Like many other industries, financial institutions that become more technologically reliant are subjected to numerous and repeated cyberattacks. As the former General Counsel for Florida’s financial institutions regulator (the Florida Office of Financial Regulation), I was amazed at the frequency and complexity of many such cyberattacks. As a cybersecurity expert put it to me, “it’s like bugs hitting the windshield while driving down the highway on a summer afternoon.” That is what many businesses, including financial institutions, face daily. To their credit, financial institutions often implement very robust security software to handle the attacks.
The following is a very brief overview of steps being taken in the financial world to address this very real and dangerous threat.
Cybersecurity Assessment Tool
In 2015, the Federal Financial Institutions Examination Council (“FFIEC”) released the Cybersecurity Assessment Tool (“Assessment”) in response to financial institutions’ growing concerns with cyberattacks (including malware and the extortive ransomware) that have increased in frequency and severity. Such attacks can have debilitating effects on a financial institution’s ability to operate and provide services to customers and businesses, not to mention safeguarding confidential account information.
The FFIEC was established in 1979 and is composed of six voting members: one from the Federal Reserve Board (“FRB”), the Chairman of the Federal Deposit Insurance Corporation (“FDIC”), the Comptroller of the Currency (“OCC”), the Chairman of the National Credit Union Administration, the Director of the Consumer Financial Protection Bureau (“CFPB”), and the Chairman of the State Liaison Committee (which itself is comprised of five representatives from various state financial regulators). The FFIEC prescribes “uniform principles, standards, and report forms and to promote uniformity in the supervision of financial institutions”.
The Assessment is a voluntary self-assessment tool that aids an institution in: identifying cybersecurity risk; determining the institution’s cybersecurity preparedness; evaluating whether that preparedness is aligned with the identified and inherent risks; determining risk management controls and practices; and informing risk management strategies.
The Assessment can also be used to manage an institution’s oversight of third-party providers and is closely aligned with the FFIEC’s IT Examination Handbook, which itself “provides guidance to examiners and financial institutions on the characteristics of an effective information technology audit.”
Financial institutions are required to file Suspicious Activity Reports (“SARs”) with the Treasury Department’s Financial Crimes Enforcement Network (“FinCEN”) to report suspicious transactions. For example, SARs are used to report large cash transactions that could be indicative of money laundering. FinCEN is now using SARs as a reporting tool for “cyber events.” FinCEN requires the reporting of even unsuccessful attacks, but due to cost and possibly the volume of attacks, institutions may file numerous incidents in a single report as opposed to filing a report for each incident. It is believed that such reporting and sharing of information could aid in deterring attacks and may assist in identifying attackers. The ultimate goal, however, is to safeguard the customers and the integrity of the institution.
Advance Notice of Proposed Rulemaking – the Feds
On October 19, 2016, the OCC, FRB and FDIC issued an advance notice of proposed rulemaking for possible enhanced risk management standards and resilience standards that would apply to “depository institutions and depository holding companies with total consolidated assets of $50 billion or more, the U.S. operations of foreign banking organizations with total U.S. assets of $50 billion or more, and financial market infrastructure companies and nonbank financial companies supervised by the FRB.” These standards would also be applicable to third-party providers of the aforementioned. In addition, there would be higher standards for “systems that provide key functionality to the financial sector.”
“Fintech” is a term used to describe “any technological innovation in the financial sector, including innovations in financial literacy and education, retail banking, investment and even crypto-currencies like bitcoin.” There are many fintech firms offering services, and the OCC is currently considering the development of a “federal fintech charter” to establish standards for these firms that provide services to financial institutions.
The OCC also announced that it would be creating “an office of innovation” to spearhead research and communication with fintech to encourage the development of new banking products. The new office will also help financial institutions figure out what to do with the technology brought to them by fintech firms. The office will facilitate communication between the fintech firms and financial institutions, particularly community banks.
This is just a small sampling of an ever-growing regulatory scheme designed to protect institutions and consumers, and the diverse nature of these safeguards makes it evident that cybersecurity is an issue of growing importance and concern. Ultimately, the responsibility to safeguard falls primarily to the financial institution, and could necessitate financial institutions, state regulators and their partners investing in and recruiting technologically apt employees with the requisite skillsets to meet the demands and threats associated with cyber events.
All of these methods serve the ultimate purpose of preventing a major disruption of the financial sector that could result from a major cyber event. This is an emerging field, and while there are many unknown variables, federal and state regulators and third-party fintech firms are becoming more and more invested in addressing it. Operators within the field, and those who may be affected, are well advised to keep abreast of the trends and innovations.