On Wednesday, the Pennsylvania Department of Banking (“DOBS”) issued a two page letter to the Pennsylvania financial services industry with a succinct, clear message: get your cybersecurity houses in order or else. The DOBS letter specifically highlights the grave risks that accompany the banking industry’s routine, day-to-day handling of some of the most sensitive forms of consumer information.
Despite the grim picture painted in the letter, the DOBS does something rather surprising: rather than announcing a litany of new regulations and requirements, the DOBS instead acknowledges the diverse nature of the evolving threats to regulated entities based on their unique and particularized operations and provides links to key resources to help individual businesses choose how best to develop effective cybersecurity measures and respond to the threats they face. Though this strategy lacks concrete regulations and progress requirements typical in the financial sector, it is actually the best thing for the financial services industry in Pennsylvania. By refusing to adopt a one-size fits all approach to cybersecurity, the DOBS demonstrates that it understands the realities facing all financial services businesses tasked with protecting sensitive data.
The generalized threats to banking that DOBS highlights in the letter and the newly created DOBS Cybersecurity Task Force are nothing new. Federal Banking regulators and private industry groups have long sounded the call for adequate cybersecurity regulations and planning. Though the DOBS Cybersecurity Task Force’s new website includes a litany of links and suggestions for regulated institutions, all are pre-existing resources from other government agencies including the Federal Financial Institutions Examination Council and the Securities and Exchange Commission. Additionally, the DOBS makes clear it is merely continuing the mission for all Commonwealth agencies to safeguard against cyber-attacks and educate the general public on the importance of cybersecurity. If the DOBS letter does not announce a new understanding of Department policy or even make specific demands on the banking industry and, instead simply sets out vague ‘suggested cybersecurity tactics’ the industry should consider, what should financial institutions regulated by the DOBS make of this announcement?
Echoing comments made by our own Steve Grossman, the DOBS letter highlights the importance of having a robust plan in place to deal with cybersecurity threats before a breach occurs. Further, the DOBS letter shows that the Department understands the challenges presented by an ever-changing security landscape, recognizing that a one-size-fits- all approach to cybersecurity simply does not work.
A brick and mortar bank interfacing with customers on a day-to-day basis, for example, is going to confront vastly different threats than an electronic payment processor working behind the scenes in the cloud and should develop significantly different cybersecurity plans to adequately protect sensitive data. As we have previously highlighted on this blog, and as noted in the DOBS letter, many cybersecurity threats come from ‘off-line’ rather than ‘on-line’ sources. A bank with hundreds of employees, countless third-party vendors, and thousands of customers coming and going creates a security environment that is markedly different from a payment processor that exists primarily in the cloud, has few employees, and fewer customer interactions. Though the actual data possessed by the bank and the processor may be identical, it makes sense that the bank has a different cybersecurity plan in place as compared to the payment processor. An individualized and comprehensive plan to prevent and mitigate potential breaches, therefore, is essential for all regulated financial services entities.
While some may be disappointed that the Department of Banking’s initial proclamation on cybersecurity fails to delineate concrete rules to regulate an industry with access to limitless amounts of sensitive data, such an approach would be short sighted. Indeed, though the Department may be relatively late to the game in speaking on these issues, their adaptive approach should be commended.