- Any federal legislation in the area of cyber security must recognize the existing mandates set forth in current federal and state laws, regulations, and guidance relating to securing data, including the Gramm-Leach-Bliley Act, that require community banks to protect customer data and maintain a consumer notification plan in the event of a data breach.
- It is important that information be shared between the federal agencies and community banks to mitigate cyber threats and safeguard banks’ critical systems.
- It is important that regulators recognize community banks’ reliance on third parties and work collaboratively with third parties to ensure community banks are adequately protected.
The financial services industry and community banks are typically on the front lines of defending against cyber security threats and take their role in securing data and personal information very seriously. As a result of growing cyber threats and intrusions, the federal government has focused increasingly on cyber security. In February 2013, the White House issued an executive order designed to improve the cyber security of U.S. critical infrastructure, which includes the financial services sector. The Executive Order attempts to enhance the security and resiliency of critical infrastructure through voluntary, collaborative efforts involving federal agencies and private owners and operators.
Legislation, frameworks, and standards should recognize the standards and practices community banks use to protect the confidentiality and integrity of personal data as well as to mitigate risks associated with cyber threats. Additionally, ICBA supports the sharing of advanced threat and attack data between federal agencies and the appropriate financial sector participants, including community banks. Community banks rely on this critical information to help them manage their cyber threats and protect their systems.
Community banks significantly rely on third parties to support their systems and business activities. While community banks are diligent in their management of third parties, mitigating sophisticated cyber threats to these third parties, especially when they have connections to other institutions and servicers, can be challenging. Regulators must be aware of the significant interconnectivity of these third parties and must collaborate with them to mitigate this risk.
Staff Contact: Lilly Thomas