January 4, 2021
Introduction to Financial Services: Financial Cybersecurity
Cybersecurity is a major concern of financial institutions and federal financial regulators. Recent data breaches at large financial institutions have increased concerns about the privacy and security of consumer financial information. For example, in 2019, insurance company First American Financial experienced a breach that exposed 885 million files, including Social Security numbers and driver’s license and account information.

Financial institutions seek to prevent electronic theft of money and other assets, as cyberspace disruptions, such as denial-of-service attacks, could interrupt or shut down their businesses. According to a private study, the per-company cost of cybercrime is over $18 million for financial services companies, around 40% higher than the average cost for other sectors, as illustrated in Figure 1.

Figure 1. Costs of Cybercrime Across Sectors
by sector, $ in millions
Source: Figure created by CRS, adapted from Accenture, Unlocking the Value of Improved Cybersecurity Protection, July 15, 2019.

Cybersecurity threats pose operational risk and reputational risk. Operational risk is the threat that an event, such as a natural disaster, pandemic, or cyberattack, limits or completely obstructs an institution’s ability to do business. Reputational risk is the threat that customers will take their business elsewhere based on the actions of or associated with a financial institution. For example, if a financial institution fails to secure a customer’s information during a cyberattack, the customer may lose trust in the institution. Cybersecurity is a way to protect against some aspects of operational and reputational risk.

If the entire system fails to adequately address cybersecurity concerns, this could lead to systemic risk: the risk that a cybersecurity incident would destabilize the financial system. For example, in a highly interconnected financial system, a cybersecurity incident at one of the major banks or payment networks could adversely affect operations at many other financial institutions. The Financial Stability Oversight Council (FSOC) has identified three channels through which a cybersecurity event could threaten the stability of the U.S. financial system:

• An incident could disrupt a key financial service or a financial market utility for which there are few substitutes (e.g., the central bank, exchanges, and payment clearing and settlement institutions).
• An incident could cause a loss of confidence among a broad set of customers or market participants.
• An incident could compromise the integrity of critical data, rendering information critical to financial firms either inaccurate or unusable.

Further, FSOC’s 2020 Annual Report notes that systemic risk may have increased as the Coronavirus Disease 2019 (COVID-19) pandemic has increased reliance on technology, such as remote payment systems.

Federal Policy Approaches
The federal government has increasingly recognized the importance of cybersecurity in the financial services industry, and federal financial regulators each have a role in cybersecurity. Numerous laws cover aspects of cybersecurity for different industries. Some of these laws contain specific provisions that require financial regulators to implement rules that establish cybersecurity standards for financial institutions, and they provide regulators the authority to supervise these institutions for compliance with such standards. Other laws provide broad authority to regulators to regulate and supervise financial institutions for safety and soundness. Financial regulators rely on these broad authorities to shape cybersecurity policies for the institutions they regulate.

The Gramm-Leach-Bliley Act of 1999 (GLBA; P.L. 106-102) is the most comprehensive of these laws and directs financial regulators to implement disclosure requirements and security measures to safeguard private information. GLBA provides a framework for regulating data privacy and security practices for financial institutions. This framework is built upon two pillars: (1) privacy standards that impose disclosure limitations on financial institutions concerning consumers’ information; and (2) security standards that require institutions to implement certain practices to safeguard information from unauthorized access, use, and disclosure. The rules implementing this framework are known as the Privacy Rule (Regulation P) and the Safeguards Rule.
https://crsreports.congress.gov

The Sarbanes-Oxley Act of 2002 (P.L. 107-204) contains provisions requiring corporations that file reports under Sections 13(a) and 15(d) of the Securities Exchange Act of 1934 to also file annual reports with the Securities and Exchange Commission (SEC) that identify internal and external risks to the business and the ways that the company guards against those risks. Bank and thrift holding companies and insured depositories are required to file similar reports with their regulators.

The Fair and Accurate Credit Transactions Act (FACT Act; P.L. 108-159) amended the Fair Credit Reporting Act to require regulatory agencies to develop identity theft guidelines, which outline “patterns, practices, and specific forms of activity that indicate the possible existence of identity theft” (15 U.S.C. §1681).

The Bank Protection Act (P.L. 90-389), as amended, directs the federal bank regulators to establish minimum security standards for banks and savings associations to “discourage robberies, burglaries, and larcenies” (12 U.S.C. §§1881-1884). Although the law does not mention cybersecurity, bank regulators interpret it to include protection against cyber threats.

Other federal laws, such as the Bank Service Company Act of 1962 (P.L. 87-856) and the laws that establish the authorities for financial regulators to conduct safety and soundness examinations, allow regulators to regulate and supervise financial institution activities and partnerships (e.g., with technology service providers). Regulators rely on these broad authorities to shape and impose cybersecurity requirements on the institutions they regulate. For example, the banking regulators monitor cybersecurity issues by conducting on-site examinations under their authority to examine banks for safety and soundness and can require banks to take remedial action if their cybersecurity policies are deficient. Additionally, the Federal Financial Institutions Examination Council (FFIEC) has developed the Cybersecurity Assessment Tool to help institutions identify their risks and determine their cybersecurity preparedness.

Policy Considerations for Congress
Oversight of financial services and bank cybersecurity reflects a complex and sometimes overlapping array of state and federal laws, regulators, regulations, and guidance—many of which predate the emergence of cybersecurity risk. Whether this framework is effective and efficient, resulting in adequate protection against cyberattacks without imposing undue cost burdens on banks, is an open question. The occurrence of successful hacks of banks and other financial institutions, wherein huge amounts of personal information are stolen or compromised, highlights the importance of ensuring bank cybersecurity. Further, the fact that several regulators implement, supervise, and enforce federal provisions has raised questions over the patchwork of regulatory standards for consumer privacy and security. Some argue that a unified and modernized legislative framework could improve this patchwork approach.

Other policy considerations for Congress are listed below.

Data Security Standards
One area of debate is whether data security standards should be prescriptive and government-defined or flexible and outcome-based. Some argue that a prescriptive approach could be inflexible and harm innovation; others argue that an outcome-based approach might lead to institutions having to comply with a wide range of data standards. For instance, the Federal Trade Commission (FTC) recently published proposed amendments to the Privacy and Safeguards Rules to provide more certainty to financial institutions and better protect consumers. Two commissioners dissented over the amendments to the Safeguards Rule, raising caution about the impact more prescriptive cybersecurity standards might have on innovation.

Financial Data and Consumer Redress
GLBA covers only nonpublic personal information held by financial institutions significantly engaged in financial activities. As the industry’s data use has grown, some have debated whether the law covers all sensitive individual financial information. For example, data brokers can compile public and private data from different sources. Much of these data may not be subject to GLBA’s provisions, but combining them might reveal sensitive information about a consumer. Further, consumers have a limited ability to control or correct financial data, which can make it difficult to obtain redress for data breaches.

Systemic Risk and Cybersecurity Management
As mentioned, cybersecurity events could affect the broader financial system. Some federal regulators have taken measures to address this potential risk by assessing the risks posed to the eight systemically important financial market utilities (SIFMUs), as designated by the FSOC and supervised by the SEC, Federal Reserve, and Commodity Futures Trading Commission (CFTC). These organizations are known as “self-regulatory organizations” (SROs) and can propose rules to their supervisors for adoption. For instance, the National Securities Clearing Corporation (NSCC), an SIFMU that plays a prominent role in providing clearance, settlement, risk management, and central counterparty services, proposed a rule to the SEC in 2019 requiring NSCC members and organizations that report trade data to NSCC to implement new and significant safeguards in their cybersecurity programs. The SEC approved the rule; however, to date, the remaining SIFMUs have not submitted similar rules to their supervisors.

CRS Resources
CRS Report R44429, Financial Services and Cybersecurity: The Federal Role, by M. Maureen Murphy and Andrew P. Scott
CRS Insight IN11199, Big Data in Financial Services: Privacy and Security Regulation, by Andrew P. Scott
CRS Report R46332, Fintech: Overview of Innovative Financial Technology and Selected Policy Issues, coordinated by David W. Perkins
CRS Testimony TE10021, Consumer Data Security and the Credit Bureaus, by Chris Jaikaran

IF11717
Andrew P. Scott, Analyst in Financial Economics


Disclaimer
This document was prepared by the Congressional Research Service (CRS). CRS serves as nonpartisan shared staff to
congressional committees and Members of Congress. It operates solely at the behest of and under the direction of Congress.
Information in a CRS Report should not be relied upon for purposes other than public understanding of information that has
been provided by CRS to Members of Congress in connection with CRS’s institutional role. CRS Reports, as a work of the
United States Government, are not subject to copyright protection in the United States. Any CRS Report may be
reproduced and distributed in its entirety without permission from CRS. However, as a CRS Report may include
copyrighted images or material from a third party, you may need to obtain the permission of the copyright holder if you
wish to copy or otherwise use copyrighted material.

https://crsreports.congress.gov | IF11717 · VERSION 1 · NEW