- Any federal cybersecurity legislation, and any new or proposed cybersecurity framework, regulation, or guidance, must recognize existing mandates, frameworks, tools, standards, and guidance so that community banks are not burdened with reassessing their critical systems against yet another standard that yields the same results.
- ICBA supports voluntary information sharing among financial institutions of all sizes, through public-private partnerships, and between federal agencies for the purpose of identifying, responding to, and mitigating cybersecurity threats and vulnerabilities, while appropriately balancing the need to secure customer information.
- Prudential regulators must broaden their supervision to include core processors and other third-party technology service providers community banks rely on. Employees and subcontractors of technology service providers must comply with nondisclosure and confidentiality requirements similar to those that currently apply to banks.
- Congress must subject credit reporting agencies and other collectors and aggregators of customer financial data to banking agency examination and supervision comparable to that which applies to community banks and other financial institutions.
- ICBA supports sector cybersecurity initiatives such as .BANK and Sheltered Harbor and will work with community bank core processors to ensure equitable and reasonable access to these initiatives.
The financial services industry and community banks are on the front lines defending against cybersecurity threats and take their role in securing data and personal information very seriously. As a result of growing cyber threats and intrusions, the federal government is increasingly focused on cybersecurity.
Cybersecurity Risk Assessment Tools
Policymakers must recognize existing cybersecurity frameworks, tools, and assessments, such as the Commerce Department's National Institute of Standards and Technology (NIST) Cybersecurity Framework and the Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool (CAT). The NIST framework provides a voluntary structure that organizations, regulators, and customers may use to create, guide, assess, or improve comprehensive cybersecurity programs. The CAT is a voluntary assessment tool now commonly used by community banks and their examiners.
Members of the Financial Services Sector Coordinating Council are developing a new sector profile intended to serve as a voluntary cybersecurity tool for financial institutions. The proposed profile melds existing cybersecurity frameworks, tools, and assessments, both voluntary and mandatory, into one new framework. Some of the informative references being used in its development do not reflect the negligible risk that community banks pose to the financial services system.
Regulators should not mandate the use of any one framework, tool, or assessment, but rather support community banks’ ability to use the framework, tool or assessment that best suits their institution’s size and complexity.
Threat Information Sharing is Critical
The sharing of threat and attack data between federal agencies and financial sector participants helps institutions manage cyber threats and protect critical systems. ICBA supports community banks' participation in services such as the Financial Services Information Sharing and Analysis Center (FS-ISAC), a non-profit information-sharing forum established by financial services industry participants to facilitate the sharing of physical and cybersecurity threat and vulnerability information between the public and private sectors. ICBA also supports FS-ISAC's cross-sector information sharing efforts to enhance the overall resiliency of the nation's critical infrastructure.
Regulators Should Recognize Third Party Risk
Community banks rely significantly on third party service providers to support their systems and business activities. While community banks are diligent in their management of third parties, mitigating sophisticated cyber threats against these third parties can be challenging, especially when the providers are connected to other institutions and servicers. Regulators must be aware of the significant interconnectivity of these third parties and collaborate with them to mitigate this risk. The agencies should evaluate the concentration risk that service providers pose to financial institutions and broaden their supervision of technology service providers to include additional core processors and IT service providers. Because employees of technology service providers have access to confidential bank information that could be used to commit fraud, damage a bank's reputation, or compromise customer privacy, regulators must ensure that these service providers implement nondisclosure and confidentiality requirements similar to the regulatory requirements that already apply to banks.
Examination and Supervision of Credit Reporting Agencies
In light of the recent Equifax data breach, it is also important that credit reporting agencies (CRAs) and other collectors and aggregators of customer financial data be subject to examination and supervision by prudential regulators. The exposure of this information has the potential to affect American consumers for the remainder of their lives, and it presents unique challenges for all financial institutions in authenticating new and existing customers, since the personal data used to verify identity is now in the hands of attackers. Subjecting CRAs and similar organizations to this level of oversight may help prevent future breaches.
Sector Cybersecurity Initiatives
The .BANK web domain is a trusted, verified, secure, and easily identifiable location on the Internet for the banking community and the customers it serves. Because registration is restricted to verified banking entities and registrants must meet rigorous security requirements, users of a .BANK website can be assured they have reached a participating bank's actual website rather than a malicious or spoofed site. .BANK also requires email authentication to mitigate spoofing and phishing, and encryption of Internet connections to ensure data privacy and security.
Sheltered Harbor is designed to improve resiliency and provide enhanced protection for financial institutions' customer accounts and data. Sheltered Harbor enables financial institutions to securely store and rapidly reconstitute account information, making it available to customers through a service provider or another financial institution if an institution is unable to recover from a cyber incident in a timely fashion.
Staff Contacts: Jeremy Dalpiaz, Lilly Thomas, Amy Roberti, and Aaron Stetter