Cybersecurity

Position

  • Community banks should not be required by regulators to use one framework, tool or assessment over another to identify and mitigate cybersecurity risk. Community banks should maintain their existing flexibility to use the framework, tool or assessment that best fits their size and complexity.
  • ICBA supports voluntary information sharing among financial institutions of all sizes, public-private partnerships and between federal agencies for the purpose of identifying, responding to, and mitigating cybersecurity threats and vulnerabilities while appropriately balancing the need to secure customer information.
  • Any federal cybersecurity legislation, new or proposed cybersecurity frameworks, regulations or guidance must recognize existing mandates, frameworks, tools, standards and guidance to ensure community banks are not burdened with having to reassess their critical systems against yet another standard to achieve the same results.
  • Regulators must recognize community banks’ reliance on third party technology service providers and work to ensure community banks are adequately protected by broadening the supervision of service providers to include additional core, IT service providers. Regulators also must ensure that employees and subcontractors of technology service providers comply with nondisclosure and confidentiality requirements similar to existing regulatory requirements for banks.
  • ICBA supports community bank use of the .BANK web domain, a trusted, verified, more secure and easily identifiable location on the Internet for the banking community and the customers it serves.
  • ICBA supports the adoption of Sheltered Harbor by member banks and their core vendors to protect consumer account data in the event of a significant cyber or other disruptive event.
  • ICBA will work with community bank core providers to ensure equitable and reasonable access to sector cybersecurity initiatives for community banks.

Background

The financial services industry and community banks are on the front lines defending against cybersecurity threats and take their role in securing data and personal information very seriously. As a result of growing cyber threats and intrusions, the federal government has focused increasingly on cybersecurity.

Policymakers Must Recognize Existing Cyber Security Frameworks, Tools and Assessments. In 2014 the Commerce Department’s National Institute of Standards and Technology (NIST) released a Framework pursuant to a 2013 Executive Order (EO) designed to improve the cybersecurity of U.S. critical infrastructure, which includes the financial services sector. A revised version of the draft Framework was released in early 2017. The framework provides a structure that organizations, regulators, and customers may use to create, guide, assess, or improve comprehensive cybersecurity programs.

In 2015, the Federal Financial Institutions Examination Council (FFIEC) released a Cybersecurity Assessment Tool (CAT) specifically for financial institutions. While voluntary for banks to complete, examiners have begun using the CAT.

In late 2016, Treasury and the Federal Reserve announced adoption of the G-7 Fundamental Elements of Cybersecurity for the Financial Sector, which provide a concise set of principles on best practices in cybersecurity for public and private entities in the financial sector.

Regulators should recognize the unique steps that community banks take to protect their critical systems and customer data. Regulators should not mandate the use of any one framework, tool or assessment, but rather support community banks’ ability to use the framework, tool or assessment that best suits their institution’s size and complexity.

Harmonization of Regulatory Requirements. Any new or proposed frameworks or guidance should be voluntary and consistent with existing frameworks or guidance. A consistent regulatory framework avoids the risk of framework fatigue among community banks, which distracts from their primary business of serving customers. The New York Department of Financial Services was the first state regulatory authority to issue a proposed cyber security regulation for state-chartered banks which differed from the federal standards. Different requirements throughout the country will create a burden on small institutions. Moreover, requiring differing standards may serve to do little by way of cybersecurity preparedness.

Threat Information Sharing is Critical. The sharing of advanced threat and attack data between federal agencies and financial sector participants helps manage cyber threats and protect critical systems. ICBA supports community banks’ involvement with services such as the Financial Services Information Sharing and Analysis Center (FS-ISAC), a non-profit, information-sharing forum established by financial services industry participants to facilitate the public and private sectors’ sharing of physical and cybersecurity threat and vulnerability information. ICBA also supports FS-ISAC’s cross-sector information sharing efforts to enhance overall resiliency of the nation’s critical infrastructure.

Regulators Should Recognize Third Party Risk. Community banks significantly rely on third party service providers to support their systems and business activities. While community banks are diligent in their management of third parties, mitigating sophisticated cyber threats against these third parties, especially when they have connections to other institutions and servicers, can be challenging. Regulators must be aware of the significant interconnectivity of these third parties and collaborate with them to mitigate this risk. The agencies should evaluate the concentration risks of service providers to financial institutions and broaden supervision of technology service providers to include additional core, IT service providers. Because employees of technology service providers have access to confidential bank information that could be used to commit fraud, damage a bank’s reputation, or compromise customer privacy, regulators must ensure that these service providers implement nondisclosure and confidentiality requirements similar to existing regulatory requirements for banks.

.BANK Web Domain. The .BANK web domain is a trusted, verified, secure and easily identifiable location on the Internet for the banking community and the customers it serves. With several security standards in place, users of a .BANK website can be assured they are landing on participants’ actual websites as opposed to being redirected elsewhere such as malicious or spoofed sites. .BANK also provides email authentication to mitigate spoofing and phishing and encryption for Internet connections to ensure data privacy and security. ICBA will work with the .BANK registry to promote .BANK registration and implementation among ICBA member banks.

Sheltered Harbor. This financial services sector initiative is designed to improve resiliency and provide enhanced protections for financial institutions’ customer accounts and data. Sheltered Harbor enables financial institutions to securely store and rapidly reconstitute account information, making it available to customers, whether through a service provider or another financial institution, if an institution is unable to recover from a cyber incident in a timely fashion.

Staff Contacts: Jeremy Dalpiaz, Lilly Thomas, and Aaron Stetter