The Green Sheet Online Edition
March 13, 2017 • Issue 17:03:01
Insider's report on payments
Consumers trust bank security, regulators not so much
A new study by the international consultancy Capgemini suggests consumers have more confidence in the ability of banks to protect personal information from cyber-thieves than banks have in themselves. The study – which surveyed 7,600 consumers and more than 180 senior security officers at banking and insurance firms in eight countries – found banks and insurance companies enjoy significantly higher levels of trust from consumers than any other business sector.
Eighty-three percent of the consumers polled said they trusted the cybersecurity protocols of banks and insurers. (Just 28 percent said they trusted ecommerce firms; retailers and telcos each received good trust ratings from 13 percent of the consumers polled.) Yet only 21 percent of the bank executives surveyed were highly confident in their institutions' ability to detect breaches, let alone defend against them, Capgemini noted in a report titled The Currency of Trust: Why Banks and Insurers Must Make Customer Data Safe and More Secure.
The gap between perception and reality is exemplified by the fact that although one in four financial institutions have reported being the victim of a cyber-hack, only 3 percent of consumers believe their own bank has ever been hacked.
"Consumers implicitly trust banks with their money and data, but this faith is rooted in a mistaken belief their provider can be 100 percent secure," said Mike Turner, Global Cybersecurity Business Leader at Capgemini. "While banks are evolving to combat the sophisticated threat cybercriminals pose, public understanding of these threats and challenges remains low."
The number of reported data breaches reached an all-time high in the United States in 2016, according to the Identity Theft Resource Center. In all, 1,093 breaches impacting 36,601,939 personal records were reported in 2016.
With 52 reported cyber-breaches, banks and other financial services firms accounted for just 4.8 percent of total incidents in 2016; the 72,262 records compromised by those breaches were 0.2 percent of all compromised records, the ITRC said, adding that hacking and phishing were the leading causes of reported hacks. The center defines a data breach as a breach that puts personal consumer information at risk, for example, revealing a person's name and Social Security number.
While financial institutions may be faring well against hackers, regulators remain concerned. In September 2016, federal banking regulators proposed new marching orders for the institutions they oversee. And on March 1, New York became the first state to implement a cybersecurity regulation specifically targeting banks, insurance companies and other financial services firms doing business in the state.
"This regulation helps guarantee the financial services industry upholds its obligation to protect consumers and ensure that its systems are sufficiently constructed to prevent cyber-attacks to the fullest extent possible," New York Governor Andrew Cuomo said when the regulation was introduced.
The New York regulation (crafted by the state banking department) places the legal might of the state behind existing industry practices, such as encryption, multifactor authentication, cybersecurity training for employees and written cybersecurity policies. It also mandates the appointment of chief information security officers at covered institutions, yearly audits, and a 72-hour window for reporting identified breaches of customer data.
New: third-party oversight
Perhaps the biggest news to come out of the New York regulation is that state-regulated financial services firms must assure that third parties (such as merchant acquiring partners) are doing their part to keep safe any nonpublic consumer data they handle. And the regulation requires ongoing risk assessments of vendors.
Cybersecurity is no trifling matter. Any serious effort to get a handle on the problem has to take into account the interconnectedness of businesses in the digital age. This is especially true in financial services, where there is so much personal financial information flowing across so many networks and into and out of so many corporate databases.
Lawmakers addressed this initially with the passage of the Gramm-Leach-Bliley Act in 1999, requiring financial institutions to bind service providers to security standards by contract. Now federal regulators want to turn up the heat. In late 2016, they signaled this with an advance notice of proposed rulemaking (the first step in what often pans out as a protracted rulemaking process).
The October 2016 advance notice of proposed rulemaking (ANPR), published by the Federal Reserve and other federal bank regulators, seeks input on "enhanced cyber risk management standards … for large and interconnected entities under their supervision and those entities' service providers." The agencies said they want to apply the rules to banking organizations with consolidated assets of $50 billion or more and are calling for a tiered approach with "an additional set of higher standards for systems that provide key functionality to the financial sector."
Scores of letters from banks and others were submitted during the ANPR public comment period, which ended in February 2017. Several took issue with the proposed third-party oversight requirements and warned against any broad-stroke approach to defining third parties. "As you are aware, third-party service providers perform a wide variety of functions and services for banks, each with different types and levels of risk. Blanketly directing banks to apply the enhanced cybersecurity standards to all third-party providers does the financial services industry and its customers a disservice," the payment processing firm Stripe Inc. wrote.
Mastercard agreed. The card brand stated the rules as articulated in the ANPR would apply only to the largest financial institutions, and few third-party firms are "interconnected" with these large players in ways that are systemically critical. In a nutshell, "the effect of the ANPR is to equate the cybersecurity risks associated with providing a service to a single business line of a covered entity to operating the entire covered entity as a whole," Mastercard wrote.
For now, however, all eyes should be on implementation of New York's new cybersecurity law. New York is considered a bellwether of consumer protection trends and financial transaction laws.
"Given the significant number of financial institutions that will be required to comply, other regulators, clients, customers and counterparties may begin to review these new requirements as a baseline standard for cybersecurity in the financial industry," the law firm Baker & Hostetler LLP stated in a recent post on its website. California, another bellwether state, set in motion a wave of state and federal initiatives after it was first to enact a data breach notification law for businesses operating there back in 2002.
Patti Murphy is Senior Editor of The Green Sheet and President of ProScribes Inc. She is also the founder of InsideMicrofinance.com. Email her at firstname.lastname@example.org.