ICBA Policy Resolutions: Cybersecurity and Data Security, Privacy and Fraud

ICBA Position: Cybersecurity

  • Any federal cybersecurity legislation, regulation, guidance, or framework should recognize existing mandates and standards to ensure community banks are not burdened with the obligation to reassess their critical systems against yet another standard that would yield the same results.
  • Regulators should not mandate the use of any one framework, tool, or assessment, but rather support community banks’ ability to use the framework, tool or assessment that best suits their institution’s size and complexity.
  • ICBA supports voluntary information sharing among financial institutions of all sizes, public-private partnerships, and federal agencies for the purpose of identifying, responding to, and mitigating cybersecurity threats and vulnerabilities while appropriately balancing the need to secure customer information.
  • Prudential regulators must broaden their supervision to include core processors and other third-party technology service providers community banks rely on. Employees and subcontractors of technology service providers must comply with nondisclosure and confidentiality requirements similar to those that apply to banks.
  • Congress must subject credit reporting agencies and other customer financial data collectors/aggregators to banking agency examination and supervision comparable to that which applies to community banks and other financial institutions.
  • ICBA supports sector cybersecurity initiatives such as .BANK and Sheltered Harbor and will work with community bank core processors to ensure equitable and reasonable access to these initiatives.


The financial services industry and community banks are on the front lines defending against cybersecurity threats and take their role in securing data and personal information very seriously. As a result of sophisticated and constantly evolving cyber threats and intrusions, the federal government and private industry are increasingly focused on cybersecurity.

  • Cybersecurity Risk Assessment Tools

  • Threat Information Sharing is Critical

  • Regulators Should Recognize Third Party Risk

  • Examination and Supervision of Credit Rating Agencies

  • Sector Cybersecurity Initiatives

ICBA's Position: Data Security and Fraud

  • All participants in the payments and financial systems, including merchants, aggregators, technology companies, and other entities with access to customer financial information, should be subject to Gramm-Leach-Bliley Act-like data security standards.
  • ICBA supports a national data security breach and notification standard to replace the current patchwork of state laws.
  • Community banks should be notified by impacted entities of a potential and/or actual breach as expeditiously as possible in order to mitigate losses.
  • The costs of data breaches should ultimately be borne by the party that incurs the breach. Barring a shift in liability to the breached entity, community banks should have continued access to various cost-recovery options, including account recovery programs and litigation.
  • All stakeholders must continue to freely innovate to effectively protect consumer data and consumer confidence.
  • ICBA supports stronger data security standards and practices for regulatory agencies and staff.


Data breaches at a national credit bureau, national retail and hotel chains, social media networks, and elsewhere have the potential to jeopardize consumers’ financial integrity and confidence in the financial services industry.

Community banks are strong guardians of the security and confidentiality of customer information as a matter of good business practice and legal and regulatory requirements. Safeguarding customer information is central to maintaining public trust and retaining customers.

However, bad actors will continue to look for weaknesses in the payments and information systems in various industries, and breaches will occur.

  • Extend Gramm-Leach-Bliley Act-Like Standards

  • A National Data Security Breach and Notification Standard is Vital

  • Banks Need Timely and Enhanced Breach Notification

  • Breach Liability Should Incentivize Stronger Security

  • Regulators Should Hold Data Safely

ICBA's Position: Privacy

  • ICBA supports privacy measures which hold all entities that handle personal information to the same standards that community banks and other financial institutions are held to through the Gramm-Leach-Bliley Act (GLBA) and other financial regulatory oversight.
  • ICBA supports a national privacy standard as opposed to a patchwork of state privacy acts and standards.
  • ICBA supports GLBA entity-level exemption from proposed state privacy laws.


By their very nature, community banks and other financial institutions must collect sensitive nonpublic personally identifiable information (PII) about customers to meet their needs for financial services, which includes an array of deposit and loan services.

This information is also used to prevent fraud and identity theft and to comply with various regulatory requirements. Safeguarding customer information is central to financial institutions maintaining public trust and retaining customers.

  • Third Party and Non-Bank Privacy.

  • Privacy Standards.

  • GLBA Exemption

ICBA Staff Contacts

Joel Williquette, Steven Estep and Susan Sullivan

