HeinOnline handle: hein.crs/goveadm0001

Congressional Research Service
Informing the legislative debate since 1914

January 4, 2021

Introduction to Financial Services: Financial Cybersecurity


Cybersecurity is a major concern of financial institutions
and federal financial regulators. Recent data breaches at
large financial institutions have increased concerns about
the privacy and security of consumer financial information.
For example, in 2019, insurance company First American
Financial experienced a breach that exposed 885 million
files, including Social Security numbers and driver's license
and account information.

Financial institutions seek to prevent electronic theft of
money and other assets; cyberspace disruptions, such as
denial-of-service attacks, could also interrupt or shut down their
businesses. According to a private study, the per-company
cost of cybercrime is over $18 million for financial services
companies, around 40% higher than the average cost for
other sectors, as illustrated in Figure 1.

Figure 1. Costs of Cybercrime Across Sectors
(by sector, $ in millions)

[Bar chart of per-company cybercrime cost by sector; chart data not recoverable from the page text.]

Source: Figure created by CRS, adapted from Accenture, Unlocking
the Value of Improved Cybersecurity Protection, July 15, 2019.

Cybersecurity threats pose operational risk and
reputational risk. Operational risk is the threat that an
event, such as a natural disaster, pandemic, or cyberattack,
limits or completely obstructs an institution's ability to do
business. Reputational risk is the threat that customers will
take their business elsewhere based on the actions of or
associated with a financial institution. For example, if a
financial institution fails to secure a customer's information
during a cyberattack, the customer may lose trust in the
institution. Cybersecurity is a way to protect against some
aspects of operational and reputational risk.

If the entire system fails to adequately address
cybersecurity concerns, this could lead to systemic risk:
the risk that a cybersecurity incident would destabilize the
financial system. For example, in a highly interconnected
financial system, a cybersecurity incident at one of the
major banks or payment networks could adversely affect
operations at many other financial institutions. The
Financial Stability Oversight Council (FSOC) has identified
three channels through which a cybersecurity event could
threaten the stability of the U.S. financial system:

* An incident could disrupt a key financial service or a
  financial market utility for which there are few
  substitutes (e.g., the central bank, exchanges, and
  payment clearing and settlement institutions).

* An incident could cause a loss of confidence among a
  broad set of customers or market participants.

* An incident could compromise the integrity of critical
  data, rendering information critical to financial firms
  either inaccurate or unusable.

Further, FSOC's 2020 Annual Report notes that systemic
risk may have increased as the Coronavirus Disease 2019
(COVID-19) pandemic has increased reliance on
technology, such as remote payment systems.

Federal Policy Approaches
The federal government has increasingly recognized the
importance of cybersecurity in the financial services
industry, and federal financial regulators each have a role in
cybersecurity. Numerous laws cover aspects of
cybersecurity for different industries. Some of these laws
contain specific provisions that require financial regulators
to implement rules that establish cybersecurity standards for
financial institutions, and they provide regulators the
authority to supervise these institutions for compliance with
such standards. Other laws provide broad authority to
regulators to regulate and supervise financial institutions for
safety and soundness. Financial regulators rely on these
broad authorities to shape cybersecurity policies for the
institutions they regulate.

The Gramm-Leach-Bliley Act of 1999 (GLBA; P.L. 106-102)
is the most comprehensive of these laws and directs
financial regulators to implement disclosure requirements
and security measures to safeguard private information.
GLBA provides a framework for regulating data privacy
and security practices for financial institutions. This
framework is built upon two pillars: (1) privacy standards
that impose disclosure limitations on financial institutions
concerning consumers' information; and (2) security
standards that require institutions to implement certain
practices to safeguard information from unauthorized
access, use, and disclosure. The rules implementing this
framework are known as the Privacy Rule (Regulation P)
and the Safeguards Rule.


ps://crsreports.congress.go
