Policy Watch: Cybersecurity
As attempts to steal consumers’ personal and financial information rise, so does the number of bills introduced to put safeguards in place.
Cybersecurity is on the nation’s radar, and for good reason: The Center for Strategic and International Studies estimates the cost of cybercrime to the global economy at $445 billion in a typical year, and Bloomberg projects security spending for cyber threats will top $40 billion annually by 2017.
As in other sectors, financial institutions are moving with the times to upgrade their technology, but technological advancement comes at a price, as each new technology introduces complexity and system vulnerability. According to the Financial Services Sector Coordinating Council (FSSCC), most financial firms experience near-daily cyber-attacks. When cyber-attacks are successful, losses can be profound, costing financial institutions millions of dollars per successful breach—and often harming their reputations in the process.
Whatever type of institution or company is targeted, note FSSCC Chairman Russell Fitzgibbons and Vice Chairman Doug Johnson, these cyber-attacks are often intended to compromise consumers’ financial information.
Cybersecurity in the Financial Sector
Title V of the Gramm-Leach-Bliley Act (GLBA) of 1999 requires that financial institutions develop safeguards to ensure the security of consumer records and to protect against anticipated threats to consumers’ information. Following GLBA, federal financial regulators including the Board of Governors of the Federal Reserve System issued supervisory guidance delineating expectations and requirements for information security and risk issues in areas such as authentication, continuity planning, payments collection, and vendor management. Federal banking agencies also require that banks, bank holding companies, and their subsidiaries implement a risk-based response program to address breaches to customer information systems.
For at least the past 14 years, then, the financial services sector has had in place what Fitzgibbons and Johnson describe as “a robust data protection and examination and enforcement system,” one that requires thorough assessments of risks to consumers’ information. But it’s no longer enough.
Financial institutions have placed cybersecurity among their highest priorities and are working diligently to protect themselves and consumers from cyber-attacks. Addressing concerns presented by Sen. Elizabeth Warren (D-MA) and Rep. Elijah Cummings (D-Baltimore) in their November 2014 letters to 16 large financial institutions, the FSSCC outlines several initiatives to increase cybersecurity and curb the number of financial-sector breaches. These initiatives include security platforms from a number of third-party vendors working on solutions to assimilate and analyze threat information in order to assist financial services companies in combating cyber-attacks.
Also under way is a collaboration between members of the FSSCC and merchant/retailer associations to address cybersecurity threats affecting both the merchant and the financial services industries. The Merchant and Financial Cybersecurity Partnership brings together financial services, retail, government, and other stakeholders to collaborate on public policy aimed at increasing information sharing among sectors, improving card-security technology, and building and maintaining consumer trust.
Cybersecurity Legislation: 2015
As in the private sector, facilitating cybersecurity through enhanced information coordination is a key focus of the White House and the 114th Congress. President Barack Obama issued a February 2015 Executive Order, Promoting Private Sector Cybersecurity Information Sharing, to address cyber threats to the economic and national security of the United States.
Several cybersecurity-related bills affecting banks and banking have been introduced in the 114th Congress, though none is concerned solely with the financial sector.
Some bills are enjoying bipartisan support in their earliest stages. The Cybersecurity Information Sharing Act of 2015 has had the most success to date and, if passed into law, would encourage voluntary sharing of cyber-threat information while protecting individuals’ civil liberties. A companion bill in the House, the Protecting Cyber Networks Act, introduced in late March, has since been referred to the full House for consideration. Both bills offer liability protection to entities that share cybersecurity information voluntarily, but they differ in two significant respects: the House bill would prohibit the use of shared data for surveillance purposes, and the Senate bill would require information shared by private entities to be routed first through the Department of Homeland Security.
A related cybersecurity bill originating in the House is the Cyber Privacy Fortification Act of 2015, which seeks to amend the federal criminal code to provide criminal and civil penalties when a private entity intentionally fails to notify an individual of a security breach that it has reason to believe has resulted in improper access to “sensitive personally identifiable information.” The bill would also require the entity to provide prompt notice of the breach to the US Secret Service or the FBI.
These bills are meant to encourage financial-sector cooperation, which some in Congress argue has been lacking. There are numerous reasons a company or financial institution might hesitate to share cyber-attack information, however. Perceived legal risk is one deterrent; so is the prospect of handing competitors useful information, or of disclosures that hurt one’s own sales or stock price. Finally, absent a mechanism that rewards information sharing (and currently there is none), a firm’s competitors might take advantage of the information it provides without contributing in turn.
These and other bills seek to remove such roadblocks.
Cybersecurity and the Federal Reserve
It is, perhaps, out of practicality that the Federal Reserve advocates non-regulatory and non-legislative approaches to cybersecurity strategy whenever possible.
According to the January 2015 report Strategies for Improving the U.S. Payment System, there remain important challenges to financial- and retail-sector cybersecurity, “including the time to develop security standards, inconsistent adoption of security improvements, and barriers to sharing fraud and threat information among stakeholders.” Jason Tarnowski, an assistant vice president at the Federal Reserve Bank of Cleveland, observes that technological advances have been embraced by financial institutions, driving innovation in payment and other systems and deepening interconnectedness among financial, retail, utility, and other sectors. “The flip side,” he notes, “is that criminals are exploiting this interconnectedness, presenting significant cybersecurity risks to these firms. Consumers are also at risk, as their bank accounts and personal information are often targeted in these cyber-attacks.”
The Fed’s focus on advancing US payment safety, security, and resiliency reflects an understanding of this interconnectedness—and how vital it is to financial stability. The Strategies report outlines the Fed’s intentions to expand its pool of anti-fraud and risk management services. In the near future, the Fed will explore improvements to its publicly available payment-fraud data, conduct research in payment security, and share results with stakeholders. As a federal banking regulator, the Federal Reserve is strengthening its overall supervisory approach to cybersecurity.
To obtain the current status of bills in the 114th Congress, visit www.congress.gov.