Small Financial Institutions Say They’re Getting Squeezed by Others’ Bad Cybersecurity Practices

A House subcommittee got an earful from representatives of small banks, credit unions and minority financial institutions at a hearing on improving cybersecurity and customer data privacy.

The House Committee on Financial Services Subcommittee on Consumer Protection and Financial Institutions convened the hearing on “Cyber Threats, Consumer Data and Financial Institutions,” to ask witnesses about their cybersecurity efforts and what additional help they need.

What the subcommittee got was a litany of issues, including small institutions’ needs being neglected by their vendors, the lack of coordination between federal agencies regulating their cyber measure and a near-monopoly by “core processor” providers that handle the vast majority of every financial institution’s back-office functions.

Rep. Ed Perlmutter, D- Colo., chairman of the subcommittee, cited the huge increase in ransomware attacks targeting financial institutions as a motivation for the hearing. 

“In both business and medicine, there are various versions of the Sutton rule,” he said, referring to bank robber Willie Sutton’s famous quip that he robbed banks because “that’s where the money is.”

“They aren’t armed with tommy guns, and they’re not just after cash,” Perlmutter said. 

He cited a Trend Micro report released in September that said financial institutions saw a 1,318% increase in ransomware attacks in the first half of 2021 compared to the same period last year.

Robert E. James II, president and CEO of Carver Financial Corporation in Savannah, Georgia, and current chairman of the American Bankers Association, said minority depository institutions, or MDIs, such as his get very little help from their vendors.

“We are heavily reliant on the big three core processors,” he said. “As the smallest banks, we get the worst service and the least innovation.” In the financial world, core processors provide the back-end systems that process daily banking transactions, such as deposits and withdrawals, loans, and credit processing, along with interfaces to general ledger systems and reporting tools.

Carlos Vazquez, chief information security officer for Canvas Credit Union in Colorado, pointed to workforce limitations in cybersecurity. “A massive shortage exists in skilled professionals,” he said. 

He credited the Cybersecurity and Infrastructure Security Agency, the Homeland Security Department and the Financial Services Information Sharing and Analysis Center with doing “a great job” sharing information about breaches, vulnerabilities and patches, and emerging advanced persistent threats, or APTs, but said that vendors and software suppliers need to do a better job of identifying and repairing flaws early in the software lifecycle.

Vazquez also asked that the National Credit Union Administration be given the same kind of statutory oversight authority for credit union service organizations and third-party vendors serving credit unions that the FDIC, for instance, has over banks. 

“Vendors who have access to our members’ data should have to meet the same standards” as they do for banks, he said.

Jeff Newgard, president and CEO of the Bank of Idaho, speaking on behalf of the Independent Community Bankers of America, noted that both large and small banks wind up bearing the cost for a breach that occurs at another company. 

“Core providers and third party providers, credit agencies, retailers—they’re not subject to the [Gramm-Leach-Bliley Act, or GLBA] federal data security standards and oversight. The cost of the breach should be borne by the party that suffered the breach; too often they evade responsibility” and leave customers and banks to foot the bill, he said.

“The threats are greater than ever and continue to evolve,” he said. “Just three or four [core processor] providers dominate [and] it’s put a target on their backs.”

Samir Jain, director of policy for the Center for Democracy and Technology, focused on three challenges which, while affecting other sectors, are particularly pertinent to the financial sector: financial institutions are highly interconnected, providing the opportunity for a cyberattack to spread rapidly; the gap in cybersecurity resources between large and small institutions; and the industry’s increasing reliance on technology.

Jain said information sharing about cyberattacks is a fundamental part of cyber defense, but “it’s hard to do [because] it has to separate signal from noise. One step Congress should consider is mandating that the sector report cyber incidents.”

He also called for GLBA to cover all financial technology, or fintech, companies, not just banks, in order to provide at least a baseline level of privacy protection. 

“The time has come for Congress to enact comprehensive privacy legislation [to reduce] the amount of data that’s shared,” he said.

During questioning, members of the subcommittee appeared sympathetic to the witnesses’ requests for additional help.

“We must step up our actions to deal with cybersecurity, particularly with regard to community banks, MDIs, etc.,” said Maxine Waters, D-Calif., chair of the full committee. “I think this is a great opportunity to work with the other side of the aisle.”

Blaine Luetkemeyer, R-Mo., agreed this is a topic where both political parties are on common ground. He asked Newgard how third parties evade liability for the impact and cost of breaches.

“Financial institutions are subject to examination, [but] that does not go across the entire sector,” Newgard responded. “When customers receive information about a breach, say, their debit card—there’s very little incentive for a retailer or a processor to help. They don’t bear the cost, consumers don’t bear the cost, but the banks do … There’s such a numbness in the consumer world—so many breaches and no accountability.”

Frank Lucas, R-Okla., asked how the federal government could help. Newgard suggested several ways.

“We are at the whim of the core providers. The contracts are very expensive and long-term. If we go in two or three years [and want to change], it’s very expensive to exit that,” he said. “There are gaps within the regulatory agencies. We have four different regulators to try to cope with, and sometimes they’re not in sync or at cross-purposes. More information sharing across the ecosystem so we can get warning of these threats. And we would like more information about vulnerabilities; we feel about a half-step behind.”

Andy Barr, R-Ky., noted there appears to be “inadequate competition” among the core processors, but expressed concern that additional regulation would encourage further consolidation. The problem is that whenever there’s a new entrant in the core processor field, one of the big players buys it, James said.

In response to questioning by Ayanna Pressley, D-Mass., about data privacy, Jain said he believes companies should not keep using “notice and consent” practices. “We should require them to collect only the information they need for the product or service the customer has signed up for, and if the company wants to use it in another way, it has to come back” and request approval again.

“One action Congress should take is to adopt federal privacy legislation,” Jain said. “I think there’s a really strong link between privacy legislation and better” cybersecurity.