ICBA Policy Resolutions: Cybersecurity and Data Security, Privacy and Fraud

ICBA Position: Cybersecurity

Any federal cybersecurity legislation, regulation, guidance, or framework should recognize existing mandates and standards to ensure community banks are not burdened with the obligation to reassess their critical systems against yet another standard which would yield the same results.
Regulators should not mandate the use of any one framework, tool, or assessment, but rather support community banks’ ability to use the framework, tool or assessment that best suits their institution’s size and complexity.
ICBA supports voluntary information sharing among financial institutions of all sizes, public-private partnerships, and federal agencies for the purpose of identifying, responding to, and mitigating cybersecurity threats and vulnerabilities while appropriately balancing the need to secure customer information.
Prudential regulators must broaden their supervision to include core processors and other third-party technology service providers community banks rely on. Employees and subcontractors of technology service providers must comply with nondisclosure and confidentiality requirements similar to those that apply to banks.
Congress must subject credit reporting agencies and other customer financial data collectors/aggregators to banking agency examination and supervision comparable to that which applies to community banks and other financial institutions.
ICBA supports sector cybersecurity initiatives such as .BANK and Sheltered Harbor and will work with community bank core processors to ensure equitable and reasonable access to these initiatives.

Background

The financial services industry and community banks are on the front lines defending against cybersecurity threats and take their role in securing data and personal information very seriously. As a result of sophisticated and constantly evolving cyber threats and intrusions, the federal government and private industry are increasingly focused on cybersecurity.

Expand all

Cybersecurity Risk Assessment Tools

Policymakers must recognize existing cybersecurity frameworks, tools, and assessments, such as the Commerce Department’s National Institute of Standards and Technology (NIST) Cybersecurity Framework and the Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool (CAT).

NIST provides a structure that organizations, regulators, and customers may use to create, guide, assess, or improve comprehensive cybersecurity programs. CAT is a voluntary framework now commonly used by community banks and examiners.
Threat Information Sharing is Critical

The sharing of advanced threat and attack data between federal agencies and financial sector participants helps manage cyber threats and protect critical systems.

ICBA supports community banks’ involvement with services such as the Financial Services Information Sharing and Analysis Center (FS-ISAC), a non-profit information-sharing forum established by financial services industry participants to facilitate the public and private sectors’ sharing of physical and cybersecurity threat and vulnerability information.

ICBA also supports FS-ISAC’s cross-sector information sharing efforts to enhance overall resiliency of the nation’s critical infrastructure.
Regulators Should Recognize Third Party Risk

Community banks significantly rely on third party service providers to support their systems and business activities. While community banks are diligent in their management of third parties, mitigating sophisticated cyber threats against these third parties can be challenging, especially when they have connections to other institutions and servicers.

Regulators must be aware of the significant interconnectivity of these third parties and collaborate with them to mitigate risk. The agencies should evaluate the concentration risks of service providers to financial institutions and broaden supervision of technology service providers to include additional core, IT service providers.

Because employees of technology service providers have access to confidential bank information that could be used to commit fraud, damage a bank’s reputation, or compromise customer privacy, regulators must ensure that these service providers implement nondisclosure and confidentiality requirements which are similar to existing regulatory requirements for banks.
Examination and Supervision of Credit Rating Agencies

The 2017 Equifax data breach demonstrated how important it is that the credit rating agencies (CRAs) and other collectors/aggregators of customer financial data be subject to examination and supervision by prudential regulators.

The release of this information has the potential to adversely affect American consumers for the remainder of their lives and presents unique challenges for all financial institutions in authenticating new and existing customers. Subjecting CRAs and similar organizations to this level of oversight may prevent future breaches.
Sector Cybersecurity Initiatives

The .BANK web domain is a trusted, verified, secure, and easily identifiable location on the Internet for the banking community and the customers it serves. With rigorous security standards in place, users of a .BANK website can be assured they are landing on participants’ actual websites as opposed to being redirected elsewhere such as a malicious or spoofed site. .BANK also provides email authentication to mitigate spoofing and phishing and encryption for internet connections to ensure data privacy and security.

Sheltered Harbor is designed to improve resiliency and provide enhanced protections for financial institution customer accounts and data. Sheltered Harbor enables financial institutions to securely store and rapidly restore account information, making it available to customers through a service provider or another financial institution when an institution is unable to recover from a cyber incident in a timely fashion.

ICBA's Position: Data Security and Fraud

All participants in the payments and financial systems, including merchants, aggregators, technology companies, and other entities with access to customer financial information, should be subject to Gramm-Leach-Bliley Act-like data security standards.
ICBA supports a national data security breach and notification standard to replace the current patchwork of state laws.
Community banks should be notified by impacted entities of a potential and/or actual breach as expeditiously as possible in order to mitigate losses.
The costs of data breaches should ultimately be borne by the party that incurs the breach. Barring a shift in liability to the breached entity, community banks should have continued access to various cost-recovery options, including account recovery programs and litigation.
All stakeholders must continue to freely innovate to effectively protect consumer data and consumer confidence.
ICBA supports stronger data security standards and practices for regulatory agencies and staff.

Background

Data breaches at a national credit bureau, national retail and hotel chains, social media networks, and elsewhere have the potential to jeopardize consumers’ financial integrity and confidence in the financial services industry.

Community banks are strong guardians of the security and confidentiality of customer information as a matter of good business practice and legal and regulatory requirements. Safeguarding customer information is central to maintaining public trust and retaining customers.

However, bad actors will continue to look for weaknesses in the payments and information systems in various industries and breaches will occur.

Expand all

Extend Gramm-Leach-Bliley Act-Like Standards

Under current federal law, retailers, technology companies, and other parties that process or store consumer financial data are not subject to the same federal data security standards and oversight as financial institutions.

Securing financial data at financial institutions is of limited value if it remains exposed at the point-of-sale and other processing points. To effectively secure customer data, all participants in the payments system, and all entities with access to customer financial information, should be subject to and maintain well-recognized standards such as those created by the Gramm-Leach-Bliley Act (GLBA).
A National Data Security Breach and Notification Standard is Vital

Many states have enacted laws with differing requirements for providing notice in the event of a data breach. This patchwork of state notification laws and potentially overly broad notification requirements only increase burdens and costs, foster confusion, and ultimately are detrimental to customers.

While notifying customers is appropriate, any national notification standard needs to be accompanied by GLBA-like data security standards for all participants of the financial services industry to provide consumers a greater level of protection. Federal banking agencies should continue to set the standard for financial institutions.
Banks Need Timely and Enhanced Breach Notification

It is equally important that community banks receive timely notification concerning the nature and scope of any breach when bank customer information may have been compromised so that they may take steps to mitigate the damage. Enhanced breach notifications can save community banks time and money while better serving the impacted consumer.
Breach Liability Should Incentivize Stronger Security

Regardless of where a breach occurs, banks are stewards of the customer financial relationship and take a variety of steps at their own expense to protect the integrity of customer accounts.

These costs should ultimately be borne by the party that incurs the breach. Barring a liability shift, community banks should have access to various cost recovery options. Too often, the breached entity skates by while financial institutions are left to mitigate damages to their customers.
Regulators Should Hold Data Safely

Despite issuing rules, regulations, and guidance, and examining financial institutions for the safekeeping of customer data, regulatory bodies have also been subject to data breaches. During bank examinations, regulators become privy to, and hold, sensitive bank information, including customer information.

Like banks, regulatory agencies have a responsibility to safeguard this sensitive information. Liability from a potential breach into any of the prudential regulators’ systems may be unfairly assigned to community banks that securely submitted their data.

ICBA's Position: Privacy

ICBA supports privacy measures which hold all entities that handle personal information to the same standards that community banks and other financial institutions are held to through the Gramm-Leach-Bliley Act (GLBA) and other financial regulatory oversight.
ICBA supports a national privacy standard as opposed to a patchwork of state privacy acts and standards.
ICBA supports GLBA entity-level exemption from proposed state privacy laws.

Background

By their very nature, community banks and other financial institutions must collect sensitive nonpublic personally identifiable information (PII) about customers to meet their needs for financial services, which includes an array of deposit and loan services.

This information is also used to prevent fraud, identity theft and comply with various regulatory requirements. Safeguarding customer information is central to financial institutions maintaining public trust and retaining customers.

Expand all

Third Party and Non-Bank Privacy.

Information that is gathered by entities outside of the financial services industry is not held to the same standards as it relates to safeguarding information. Once information is shared with permissioned third-parties, consumers may no longer have control of their personal and financial information.

The potential for abuse is real and can be extremely harmful to consumers. This leaves consumers vulnerable to entities that may mislead them about what they do with the information they collect. This places an extraordinary burden on consumers to be vigilant in their research and knowledge of firms to which they may provide their online account credentials.

For this reason, ICBA has profound concerns that non-bank entities which may be authorized by consumers to access their information and store their bank login credentials may not take the same care in protecting consumer privacy and data as community banks.

At a minimum, consumers must have the same GLBA-like privacy protections with permissioned third parties as they have with banks, including limitations on the use of consumer information and limitations on the disclosure of the consumer’s information to third parties.
Privacy Standards.

Community banks are committed to complying with existing standards to protect customer privacy as outlined in the GLBA and the Safeguards Rule. However, many states are establishing privacy requirements to enhance consumer protection.

While ICBA fully supports privacy standards, particularly as it relates to protecting consumer financial information and PII, creating a patchwork of differing state privacy laws and requirements creates unnecessary costs and burdens for community banks and other small businesses.

It is important to maintain one standard as opposed to many complex and potentially competing state-level standards.
GLBA Exemption

Community banks have protected consumer privacy for the last two decades under the Gramm-Leach-Bliley Act. ICBA supports the GLBA and the privacy standards and enforcement it requires.

Given the patchwork of state privacy laws currently in place and being signed into law, ICBA supports an entity-level exemption from proposed laws due to the strict privacy requirements in GLBA and stringent enforcement by federal regulators. Complying to both the GLBA and the various state laws which community banks may fall under, would be both unnecessarily burdensome and duplicative.

The GLBA requires financial institutions to provide protections for consumer’s data and prevents financial institutions from sharing consumers’ personal information under certain circumstances without offering consumers a reasonable opportunity to opt out of such sharing.

Further, the GLBA’s Safeguards Rule requires financial institutions to review their consumer data, identify security risks and develop a comprehensive security program to protect consumer data from unauthorized use and disclosure. Including such an exemption in state privacy laws will continue to protect consumers while avoiding any unnecessary barriers to community banks.

ICBA Staff Contacts

Joel Williquette, Steven Estep,
and Susan Sullivan

Summaries

Title	Content Type	Date
CISA Guidance Summary (?)	ICBA Summaries	11/07/2016
ICBA Summary of Government Accountability Office Report: Cybersecurity – Bank and Other Depository Regulators Need Better Analytics and Depository Institutions Want More Usable Information (?)	ICBA Summaries	11/04/2016
FDIC Financial Institution Letter 43-2016 (?)	ICBA Summaries	07/01/2016

1 2 3 4

Testimony

Title

Committee

Presenter

Date

Letters to Congress

Title

Recipient

Date

Letters to Regulators

Title

Recipient

Date

<< Back to Cyber & Data Security Guide Advocacy Mitigation Training Breach Communication