- Any federal legislation in the area of cybersecurity must recognize the existing mandates set forth in current federal and state laws, regulations, and guidance relating to securing data, including the Gramm-Leach-Bliley Act, that require community banks to protect customer data and maintain a consumer notification plan in the event of a data breach.
- It is important that information be shared between the federal agencies and community banks to mitigate cyber threats and safeguard banks’ critical systems.
- ICBA supports information sharing among financial institutions for the purpose of identifying, responding to, and mitigating cybersecurity threats and vulnerabilities while maintaining an appropriate balance with securing customer information.
- It is important that regulators recognize community banks’ reliance on third parties and work collaboratively with third parties to ensure community banks are adequately protected by broadening the supervision of technology service providers to include more core, IT service providers.
The financial services industry and community banks are typically on the front lines of defending against cybersecurity threats and take their role in securing data and personal information very seriously. As a result of growing cyber threats and intrusions, the federal government has focused increasingly on cybersecurity. In 2013, the White House issued an Executive Order (EO) designed to improve the cybersecurity of U.S. critical infrastructure, which includes the financial services sector. The EO attempts to enhance the security and resiliency of critical infrastructure through voluntary, collaborative efforts involving federal agencies and private owners and operators, and calls for the development of a voluntary, risk-based Cybersecurity Framework—a set of existing standards, guidelines and practices to help organizations manage cyber risks. In 2014, the Commerce Department's National Institute of Standards and Technology (NIST) released the Framework called for by the EO. The Framework provides a structure that organizations, regulators and customers can use to create, guide, assess or improve comprehensive cybersecurity programs.
Policymakers Must Recognize Existing Data Security Mandates. Any new legislation, frameworks, or standards policymakers develop should first recognize the existing standards and practices community banks observe to protect the confidentiality and integrity of customer personal data and to mitigate cyber threats. The NIST Cybersecurity Framework, for example, and the 2013 Executive Order that called for it, were developed to create a baseline for reducing cyber risk across all critical infrastructure sectors, and the Gramm-Leach-Bliley Act sets forth rigorous and effective data security protocols for the financial sector. It is important to extend comparable standards to all critical infrastructure sectors, including the commercial facilities sector, which incorporates the retail industry and other potentially vulnerable entities.
Threat Information Sharing is Critical. ICBA supports the sharing of advanced threat and attack data between federal agencies and the appropriate financial sector participants, including community banks. Community banks rely on this critical information to help them manage cyber threats and protect their systems. ICBA supports community banks’ involvement with services such as the Financial Services Information Sharing and Analysis Center (FS-ISAC). The FS-ISAC is a non-profit information-sharing forum established by financial services industry participants to facilitate the public and private sectors’ sharing of physical and cybersecurity threat and vulnerability information. ICBA also supports FS-ISAC efforts to take complex threat information from across communities, people and devices and analyze, prioritize, and route it to users in real time, as long as those efforts incorporate community banks and such advancements are cost-effective for community banks.
Regulators Should Recognize Third-Party Risk. Community banks rely significantly on third parties to support their systems and business activities. While community banks are diligent in their management of third parties, mitigating sophisticated cyber threats to these third parties, especially when they have connections to other institutions and servicers, can be challenging. Regulators must be aware of the significant interconnectivity of these third parties and must collaborate with them to mitigate this risk. This can be done by agencies evaluating the concentration risk that service providers pose to financial institutions, and by broadening supervision of technology service providers to include more core, IT service providers through expansion of the Multi-Regional Data Processing Servicer Program (MDPS) to cover such providers.