shown to be valuable on the so-called Dark Web, though the abundance of stolen information available has knocked the price point down a bit. More than 145 million people had their sensitive information stolen over the summer in the breach of the credit rating agency Equifax. Individuals potentially affected by the breach may need to keep monitoring their activities because the breach is only the beginning of the cybersecurity marketplace.

The internet has several layers to it. Browsers that come installed on internet-ready devices take users to the top layer, the Surface Web. The Surface Web’s pages can be easily accessed and found through search engines.

There is also the Deep Web, which includes content that is basically hidden but accessible through a standard internet connection. Typically this data belongs to a company and includes proprietary information, such as personal email or data archives.
Finally there’s the Dark Web, which is essentially a black market operation that functions similarly to the experience of a Surface Web page. Users need specific software and browsers, such as Tor, in order to access Dark Web pages. Websites on the Dark Web are harder to track, so they’ve become a haven for the buying and selling of illegal products. The amount of technology involved in getting to the Dark Web also makes it popular for cyber criminals, who use the Dark Web to sell malware or other hacking “guides.”

Personal information obtained in a breach could end up in the Dark Web marketplace, packaged with the information from other breach victims. Personal data sets are then sold to the highest bidder. Once the buyer obtains personal information, he or she could use the credit card numbers or whatever else was compromised to place online orders of merchandise or make other illicit purchases.

How Businesses Can Protect Themselves from the Dark Web

Businesses that conduct a significant amount of business online or that have data that may be particularly appealing to cyber criminals should brush up on Dark Web trends and what seems to be selling well on underground channels. For example, information collected by the National Security Agency was leaked onto the Dark Web in early 2017, and some of that information on known system vulnerabilities was used as part of the WannaCry incident.

Organizations and their information security teams will also want to monitor the methods used by large-scale attacks to ensure their systems and processes are capable of addressing that type of intrusion. Security and software patches are essential, as is ongoing staff awareness training.

How Can Individuals Protect Themselves from the Dark Web?

Now, more than ever, individuals need to be vigilant about monitoring their online purchases and bank statements. They should report any suspicious credit or debit card activity to their bank right away to try to stop stolen purchases from going through.

Individuals should also be aware that the standard cyber risks are going to be at an all-time high, too. Cyber attacks may be getting more sophisticated, but phishing emails are as common as ever. During the holiday shopping season, these phishing emails may be touting deep discounts on name-brand items. The Department of Homeland Security recommends hovering over hyperlinks before you click anything to make sure you recognize the URL first. Messaging in phishing emails also tends to be urgent, and it may sound too good to be true. Any suspicious emails should be reported to the FBI’s Internet Crime Complaint Center, local police and the Federal Trade Commission.

Stay Alert

The holiday season is no time to let your guard down when it comes to cyber risks. Businesses and consumers that are in tune with cyber attacks and cybersecurity trends may be able to avoid the season’s greatest cyber risks.

Related Reading
■ A Good Cybersecurity Defense Starts with People
■ The Internet of Things Makes the Future of Cybersecurity Much More Complicated
■ Four Steps to Beat Cyberattacks

Ray Gandy is a Director and Leader of the IT Risk and Security Practice in New England. For additional information, you can reach Ray directly by email (or 617.761.0722), or contact your local CBIZ MHM professional.

Ray Gandy, Boston, MA

DISCLAIMER: This publication is distributed with the understanding that CBIZ is not rendering legal, accounting or other professional advice. This information is general in nature and may be affected by changes in law or in the interpretation of such laws. The reader is advised to contact a professional prior to taking any action based upon this information. CBIZ assumes no liability whatsoever in connection with the use of this information and assumes no obligation to inform the reader of any changes in laws or other factors that could affect the information contained herein.