Cybersecurity is a major concern for financial institutions and financial regulators. Recent data breaches at large financial institutions have raised concerns about the privacy and security of consumer financial information. For example, a data breach at an insurance company in 2019
Research shows that 25% of malware attacks target financial services firms. Moreover, the cost of cybercrime to financial institutions exceeds the cost of cybercrime to other industries. For example, a 2019 private study found that the average cost of cybercrime per company was highest in the financial services sector.
* * *

Figure 1. Cybercrime costs by sector ($ millions)
Source: Figure prepared by CRS using data from Accenture, Unlocking the Value of Improved Cybersecurity Protection.
* * *
Cybersecurity threats pose operational and reputational risks. Operational risk is the threat that events such as natural disasters, pandemics, and cyberattacks limit or completely disrupt an organization's ability to conduct business. Reputational risk is the threat that customers will take their business elsewhere because of the behavior of, or events relating to, a financial institution. For example, if a financial institution fails to protect customer information during a cyberattack, customers may lose trust in it. Cybersecurity therefore protects against several aspects of both operational and reputational risk.
If the system as a whole fails to address cybersecurity adequately, the result can be systemic risk: the risk that a cybersecurity incident destabilizes the financial system. For example, in a highly interconnected financial system, a cybersecurity incident at a major bank or payment network could disrupt the operations of many other financial institutions. Moreover,
Federal policy approach
The federal government increasingly recognizes the importance of cybersecurity in the financial services industry, and each federal financial regulator has a role in it. Numerous laws address cybersecurity aspects of various industries. Some contain specific provisions that direct financial regulators to issue rules establishing cybersecurity standards for financial institutions, require those institutions to comply with the standards, and give regulators authority to supervise compliance. Other laws give regulators broad authority to regulate and supervise financial institutions for safety and soundness, and regulators rely on these broad authorities to shape the cybersecurity policies of their regulated entities.
The Gramm-Leach-Bliley Act of 1999 (GLBA; PL 106-102) is the most comprehensive of these laws. It directs financial regulators to implement both disclosure requirements and security measures to protect personal information, and it provides the framework for regulating the data privacy and security practices of financial institutions. That framework rests on two pillars: (1) privacy standards, which restrict how financial institutions may disclose consumer information, and (2) security standards, which require financial institutions to implement specific practices to protect information from unauthorized access, use, and disclosure. The rules implementing this framework are known as the Privacy Rule (Regulation P) and the Safeguards Rule.
The Sarbanes-Oxley Act of 2002 (PL 107-204) imposes annual reporting requirements on companies that file reports under Sections 13(a) and 15(d) of the Securities Exchange Act of 1934. It also includes a requirement to submit
The Fair and Accurate Credit Transactions Act (PL 108-159) amended the Fair Credit Reporting Act to require the regulatory agencies to develop identity theft guidelines that identify "patterns, practices, and specific forms of activity that indicate potential identity theft" (15 U.S.C. §1681).
The Bank Protection Act, as amended (PL 90-389), directs the federal banking regulators to establish minimum security standards for banks and savings associations to deter robberies, burglaries, and larcenies (12 U.S.C. §§1881-1884). Although the law does not mention cybersecurity, the banking regulators interpret it to include protection against cyber threats.
Other federal laws, such as the Bank Service Company Act of 1962 (PL 87-856) and the laws establishing financial regulators' authority to conduct safety-and-soundness examinations, extend that oversight to banks' relationships with third parties (e.g., technology service providers).
Regulators rely on these broad authorities to develop and impose cybersecurity requirements on regulated entities. For example, banking regulators monitor cybersecurity through on-site examinations conducted under their authority to examine banks for safety and soundness, and they can require a bank to take corrective action if its cybersecurity policies are inadequate. Moreover,
Policy considerations
Oversight of cybersecurity in banking and financial services reflects a complex and sometimes overlapping set of state and federal laws, regulators, regulations, and guidance, many of which predate the emergence of cybersecurity risk. Whether this framework is effective and efficient, providing adequate protection against cyberattacks without imposing undue cost burdens on banks, is an open question. Successful hacks of banks and other financial institutions, resulting in the theft or compromise of large amounts of personal information, underscore the importance of bank cybersecurity. In addition, the fact that several regulators implement, supervise, and enforce federal requirements raises questions about the resulting patchwork of consumer privacy and security standards. Some argue that a unified and modernized legal framework could improve on this patchwork approach.
Other policy considerations
Data security standards
One area of debate is whether data security standards should be prescriptive and government-defined or flexible and outcomes-based. Some argue that prescriptive approaches are inflexible and can impede innovation. Others argue that an outcomes-based approach may leave institutions facing a wide range of data standards with which to comply. For example,
Financial data and consumer relief
GLBA covers only non-public personal information held by financial institutions that are significantly engaged in financial activities. As the industry's use of data grows, some question whether the law reaches all sensitive personal financial information. For example, data brokers compile public and private data from many sources; much of that data may not individually be subject to GLBA, yet combined it may reveal sensitive information about consumers. In addition, consumers have limited ability to control or correct their financial data, which can make it difficult to obtain relief after a data breach.
Cloud service providers
Banks pay a cloud service provider (CSP) to use the CSP's computing resources (such as servers) rather than maintaining their own. A bank's use of CSPs is illustrative of its broader vendor relationships and of the cybersecurity risks those relationships pose. Cyber risk can change and grow as banks rely more heavily on advanced IT services such as the cloud. Many banks also rely on the same small number of providers (three major CSPs account for 60%-70% of the market), which can turn a cyber risk at one provider into a systemic risk that affects financial data and impairs the flow of financial transactions. Operational concerns such as concentration and lock-in risk have pushed banks toward multi-cloud strategies (contracting with multiple CSPs and running technology environments that span several of them), which can expand the number of vendor relationships whose cybersecurity a bank must manage.
Cryptocurrencies, data privacy, and fraud
Recent interest in the cryptocurrency market has highlighted a significant policy trade-off between preserving the privacy that pseudonymous cryptocurrency instruments are designed to provide and ensuring the transparency needed to enforce anti-money-laundering rules. In addition, crypto companies may partner with fintechs and banks, which could test the limits of existing data privacy frameworks in financial services.
CRS resources
CRS Report R44429, Financial Services and Cybersecurity: The Federal Role
CRS Insight IN11199, Big Data in Financial Services: Privacy and Security Regulations
CRS Testimony TE10021, Consumer Data Security and Credit Bureaus
CRS In Focus IF11985, Banks’ Use of Cloud Technology
* * *
This CRS In Focus (IF11717) is posted at https://crsreports.congress.gov/product/pdf/IF/IF11717.