Congressional Research Service Issues In Focus White Paper on Financial Cybersecurity
Here are excerpts:
* * *
Introduction to Financial Services: Financial Cybersecurity
Cybersecurity is a major concern of financial institutions and financial regulators. Recent data breaches at large financial institutions have increased concerns about the privacy and security of consumer financial information. For example, in 2019, a data breach at insurance company
Research suggests that 25% of malware attacks target financial services companies. Further, the cost of cybercrime at financial institutions outpaces the cost of cybercrime to other industries. For example, according to a 2019 private study, the per-company cost of cybercrime is over
* * *
Figure 1. Costs of Cybercrime Across Sectors (by sector, $ in millions)
Source: Figure created by CRS, adapted from Accenture, Unlocking the Value of Improved Cybersecurity Protection,
* * *
Cybersecurity threats pose operational risk and reputational risk. Operational risk is the threat that an event - such as a natural disaster, pandemic, or cyberattack - limits or completely obstructs an institution's ability to do business. Reputational risk is the threat that customers will take their business elsewhere based on the actions of or associated with a financial institution. For example, if a financial institution fails to secure a customer's information during a cyberattack, the customer may lose trust in the institution. Cybersecurity protects against some aspects of operational and reputational risk.
If the entire system fails to adequately address cybersecurity concerns, this could lead to systemic risk - the risk that a cybersecurity incident would destabilize the financial system. For example, in a highly interconnected financial system, a cybersecurity incident at one of the major banks or payment networks could adversely affect operations at many other financial institutions. Further, the
Federal Policy Approaches
The federal government has increasingly recognized the importance of cybersecurity in the financial services industry, and federal financial regulators each have a role in cybersecurity. Numerous laws cover aspects of cybersecurity for different industries. Some of these laws contain specific provisions that require financial regulators to implement rules that establish cybersecurity standards for financial institutions, and they provide regulators the authority to supervise these institutions for compliance with such standards. Other laws provide broad authority to regulators to regulate and supervise financial institutions for safety and soundness. Financial regulators rely on these broad authorities to shape cybersecurity policies for the institutions they regulate.
The Gramm-Leach-Bliley Act of 1999 (GLBA; P.L. 106-102) is the most comprehensive of these laws and directs financial regulators to implement disclosure requirements and security measures to safeguard private information. GLBA provides a framework for regulating data privacy and security practices for financial institutions. This framework is built upon two pillars: (1) privacy standards that impose disclosure limitations on financial institutions concerning consumers' information and (2) security standards that require institutions to implement certain practices to safeguard information from unauthorized access, use, and disclosure. The rules implementing this framework are known as the Privacy Rule (Regulation P) and the Safeguards Rule.
The Sarbanes-Oxley Act of 2002 (P.L. 107-204) contains provisions requiring a corporation that files reports under Sections 13(a) and 15(d) of the Securities Exchange Act of 1934 to also file annual reports with the
The Fair and Accurate Credit Transactions Act (P.L. 108-159) amended the Fair Credit Reporting Act to require regulatory agencies to develop identity theft guidelines, which outline "patterns, practices, and specific forms of activity that indicate the possible existence of identity theft" (15 U.S.C. §1681).
The Bank Protection Act (P.L. 90-389), as amended, directs the federal bank regulators to establish minimum security standards for banks and savings associations to "discourage robberies, burglaries, and larcenies" (12 U.S.C. §§1881-1884). Although the law does not mention cybersecurity, bank regulators interpret it to include protection against cyber threats.
Other federal laws, such as the Bank Service Company Act of 1962 (P.L. 87-856) and the laws that establish the authorities for financial regulators to conduct safety and soundness examinations, allow regulators to regulate and supervise financial institution activities and partnerships (e.g., with technology service providers).
Regulators rely on these broad authorities to shape and impose cybersecurity requirements on the institutions they regulate. For example, the banking regulators monitor cybersecurity issues by conducting on-site examinations under their authority to examine banks for safety and soundness and can require banks to take remedial action if their cybersecurity policies are deficient. Further, in
Policy Considerations for
Oversight of financial services and bank cybersecurity reflects a complex and sometimes overlapping array of state and federal laws, regulators, regulations, and guidance - many of which predate the emergence of cybersecurity risk. Whether this framework is effective and efficient, resulting in adequate protection against cyberattacks without imposing undue cost burdens on banks, is an open question. Successful hacks of banks and other financial institutions, wherein huge amounts of personal information are stolen or compromised, highlight the importance of ensuring bank cybersecurity. Further, the fact that several regulators implement, supervise, and enforce federal provisions has raised questions over the patchwork of regulatory standards for consumer privacy and security. Some argue that a unified and modernized legislative framework could improve this patchwork approach. Other policy considerations for
Data Security Standards
One area of debate is whether data security standards should be prescriptive and government-defined or flexible and outcome-based. Some argue that a prescriptive approach could be inflexible and harm innovation; others argue that an outcome-based approach might lead to institutions having to comply with a wide range of data standards. For instance, in
Financial Data and Consumer Redress
GLBA covers only nonpublic personal information held by financial institutions significantly engaged in financial activities. As the industry's data use has grown, some have debated whether the law covers all sensitive individual financial information. For example, data brokers can compile public and private data from different sources. Many of these data may not be subject to GLBA's provisions, but combining them might reveal sensitive information about a consumer. Further, consumers have a limited ability to control or correct financial data, which can make it difficult to obtain redress for data breaches.
Cloud Service Providers
Banks pay cloud service providers (CSPs) to use CSPs' computing resources (e.g., servers) rather than maintaining their own. Use of CSPs can be emblematic of banks' relationships with a broader base of vendors and how these ties may introduce more cybersecurity risks. Cyber risks change, and may increase, for banks with increased reliance on advanced IT solutions, such as cloud. Also, many banks rely on a few providers. (Three major CSPs account for 60%-70% of market share.) This could transform cyber risk to systemic risk, with FSOC noting that a "cyber event at a critical vendor with a large number of clients could result in widespread disruption in access to financial data and could impair the flow of financial transactions." Concentration risk and operational concerns, such as lock-in risk, may bias banks toward multi-cloud strategies - contracts with and technology postures consisting of multiple CSPs - thereby expanding the relationships for which banks must manage cybersecurity.
Cryptocurrency, Data Privacy, and Illicit Activity
The recent interest in cryptocurrency markets has highlighted a potential policy tradeoff between ensuring the intended privacy of pseudonymous cryptocurrency instruments and ensuring transparency to implement anti-money laundering regulation. Further, as crypto firms partner with fintechs and potentially even banks, the limits of the existing data privacy framework for financial services could be tested.
CRS Resources
CRS Report R44429, Financial Services and Cybersecurity: The Federal Role
CRS Insight IN11199, Big Data in Financial Services: Privacy and Security Regulation
CRS Testimony TE10021, Consumer Data Security and the Credit Bureaus
CRS In Focus IF11985, Bank Use of Cloud Technology
* * *
The white paper is posted at: https://crsreports.congress.gov/product/pdf/IF/IF11717