Data and Cyber Security

Position

• Any new Federal and state legislation, regulation, or guidance should be non-proscriptive and non-duplicative.
• Regulators should not mandate the use of any one framework, tool, or assessment, but rather support community banks’ ability to use the framework, tool or assessment that best suits their institution’s size, complexity, and risk tolerance.
• ICBA supports bi-directional sharing of threat intelligence between the financial sector and the government.
• ICBA supports national data security standards with exemptions for community banks already covered under GLBA.
• ICBA suggests that regulators broadening their supervision to include all companies that have access to consumer financial data.
• ICBA supports stronger cyber security standards and practices for government.
• ICBA supports financial sector initiatives such as .BANK and Sheltered Harbor.

Background

Community banks are on the frontline defending the financial sector and bank customers against cyber threats. As a result of sophisticated and constantly evolving threat landscape the federal government and the financial sector are increasingly focused on cyber security.

To better address the increased threat and provide banks with the ability to implement risk-based security programs, state and Federal legislation, regulation, and guidance should be non-proscriptive and non-duplicative in approach and recognize existing or similar regulatory requirements. The patchwork of state data security laws and requirements increases burdens and costs, fosters confusion, and is detrimental to customers.

ICBA supports national data security standards that include appropriate exemptions for community banks that are already covered under GLBA. Regulators should broaden their supervision to include all third parties that have access to, use, or store consumer financial data. These companies should be regulated to Gramm-Leach-Bliley Act (GLBA) like standards.

ICBA supports bi-directional threat information sharing between the financial sector and the government, such as the Financial Services Information Sharing and Analysis Center (FS-ISAC), a non-profit information-sharing forum established by financial sector. ICBA recognizes that the U.S. Government also has a responsibility to safeguard financial and personally identifiable information (PII) and to provide banks with visibility into the government’s business continuity, incident response, and other critical resiliency plans.

ICBA supports the work of .BANK, Sheltered Harbor, and other financial sector efforts to enhance protection for bank customer account data.