October 21
Buckle up, bankers: cybersecurity is about to be regulated. Evidence for this conjecture can be found in recent speeches by New York banking regulator Benjamin Lawsky, who announced in October the
Lawsky's concept is not new. Martin Gruenberg, chairman of the Federal Deposit Insurance Corp., has spoken forcefully about the data breach risk faced by banks. "Cybersecurity is no longer just an issue for the IT department," he said in a September
It's undeniably true that cyberintrusions pose a major threat to financial institutions, and no one expects the current onslaught of breaches to diminish. Given that reality, the question is not whether regulatory action in this area will come, but when. Banks must already maintain basic information protection to comply with the safeguards rule for data security under the Gramm-Leach-Bliley Act of 1999. But the law does not prescribe a standard set of protocols that banks must follow, and the interpretation and application of its requirements can vary as widely as the number of banks regulated.
Laws and regulations are usually enacted in response to the lowest common denominator. A company discovers lead in its paint, and a regulation shortly follows that says no one is allowed to put lead in paint anymore. Cybersecurity regulation, however, will have to address more complicated and intersecting issues. Enormous companies with tremendous information security budgets and protections are breached every week. Regulations can help assign legal duties and responsibility, clarify investor and shareholder disclosure obligations, and settle many other issues that otherwise end up in litigation once a bank's information has been compromised.
Banks' relationships with third-party vendors are also likely to be governed by future regulation, according to recent signals from the New York State Department of Financial Services and the U.S. Treasury. There is good logic behind this proposal. While an individual bank's information security practices may be solid, the same cannot necessarily be said for third-party vendors that may have access to a bank's networks but not the same level of data protection, training or contractual protection. A true information security assessment must include a review of these third-party relationships. Regulation that requires banks to address these considerations is an obvious next step.
Cybersecurity is a continually shifting area. On a daily basis, new threats are discovered and other protections are rendered obsolete. But with more regulations undoubtedly on the way, banks should act now to integrate cybersecurity into every board meeting. They should also update information security policies, review third-party vendors and their contracts, run vulnerability assessments, and create a crisis response team.
Voluntarily taking these basic precautions now will be less costly than waiting for inevitable regulations to mandate a response. And if regulators add incentives for early adopters of cybersecurity precautions as they are expected to, proactive banks can get ahead of the competition.
Shamoil Shipchandler, David Ball and Daniel Meyers are partners at Bracewell & Giuliani.