
HeinOnline handle: hein.crs/govekbh0001
Congressional Research Service
Informing the legislative debate since 1914

Updated January 5, 2023

Introduction to Financial Services: Financial Cybersecurity

Cybersecurity is a major concern of financial institutions
and financial regulators. Recent data breaches at large
financial institutions have increased concerns about the
privacy and security of consumer financial information. For
example, in 2019, a data breach at insurance company First
American Financial exposed 885 million files with personal
and private financial information; in 2020, a data breach at
Experian exposed 24 million customers' data; and in 2022,
a Block employee downloaded and leaked 8 million
customers' data.
Research suggests that 25% of malware attacks target
financial services companies. Further, the cost of
cybercrime at financial institutions outpaces the cost of
cybercrime to other industries. For example, according to a
2019 private study, the per-company cost of cybercrime is
over $18 million for financial services companies, around
40% higher than the average cost for other sectors, as
illustrated in Figure 1.
Figure 1. Costs of Cybercrime Across Sectors
(by sector, $ in millions)
[Bar chart comparing per-company cybercrime cost by sector; figure image not reproduced here.]
Source: Figure created by CRS, adapted from Accenture, Unlocking
the Value of Improved Cybersecurity Protection, July 15, 2019.
Cybersecurity threats pose operational risk and
reputational risk. Operational risk is the threat that an
event, such as a natural disaster, pandemic, or
cyberattack, limits or completely obstructs an institution's
ability to do business. Reputational risk is the threat that
customers will take their business elsewhere based on the
actions of or associated with a financial institution. For
example, if a financial institution fails to secure a
customer's information during a cyberattack, the customer
may lose trust in the institution. Cybersecurity protects
against some aspects of operational and reputational risk.
If the entire system fails to adequately address
cybersecurity concerns, this could lead to systemic risk:
the risk that a cybersecurity incident would destabilize the
financial system. For example, in a highly interconnected
financial system, a cybersecurity incident at one of the
major banks or payment networks could adversely affect
operations at many other financial institutions. Further, the
Financial Stability Oversight Council noted in a recent
annual report that systemic risk may have increased as the
COVID-19 pandemic has increased reliance on technology,
such as remote payment systems.
Federal Policy Approaches
The federal government has increasingly recognized the
importance of cybersecurity in the financial services
industry, and federal financial regulators each have a role in
cybersecurity. Numerous laws cover aspects of
cybersecurity for different industries. Some of these laws
contain specific provisions that require financial regulators
to implement rules that establish cybersecurity standards for
financial institutions, and they provide regulators the
authority to supervise these institutions for compliance with
such standards. Other laws provide broad authority to
regulators to regulate and supervise financial institutions for
safety and soundness. Financial regulators rely on these
broad authorities to shape cybersecurity policies for the
institutions they regulate.
The Gramm-Leach-Bliley Act of 1999 (GLBA; P.L. 106-
102) is the most comprehensive of these laws and directs
financial regulators to implement disclosure requirements
and security measures to safeguard private information.
GLBA provides a framework for regulating data privacy
and security practices for financial institutions. This
framework is built upon two pillars: (1) privacy standards
that impose disclosure limitations on financial institutions
concerning consumers' information and (2) security
standards that require institutions to implement certain
practices to safeguard information from unauthorized
access, use, and disclosure. The rules implementing this
framework are known as the Privacy Rule (Regulation P)
and the Safeguards Rule.
The Sarbanes-Oxley Act of 2002 (P.L. 107-204) contains
provisions requiring a corporation that files reports under
Sections 13(a) and 15(d) of the Securities Exchange Act of
1934 to also file annual reports with the Securities and
Exchange Commission that identify internal and external
risks to the business and the ways that the company guards
against those risks. Bank and thrift holding companies and
insured depositories are required to file similar reports with
their regulators.
The Fair and Accurate Credit Transactions Act (P.L.
108-159) amended the Fair Credit Reporting Act to require
regulatory agencies to develop identity theft guidelines,
which outline patterns, practices, and specific forms of
