- ICBA supports voluntary information sharing among financial institutions and between federal agencies and community banks for the purpose of identifying, responding to, and mitigating cybersecurity threats and vulnerabilities while appropriately balancing the need to secure customer information.
- Any federal legislation in the area of cybersecurity must recognize the existing mandates set forth in current federal and state laws, regulations, and guidance relating to securing data, including the Gramm-Leach-Bliley Act, which requires community banks to protect customer data and maintain a consumer notification plan in the event of a data breach.
- Any new or proposed cybersecurity frameworks, regulations or guidance should recognize existing frameworks, tools, standards and guidance to ensure community banks are not burdened with having to reassess their critical systems against yet another standard to achieve the same results.
- Regulators must recognize community banks’ reliance on third parties and work to ensure community banks are adequately protected by broadening the supervision of technology service providers to include more core, IT service providers. Regulators also must ensure that employees and subcontractors of technology service providers comply with nondisclosure and confidentiality requirements similar to existing regulatory requirements for banks.
The financial services industry and community banks are on the front lines defending against cybersecurity threats and take their role in securing data and personal information very seriously. As a result of growing cyber threats and intrusions, the federal government has focused increasingly on cybersecurity.
Policymakers Must Recognize Existing Data Security Mandates. In 2014 the Commerce Department's National Institute of Standards and Technology (NIST) released a Framework pursuant to a 2013 Executive Order (EO) designed to improve the cybersecurity of U.S. critical infrastructure, which includes the financial services sector. The Framework provides a structure that organizations, regulators, and customers can use to create, guide, assess, or improve comprehensive cybersecurity programs.
In 2015, the Federal Financial Institutions Examination Council (FFIEC) released a Cybersecurity Assessment Tool for use by all banks. While the tool is voluntary, examiners have stated their intent to use the Assessment in future examinations. This would force community banks to reassess their critical systems using the Cybersecurity Assessment Tool despite previous assessments using NIST or another industry-approved standard.
Regulators should recognize the unique steps that community banks take to protect their critical systems and customer data. Any new or proposed frameworks or guidance should be consistent with existing frameworks or guidance. Regulators risk “framework fatigue” among community banks, which distracts them from their primary business of serving customers.
Threat Information Sharing is Critical. The sharing of advanced threat and attack data between federal agencies and the appropriate financial sector participants helps community banks manage cyber threats and protect critical systems. ICBA supports community banks’ involvement with services such as the Financial Services Information Sharing and Analysis Center (FS-ISAC), a non-profit, information-sharing forum established by financial services industry participants to facilitate the public and private sectors’ sharing of physical and cybersecurity threat and vulnerability information. ICBA also supports FS-ISAC efforts to take complex threat information across communities, people, and devices and to analyze, prioritize, and route it to users in real time, as long as those efforts incorporate community banks and such advancements are cost-effective for community banks.
Regulators Should Recognize Third Party Risk. Community banks rely significantly on third-party service providers to support their systems and business activities. While community banks are diligent in their management of third parties, mitigating sophisticated cyber threats to these third parties, especially when they have connections to other institutions and servicers, can be challenging. Regulators must be aware of the significant interconnectivity of these third parties and collaborate with them to mitigate this risk. The agencies should evaluate the concentration risks of service providers to financial institutions and broaden supervision of technology service providers to include more core, IT service providers. Employees of third-party service providers have access to confidential bank information, including cyber vulnerabilities, that could be used to compromise a community bank’s system. Regulators must ensure that these service providers implement nondisclosure and confidentiality requirements similar to existing regulatory requirements for banks.