Compliance

Jonathan Camhi
State Governments & the Future of Cyber Security Regulation

With Washington deadlocked by partisanship, it's falling to states to inspect banks' cyber security practices, and that could mean trouble for some small institutions.

Government regulators' interest in banks' IT security practices has spiked recently in the wake of increasingly sophisticated cyber attacks, like the data breaches that stole credit card data from millions of consumers last December. In the last couple of months, the SEC released new cyber security guidelines for brokerages and investment firms, and New York became the first state to audit the cyber security defenses of financial institutions.

"We're seeing these big cyber attacks, and a regulatory framework is always part of the discussion in security. So we expect to see more regulatory attention on this," Roel Schouwenberg, principal security researcher at Kaspersky Lab, told us.

Carl Herberger, vice president of security solutions at Radware, said that, with no national cyber security legislation coming from Washington, states are forced to act to protect consumer data from hackers.

[For more on this topic: Why Congressional Legislation Is Still Needed on Cyber Security]

"It makes sense for states to conduct their own cyber security assessments where financial services is relevant, like in New York," Herberger said. "With regulations regarding data leakage, we already see California and Massachusetts taking the lead."

How cyber security standards are developed and implemented will determine how state-level regulations could impact banks. Schouwenberg said some companies are already shying away from doing direct business in Massachusetts because of its strict data privacy laws.

As the first state to conduct cyber security audits of banks, New York has provided an example of what banks can expect from regulators assessing this area. In a May report, New York's Department of Financial Services outlined several "pillars" of a compliant information security framework for banks under its jurisdiction, including having a written information security policy and training staff on the latest cyber security risks.

A 2013 Department of Financial Services survey found that more than 90% of large banks in the state have a security framework that meets the requirements. However, small banks (those with less than $1 billion in assets) were found to be lagging behind their larger counterparts in key areas. Only 62% of small banks conducted security audits of their IT vendors and partners, compared to 80% of large and midsized ones. And less than 25% of small banks participated in a threat information-sharing organization like the Financial Services Information Sharing and Analysis Center (FS-ISAC).

"I was surprised by the participation in FSISAC. I thought it would be much higher," Schouwenberg said. "Everyone should join that, and if some small financial institutions aren't doing that, then it makes me wonder what else they're not doing."

Paul Smocer, president of BITS, the technology arm of the Financial Services Roundtable, told us small banks often have fewer resources to throw at security issues, but they also have fewer risks, because attackers tend to target large institutions. But that doesn't dismiss the need for small banks to stay up to date on risks and best practices by engaging with the FSISAC. These banks often rely heavily on outsourcing IT services to vendors, so auditing those vendors is of particular importance for them.

"Smaller banks need to understand what their vendors and service providers are doing for them security-wise," he said. "You can outsource a service, but you can't outsource the risk."

Jonathan Camhi has been an associate editor with Bank Systems & Technology since 2012. He previously worked as a freelance journalist in New York City covering politics, health and immigration, and has a master's degree from the City University of New York's Graduate School ...

Comments
Jonathan_Camhi, User Rank: Author
7/10/2014 | 12:01:30 PM
Re: Low hanging fruit
It's my understanding that this is already starting to happen to some extent. More attacks are aimed at mid-size banks right now as the largest ones have really upped their security measures. Eventually the mid-size banks will similarly improve and then the fraudsters will likely turn to community banks and credit unions.
Jonathan_Camhi, User Rank: Author
7/10/2014 | 11:59:52 AM
Re: State Governments & the Future of Cyber Security Regulation
No matter what the cost of compliance is here, it won't be nearly as much as the cost of a breach. So that approach wouldn't make that much sense dollars-wise, especially if you figure that the fraudsters would probably start to target banks in the states with the least strict regulations. And they definitely would do so eventually. They're pretty clever that way.
Greg MacSweeney, User Rank: Author
7/9/2014 | 4:52:52 PM
Re: Low hanging fruit
Good point. The ability to fly under the radar was also seen during the credit crisis. Following the credit crisis, there were many dozens of small banks that were shut down because of bad debt. No one ever really thought to look at these small banks at the beginning of the crisis. But as their balance sheets got worse, they had to be closed.
Rodney Brown, User Rank: Author
7/9/2014 | 3:33:03 PM
Re: Low hanging fruit
I have a relative who consults for banks on risk, and he agrees that poor oversight is one of the greatest risk factors for small bank failure. The feds have very strict guidelines about percentages of bad debt outstanding, and without that being checked regularly, the smaller banks often get way out of line with those guidelines. The same could easily be true of cyber security regulations.
Lorna Garey, User Rank: Apprentice
7/9/2014 | 2:30:57 PM
Re: State Governments & the Future of Cyber Security Regulation
Do you worry that a lack of uniformity will result in a "race to the bottom" where institutions decide to put their HQs in states with weak regulations and lax enforcement? That's a reasonable business decision in the short term, which is what investors seem to look for.
Greg MacSweeney, User Rank: Author
7/9/2014 | 10:17:12 AM
Low hanging fruit
Although Paul Smocer, president of BITS, says that small banks have fewer risks, because attackers tend to target large institutions, small bank CIOs (or CISOs, if they have them) need to realize that hackers and cybercriminals will always target the banks with the weakest security -- no matter the bank's size.

As the larger banks step up their cyber preparedness, the smaller banks need to keep pace, or the criminals will go after the smaller, but easier to obtain, targets at small banks.
Byurcan, User Rank: Author
7/9/2014 | 9:12:05 AM
State Governments & the Future of Cyber Security Regulation
This makes sense. States can and should be allowed to take the lead in a wide range of issues affecting them without having to wait for any direction from the federal government.