The Federal Communications Commission last week added Moscow-based cybersecurity software company Kaspersky to a list of companies whose products pose “a threat to national security.”
Although a company spokeswoman declined to say how many U.S. banks the privately owned company serves, the company is known to serve banks internationally, and in 2015 it identified a cyberattack targeting financial institutions. Kaspersky said recently on its website it protects the data of “over 400 million users” and that it has 240,000 corporate clients around the world.
Kaspersky-branded products have long been a top pick among independent reviewers, including AV Test, PC Magazine, TechRadar and Tom’s Guide, and a popular choice among U.S. banking consumers. Among the features in its consumer software is Safe Money, a web browser extension designed to protect consumers online where they enter bank or payment information.
Though last week’s announcement from the FCC about Kaspersky is not the first action against the company by the U.S. government, it is a timely message about the government’s stance on the company’s suite of products. According to Reuters, the government began privately warning some companies the day after Russia invaded Ukraine that Moscow could manipulate Kaspersky software to cause harm.
“Today’s action is the latest in the FCC’s ongoing efforts, as part of the greater whole-of-government approach, to strengthen America’s communications networks against national security threats, including examining the foreign ownership of telecommunications companies providing service in the United States and revoking the authorization to operate where necessary,” said FCC Chairwoman Jessica Rosenworcel.
Before the FCC declared that Kaspersky products pose a national security threat, Germany’s Federal Office for Information Security said on March 15 that any Russian IT manufacturer “can conduct offensive operations itself, be forced to attack target systems against its will, be spied on without its knowledge as a victim of a cyber operation or be misused as a tool for attacks against its own customers.”
The Italian Data Protection Authority said on March 18 it had begun a “fact-finding exercise” regarding Kaspersky products in response to alerts from “several IT security agencies both in Italy and in Europe regarding use of the software to wage cyber-attacks against Italian users.”
Kaspersky responded to the German statement by saying it was “not based on a technical assessment of Kaspersky products” but rather “made on political grounds.” The company said it relocated its cyberthreat-related data processing infrastructure to Switzerland in 2018 and that it had other processing operations in Canada, Germany and elsewhere.
“The security and integrity of our data services and engineering practices have been confirmed by independent third-party assessments: through the SOC 2 Audit conducted by a ‘Big Four’ auditor, and through the ISO27001 certification and recent re-certification by TÜV Austria,” a company statement reads.
Kaspersky doubled down on its line about politics after the FCC’s announcement last week, saying the government action was “a response to the geopolitical climate rather than a comprehensive evaluation of the integrity of Kaspersky’s products and services.”
A Kaspersky spokeswoman told American Banker the company’s technologies “are trusted by hundreds of global technology and OEM partners” and that it works together with law enforcement agencies including Interpol and Europol. The spokeswoman also said Kaspersky “does not have any ties to the Russian government.”
Critics pointed out Kaspersky counts the Russian government as one of its clients, attacked company CEO Eugene Kaspersky for his statement on Russia’s invasion of Ukraine and said his Russian employees could become targets of government coercion. Product review publication PC Magazine, which Kaspersky had previously held up as a positive reviewer, said it could “no longer recommend Kaspersky products.”
The FCC’s action last week cited a directive issued by the Department of Homeland Security in 2017, requiring all federal agencies to drop any reliance on Kaspersky products. Congress later passed a law affirming the action, and President Donald Trump signed it. The company responded by suing the government on a claim that it had been deprived of due process.
A judge later dismissed the lawsuit and a second case the company filed questioning the constitutionality of the related law, saying that although the actions could well have an adverse effect on the company, “that does not make them unconstitutional.”