Small Financial Institutions Say They’re Getting Squeezed by Others’ Bad Cybersecurity Practices

Small banks and financial institutions asked Congress for help maintaining cybersecurity standards.


Representatives from small banks and minority financial institutions told Congress they need help in the form of better, streamlined regulation.

A House subcommittee got an earful from representatives of small banks, credit unions and minority financial institutions at a hearing on improving cybersecurity and customer data privacy.

The House Committee on Financial Services Subcommittee on Consumer Protection and Financial Institutions convened the hearing on “Cyber Threats, Consumer Data and Financial Institutions,” to ask witnesses about their cybersecurity efforts and what additional help they need.

What the subcommittee got was a litany of issues, including small institutions’ needs being neglected by their vendors, a lack of coordination among the federal agencies that regulate their cybersecurity measures, and a near-monopoly by “core processor” providers that handle the vast majority of every financial institution’s back-office functions.

Rep. Ed Perlmutter, D-Colo., chairman of the subcommittee, cited the huge increase in ransomware attacks targeting financial institutions as a motivation for the hearing.

“In both business and medicine, there are various versions of the Sutton rule,” he said, referring to bank robber Willie Sutton’s famous quip that he robbed banks because “that’s where the money is.”

“They aren’t armed with tommy guns, and they’re not just after cash,” Perlmutter said. 

He cited a Trend Micro report released in September that said financial institutions saw a 1,318% increase in ransomware attacks in the first half of 2021 compared with the same period of 2020.

Robert E. James II, president and CEO of Carver Financial Corporation in Savannah, Georgia, and current chairman of the American Bankers Association, said minority depository institutions, or MDIs, such as his get very little help from their vendors.

“We are heavily reliant on the big three core processors,” he said. “As the smallest banks, we get the worst service and the least innovation.” In the financial world, core processors provide the back-end systems that process daily banking transactions, such as deposits and withdrawals, loans, and credit processing, along with interfaces to general ledger systems and reporting tools.

Carlos Vazquez, chief information security officer for Canvas Credit Union in Colorado, pointed to workforce limitations in cybersecurity. “A massive shortage exists in skilled professionals,” he said. 

He credited the Cybersecurity and Infrastructure Security Agency, the Homeland Security Department and the Financial Services Information Sharing and Analysis Center (FS-ISAC) with doing “a great job” sharing information about breaches, vulnerabilities and patches, and emerging advanced persistent threats, or APTs, but said that vendors and software suppliers need to do a better job of identifying and repairing flaws early in the software lifecycle.

Vazquez also asked that the National Credit Union Administration be given the same kind of statutory oversight authority for credit union service organizations and third-party vendors serving credit unions that the FDIC, for instance, has over banks. 

“Vendors who have access to our members’ data should have to meet the same standards” as they do for banks, he said.

Jeff Newgard, president and CEO of the Bank of Idaho, speaking on behalf of the Independent Community Bankers of America, noted that both large and small banks wind up bearing the cost for a breach that occurs at another company. 

“Core providers and third-party providers, credit agencies, retailers—they’re not subject to the [Gramm-Leach-Bliley Act, or GLBA] federal data security standards and oversight. The cost of the breach should be borne by the party that suffered the breach; too often they evade responsibility” and leave customers and banks to foot the bill, he said.

“The threats are greater than ever and continue to evolve,” he said. “Just three or four [core processor] providers dominate [and] it’s put a target on their backs.”

Samir Jain, director of policy for the Center for Democracy and Technology, focused on three challenges that, while not unique to the financial sector, are particularly pertinent to it: financial institutions are highly interconnected, giving a cyberattack the opportunity to spread rapidly; there is a wide gap in cybersecurity resources between large and small institutions; and the industry is increasingly reliant on technology.

Jain said information sharing about cyberattacks is a fundamental part of cyber defense, but “it’s hard to do [because] it has to separate signal from noise. One step Congress should consider is mandating that the sector report cyber incidents.”

He also called for GLBA to cover all financial technology, or fintech, companies, not just banks, in order to provide at least a baseline level of privacy protection. 

“The time has come for Congress to enact comprehensive privacy legislation [to reduce] the amount of data that’s shared,” he said.

During questioning, members of the subcommittee appeared sympathetic to the witnesses’ requests for additional help.

“We must step up our actions to deal with cybersecurity, particularly with regard to community banks, MDIs, etc.,” said Maxine Waters, D-Calif., chair of the full committee. “I think this is a great opportunity to work with the other side of the aisle.”

Blaine Luetkemeyer, R-Mo., agreed this is a topic where both political parties are on common ground. He asked Newgard how third parties evade liability for the impact and cost of breaches.

“Financial institutions are subject to examination, [but] that does not go across the entire sector,” Newgard responded. “When customers receive information about a breach, say, their debit card—there’s very little incentive for a retailer or a processor to help. They don’t bear the cost, consumers don’t bear the cost, but the banks do … There’s such a numbness in the consumer world—so many breaches and no accountability.”

Frank Lucas, R-Okla., asked how the federal government could help. Newgard suggested several ways.

“We are at the whim of the core providers. The contracts are very expensive and long-term. If we go in two or three years [and want to change], it’s very expensive to exit that,” he said. “There are gaps within the regulatory agencies. We have four different regulators to try to cope with, and sometimes they’re not in sync or at cross-purposes. More information sharing across the ecosystem so we can get warning of these threats. And we would like more information about vulnerabilities; we feel about a half-step behind.”

Andy Barr, R-Ky., noted there appears to be “inadequate competition” among the core processors, but expressed concern that additional regulation would encourage further consolidation. The problem is that whenever there’s a new entrant in the core processor field, one of the big players buys it, James said.

In response to questioning by Ayanna Pressley, D-Mass., about data privacy, Jain said he believes companies should not keep using “notice and consent” practices. “We should require them to collect only the information they need for the product or service the customer has signed up for, and if the company wants to use it in another way, it has to come back” and request approval again.

“One action Congress should take is to adopt federal privacy legislation,” Jain said. “I think there’s a really strong link between privacy legislation and better” cybersecurity.
