On November 18, 2014, several major financial institutions received requests from lawmakers for detailed information about recent data breaches and for briefings from their corporate data security officials. The lawmakers hope that the feedback they receive will be helpful as Congress examines federal cybersecurity laws and considers ways to protect sensitive consumer and government information.
The letters were sent to 16 banks, investment firms and other financial services providers by Senator Elizabeth Warren (D-MA), a member of the Senate Banking Committee, and Representative Elijah Cummings (D-MD), the ranking member of the House Oversight and Government Reform Committee. In the letters, Warren and Cummings cite recent press accounts reporting that “law enforcement officials believe the ‘U.S. financial sector is one of the most targeted in the world,’” and that approximately “80% of hacking victims in the business community didn’t even realize they had been hacked until they were told by investigators.”
According to Warren and Cummings, the “increased frequency and sophistication of cyber-attacks on both public and private entities highlights the need for greater collaboration to improve data security,” and, thus, they have called on the financial institutions to provide details about their experience with cyber attacks over the preceding year, as well as to identify any recommendations for improvements in cyber security laws or coordination of efforts to identify and respond to cyber security risks.
In particular, the letters request that each financial institution provide details regarding the number of data breaches experienced over the past year, the number of customers affected, the manner in which customers were notified, any findings from forensic investigative analysis or reports, information about who is suspected to have carried out the attacks, a description of new cyber security measures the companies instituted after discovering data breaches, an estimate of the number and value of fraudulent transactions resulting from the data breaches and a description of the data security policies and procedures that govern the financial institution’s relationships with third parties. Finally, the letters request a briefing from each financial institution’s chief information security professional. The financial institutions have until December 8, 2014, to provide the requested briefing and until December 19, 2014, to provide the requested data.
A copy of the press release issued by Sen. Warren and Rep. Cummings is available here.