Washington Watch


Cyber Security Showdown

Security will be top Washington priority in 2015

By Lilly Thomas and Aaron Stetter

The rising visibility of data breaches and the pervasiveness of hacking ensure that cybersecurity and data protection will be top Washington priorities in 2015. Despite the public’s apparent apathy to the seemingly daily reports of cyberthreats, Congress and the regulators want to act in the aftermath of breaches at Home Depot, Target Corp. and other major retailers.

For ICBA and community banks, this represents a new set of opportunities and challenges—to improve the nation’s cyberdefenses and require greater data protections among retailers without incurring additional and unnecessary regulatory burdens. By supporting cybersecurity information-sharing and consistent data-security standards for all payments system participants, ICBA is looking to reduce security risks for community banks by bringing others up to their standard.

Bipartisan opportunity

While 2015 will have no shortage of Washington partisanship, Republicans and Democrats appear to share common ground in pursuing data-security and cybersecurity reform in the 114th Congress. Following an executive order from President Obama, the National Institute of Standards and Technology last year released a cybersecurity framework that is voluntary and focused on aligning policy, business and technological approaches to address cyber-risks in all critical infrastructure sectors. Similarly, a Republican task force recently issued an innovation agenda for the new Congress that emphasized public-private partnership, individual rights and a non-regulatory approach.

Several congressional committees will have a hand in crafting legislation. If policymakers stick to these core principles of voluntary standards and collaboration, community banks will have ample opportunity to achieve successful reforms of both data-security and cybersecurity policies.

Data duties

Data security is front and center in Washington due to the onslaught of massive data breaches at major retailers. ICBA’s data-security objectives focus on ensuring all participants in the payments system—including merchants—are required to play by the same kinds of rules and regulations. That means applying Gramm-Leach-Bliley standards on all participants and requiring the costs of data breaches to be borne by the breached party.

ICBA also will continue to support a national data-security breach and notification standard that will replace the current patchwork of state laws. Further, ICBA opposes efforts to make banks liable for losses incurred by business customers as a result of their poor security practices. And while community banks continue to move to chip technology for debit and credit cards, policymakers and other stakeholders should understand that these technologies alone would not prevent future data breaches and do not protect against fraud in card-not-present transactions, such as online purchases.

Community banks had to reissue more than 4 million payments cards following the data breaches at Target and Neiman Marcus at a cost of more than $40 million, ICBA found. This doesn’t begin to include the subsequent breaches at Home Depot, Kmart, P.F. Chang’s and countless other merchants. Together, ICBA’s data-security initiatives are designed to reduce the cost of retailer data breaches for community banks while ensuring the breached merchants pay their fair share. With the power that the lightly regulated retail sector wields in Washington, increasing merchant accountability will not be easy. But ICBA and community banks will do everything we can to promote a fairer system for our industry.

Information sharing

In the realm of cybersecurity, ICBA is working to ensure Washington recognizes that community banks take the issue seriously and already comply with a bevy of mandates under existing federal and state laws, regulations and guidance. Community banks and others in the financial sector are on the frontlines in defending against cyberthreats. Protecting the confidentiality and integrity of consumer data and mitigating the risks of hacking and cyberfraud are part of the community bank business.

To improve how we as a nation combat this persistent threat, the public and private sectors must be willing and able to share advanced threat and attack data in a timely manner and among financial institutions of all sizes. This principle of equitable information-sharing is a central part of ICBA’s cybersecurity platform, and fortunately it is a top issue for policymakers as they consider legislation to encourage two-way information-sharing among the public and private sectors including liability protections for private-sector institutions that would encourage them to share cyberthreat information with the government.

Further, ICBA opposes efforts to make banks liable for losses stemming from the poor security practices of their business customers and is working with the industry to enhance card security by implementing chip technology, tokenization and end-to-encryption. While community banks are diligent in managing these vendors, mitigating cyberthreats to these outside parties is a challenge. As a result, we’re calling on regulators to be aware of the significant interconnectivity of these third parties and to actively collaborate to mitigate their risks.

Tools of the trade

The impact of the upcoming Washington action on cybersecurity and data security remains to be seen, but there are available resources to help community banks protect themselves and their customers from persistent threats. For instance, banking regulators are encouraging all financial institutions to participate in the Financial Services Information Sharing and Analysis Center.

FS-ISAC provides alerts and real-time information on security threats at nominal fees. Meanwhile, ICBA continues to offer data- and cybersecurity resources on its website, including a toolkit to help community banks respond to retail data breaches.

The cybercrime that plagues the public and private sectors has put the onus on Washington to act in 2015. ICBA and community banks will work diligently to maximize the effectiveness of our nation’s response while mitigating the potential for negative consequences for our industry and the communities we serve.

Lilly Thomas (lilly.thomas@icba.org) is ICBA vice president and senior regulatory counsel, and
Aaron Stetter (aaron.stetter@icba.org) is ICBA senior vice president of congressional relations and advocacy.