Small banks facing greater cyber risks urge Congress to act

Smaller banks lack robust resources and are dependent on third-party security providers

“We must step up action to deal with cybersecurity, particularly with our community banks,” said Rep. Maxine Waters, D-Calif., who chairs the House Financial Services Committee. (Tom Williams/CQ Roll Call file photo)
Posted November 9, 2021 at 6:30am

Community banks, minority lending institutions and credit unions face greater risks of cyberattacks and damage from data breaches, a group of experts told lawmakers recently. The smaller institutions are asking Congress to plug holes in laws that exempt retailers and other entities that handle financial information for smaller banks from data security regulations.

While large financial institutions, including Wall Street banks, have poured resources into beefing up cybersecurity, hiring in-house professionals and operating 24/7 security operations centers, smaller banks lack such resources and are dependent on third-party providers, experts told the House Financial Services Subcommittee on Consumer Protection and Financial Institutions last week.

Since financial institutions connect with one another and a vast web of companies — including retailers, suppliers, software vendors and other companies that handle customers’ financial information — an attack on one small bank could easily spread to others, experts said.

“As a result, any realistic assessment of cyber risks to the financial system cannot simply look to the bigger banks but must assess the full range of financial institutions,” said Samir Jain, director of policy at the Center for Democracy and Technology.

Laws governing data protection should cover all the entities that handle consumer financial information, including credit rating agencies, retailers and third-party tech providers, Jain said.

Ransomware and other cyberattacks targeting critical infrastructure are growing worldwide, and financial institutions are particularly vulnerable. The cybersecurity firm Trend Micro recently reported that ransomware attacks on the banking industry grew 1,318 percent in the first half of 2021 compared with the first half of 2020.

“Tech companies, financial institutions and many other businesses are collecting and storing more consumer data than ever before,” Rep. Ed Perlmutter, D-Colo., chairman of the consumer protection panel, said at last week’s hearing. “Issues of cybersecurity and consumer data rights are intertwined, and this makes cybersecurity critical for all financial institutions, large and small.”

Complicated jurisdictions

Regulation and oversight of financial institutions is spread across multiple agencies, including the Federal Reserve, the Office of the Comptroller of the Currency, the Federal Deposit Insurance Corporation and the National Credit Union Administration, said Jeffrey Newgard, president and CEO of the Bank of Idaho.

“Unfortunately, these disparate agencies do not adequately coordinate their data security efforts,” Newgard told lawmakers. He testified on behalf of the Independent Community Bankers of America.

Financial institutions and banks, for example, are governed by the Gramm-Leach-Bliley Act and are required to protect their customers’ data and comply with data security standards.

But retailers, tech companies and other entities that process and store financial data are not subject to standards that apply to banks, Newgard said.

“Securing data at financial institutions is of limited value if it remains exposed at the point of sale and other processing points,” Newgard said.

The rapid pace of technological change has meant that small banks are no longer able to manage their tech needs in-house. To remain competitive, they have to provide such services as mobile and internet banking but are forced to turn to so-called core processors that offer such services to multiple banks, Newgard said.

Such third-party tech providers that offer services to multiple banks could be highly vulnerable to cyberattacks, Newgard said.

Reliant on a few firms

Small banks also are highly dependent on a handful of core processors, according to Robert James, chairman of the National Bankers Association.

“Because of this concentration, our institutions are saddled with complex, onerous, long-term contracts that stifle innovation in all areas, including security and identity verification,” said James, whose group represents minority depository institutions. “Contracts are punitive if we want to terminate, and if we do, the extraction of our data for conversion is cost prohibitive.”

Some lawmakers said they would consider legislation to address the gaps.

“We must step up action to deal with cybersecurity, particularly with our community banks,” as well as minority lending institutions that are at the “mercy of core processors,” said Rep. Maxine Waters, D-Calif., chairwoman of the House Financial Services Committee.

The committee has proposed three bills, including one that would expand the scope of the Gramm-Leach-Bliley Act’s provisions and give the Consumer Financial Protection Bureau powers to enact and enforce rules governing data aggregators and other financial institutions.

Two other proposed bills would regulate third-party vendors providing services to credit unions and clarify that CFPB has authority to supervise credit rating agencies.

Newgard said retailers and other point-of-sale operators who suffer a data breach that results in a customer’s credit or debit card being exposed don’t bear any costs for restoring a customer’s financial access.

Banks often bear the cost and burden of restoring financial services to a customer, Newgard said.

Pressed by Missouri Rep. Blaine Luetkemeyer, the top Republican on the consumer protection panel, to offer a solution, Newgard said, “The retailers … the entities that are breached need to bear the cost, so they need to be responsible for that breach.”