Updated January 13, 2022
Introduction to Financial Services: Financial Cybersecurity
Cybersecurity is a major concern of financial institutions and federal financial regulators. Recent data breaches at large financial institutions have increased concerns about the privacy and security of consumer financial information. For example, in 2019, insurance company First American Financial experienced a breach that exposed 885 million files, including Social Security Numbers and driver’s license and account information.

Financial institutions seek to prevent electronic theft of money and other assets, as cyberspace disruptions, such as denial-of-service attacks, could interrupt or shut down their businesses. According to a private study, the per-company cost of cybercrime is over $18 million for financial services companies, around 40% higher than the average cost for other sectors, as illustrated in Figure 1.

Figure 1. Costs of Cybercrime Across Sectors
by sector, $ in millions
Source: Figure created by CRS, adapted from Accenture, Unlocking the Value of Improved Cybersecurity Protection, July 15, 2019.

Cybersecurity threats pose operational risk and reputational risk. Operational risk is the threat that an event—such as a natural disaster, pandemic, or cyberattack—limits or completely obstructs an institution’s ability to do business. Reputational risk is the threat that customers will take their business elsewhere based on the actions of or associated with a financial institution. For example, if a financial institution fails to secure a customer’s information during a cyberattack, the customer may lose trust in the institution. Cybersecurity is a way to protect against some aspects of operational and reputational risk.

If the entire system fails to adequately address cybersecurity concerns, this could lead to systemic risk—the risk that a cybersecurity incident would destabilize the financial system. For example, in a highly interconnected financial system, a cybersecurity incident at one of the major banks or payment networks could adversely affect operations at many other financial institutions. The Financial Stability Oversight Council (FSOC) has identified three channels through which a cybersecurity event could threaten the stability of the U.S. financial system:

1. An incident could disrupt a key financial service or a financial market utility for which there are few substitutes (e.g., the central bank, exchanges, and payment clearing and settlement institutions).
2. An incident could cause a loss of confidence among a broad set of customers or market participants.
3. An incident could compromise the integrity of critical data, rendering information critical to financial firms either inaccurate or unusable.

Further, FSOC’s 2020 Annual Report notes that systemic risk may have increased as the COVID-19 pandemic has increased reliance on technology, such as remote payment systems.

Federal Policy Approaches
The federal government has increasingly recognized the importance of cybersecurity in the financial services industry, and federal financial regulators each have a role in cybersecurity. Numerous laws cover aspects of cybersecurity for different industries. Some of these laws contain specific provisions that require financial regulators to implement rules that establish cybersecurity standards for financial institutions, and they provide regulators the authority to supervise these institutions for compliance with such standards. Other laws provide broad authority to regulators to regulate and supervise financial institutions for safety and soundness. Financial regulators rely on these broad authorities to shape cybersecurity policies for the institutions they regulate.

The Gramm-Leach-Bliley Act of 1999 (GLBA; P.L. 106-102) is the most comprehensive of these laws and directs financial regulators to implement disclosure requirements and security measures to safeguard private information. GLBA provides a framework for regulating data privacy and security practices for financial institutions. This framework is built upon two pillars: (1) privacy standards that impose disclosure limitations on financial institutions concerning consumers’ information and (2) security standards that require institutions to implement certain practices to safeguard information from unauthorized access, use, and disclosure. The rules implementing this framework are known as the Privacy Rule (Regulation P) and the Safeguards Rule.

The Sarbanes-Oxley Act of 2002 (P.L. 107-204) contains provisions requiring a corporation that files reports under
Sections 13(a) and 15(d) of the Securities Exchange Act of 1934 to also file annual reports with the Securities and Exchange Commission that identify internal and external risks to the business and the ways that the company guards against those risks. Bank and thrift holding companies and insured depositories are required to file similar reports with their regulators.

The Fair and Accurate Credit Transactions Act (P.L. 108-159) amended the Fair Credit Reporting Act to require regulatory agencies to develop identity theft guidelines, which outline “patterns, practices, and specific forms of activity that indicate the possible existence of identity theft” (15 U.S.C. §1681).

The Bank Protection Act (P.L. 90-389), as amended, directs the federal bank regulators to establish minimum security standards for banks and savings associations to “discourage robberies, burglaries, and larcenies” (12 U.S.C. §§1881-1884). Although the law does not mention cybersecurity, bank regulators interpret it to include protection against cyber threats.

Other federal laws, such as the Bank Service Company Act of 1962 (P.L. 87-856) and the laws that establish the authorities for financial regulators to conduct safety and soundness examinations, allow regulators to regulate and supervise financial institution activities and partnerships (e.g., with technology service providers). Regulators rely on these broad authorities to shape and impose cybersecurity on the institutions they regulate. For example, the banking regulators monitor cybersecurity issues by conducting on-site examinations under their authority to examine banks for safety and soundness and can require banks to take remedial action if their cybersecurity policies are deficient. Further, in November 2021, the banking agencies implemented new requirements for financial institutions to notify their primary regulators within 36 hours of a cybersecurity incident and for bank service providers to notify any affected banks as soon as possible. Additionally, the Federal Financial Institutions Examination Council (FFIEC) has developed the Cybersecurity Assessment Tool to help institutions identify their risks and determine their cybersecurity preparedness.

Policy Considerations for Congress
Oversight of financial services and bank cybersecurity reflects a complex and sometimes overlapping array of state and federal laws, regulators, regulations, and guidance—many of which predate the emergence of cybersecurity risk. Whether this framework is effective and efficient, resulting in adequate protection against cyberattacks without imposing undue cost burdens on banks, is an open question. The occurrence of successful hacks of banks and other financial institutions, wherein huge amounts of personal information are stolen or compromised, highlights the importance of ensuring bank cybersecurity. Further, the fact that several regulators implement, supervise, and enforce federal provisions has raised questions over the patchwork of regulatory standards for consumer privacy and security. Some argue that a unified and modernized legislative framework could improve this patchwork approach. Other policy considerations for Congress are listed below.

Data Security Standards
One area of debate is whether data security standards should be prescriptive and government-defined or flexible and outcome-based. Some argue that a prescriptive approach could be inflexible and harm innovation; others argue that an outcome-based approach might lead to institutions having to comply with a wide range of data standards. For instance, in October 2021, the Federal Trade Commission (FTC) issued a rule that updates the Safeguards Rule with more specific criteria for what financial institutions must implement.

Financial Data and Consumer Redress
GLBA covers only nonpublic personal information held by financial institutions significantly engaged in financial activities. As the industry’s data use has grown, some have debated whether the law covers all sensitive individual financial information. For example, data brokers can compile public and private data from different sources. Much of these data may not be subject to GLBA’s provision, but combining them might reveal sensitive information about a consumer. Further, consumers have a limited ability to control or correct financial data, which can make it difficult to obtain redress for data breaches.

Vendors, Cloud Providers, and Systemic Risk
Banks pay cloud service providers (CSPs) to use CSPs’ computing resources (e.g., servers) rather than maintaining their own. Use of CSPs can be emblematic of banks’ relationships with a broader base of vendors and how these ties may introduce more cybersecurity risks. Cyber risks change, and may increase, for banks with increased reliance on advanced IT solutions, such as cloud. Also, many banks rely on a few providers (three major CSPs account for 60%-70% of market share), and this could transform cyber risk to systemic risk, with FSOC noting that a “cyber event at a critical vendor with a large number of clients could result in widespread disruption in access to financial data and could impair the flow of financial transactions.” Concentration risk and operational concerns, such as lock-in risk, may bias banks toward multi-cloud strategies—contracts with and technology postures consisting of multiple CSPs—thereby expanding the relationships for which banks must manage cybersecurity.

CRS Resources
CRS Report R44429, Financial Services and Cybersecurity: The Federal Role, by M. Maureen Murphy and Andrew P. Scott
CRS Insight IN11199, Big Data in Financial Services: Privacy and Security Regulation, by Andrew P. Scott
CRS Testimony TE10021, Consumer Data Security and the Credit Bureaus, by Chris Jaikaran
CRS In Focus IF11985, Bank Use of Cloud Technology, by Paul Tierno

Andrew P. Scott, Analyst in Financial Economics
Paul Tierno, Analyst in Financial Economics
Disclaimer
This document was prepared by the Congressional Research Service (CRS). CRS serves as nonpartisan shared staff to
congressional committees and Members of Congress. It operates solely at the behest of and under the direction of Congress.
Information in a CRS Report should not be relied upon for purposes other than public understanding of information that has
been provided by CRS to Members of Congress in connection with CRS’s institutional role. CRS Reports, as a work of the
United States Government, are not subject to copyright protection in the United States. Any CRS Report may be
reproduced and distributed in its entirety without permission from CRS. However, as a CRS Report may include
copyrighted images or material from a third party, you may need to obtain the permission of the copyright holder if you
wish to copy or otherwise use copyrighted material.
https://crsreports.congress.gov | IF11717 · VERSION 3 · UPDATED