HFSC Cyber Security Hearing
House Financial Services Subcommittee on Consumer Protection and
Financial Institutions
Cyber Threats, Consumer Data, and the Financial System
Wednesday, November 3, 2021
Witnesses
- Samir Jain, Director of Policy, Center for Democracy & Technology
- Robert E. James, II, President & CEO, Carver Financial Corporation
- Carlos Vazquez, Chief Information Security Officer, Canvas Credit Union
- Jeff Newgard, President and Chief Executive Officer, Bank of Idaho, on behalf of the Independent Community Bankers of America
Opening Statements
Chair Ed Perlmutter (D-Colo.)
In his opening statement, Perlmutter discussed the threat of cyber criminals to financial institutions and the vulnerability of consumer data at these institutions.
Vice Ranking Member David Kustoff (R-Tenn.)
In his opening statement, Kustoff explained the importance of private entities, threats posed by China, and the threats of cyber-attacks like the Colonial Pipeline attack. He explained how a cyber-attack on financial institutions would impact consumers and threaten the financial system. Kustoff highlighted the importance of private sector innovation, not government mandates, in guarding against cyber threats.
Chairwoman of the Full Committee Maxine Waters (D-Calif.)
In her opening statement, Waters explained that financial institutions are experiencing an increase in ransomware attacks and new innovations in the cyber threats they face.
Testimony
Samir Jain, Director of Policy, Center for Democracy & Technology
In his opening statement, Jain made observations about the cyber threat environment, highlighting three challenges in addressing cyber threats in the financial sector, including (1) interdependence with vendors, third parties, and other sectors, (2) the gap between large and small institutions, and (3) increasing reliance on technology. He then discussed several potential areas for progress to better protect consumers and their data, including (1) information sharing, (2) baseline privacy legislation, and (3) finding points of leverage in the ecosystem. He also stated that the financial services industry overall has responded earlier and more proactively than most sectors and with greater investment to cybersecurity challenges but that the industry remains highly vulnerable to cyber threats.
Robert E. James, II, President & CEO, Carver Financial Corporation
In his opening statement, James discussed how the ability to adapt technologically to meet customer demands is a critical component of the resilience of the banking sector and affects its ability to assist underserved communities. He stated that core processing service companies create no incentives to help small firms adapt to the changing competitive landscape, and they often offer poor quality service, citing the Paycheck Protection Program. James also highlighted the need for regulatory help where investments result in criticism when earnings do not meet regulatory expectations. He concluded that cultural shifts inside the financial services industry, including the core processors and regulators, are necessary to help Minority Depository Institutions (MDIs) better orient themselves to meet new customer demands.
Carlos Vazquez, Chief Information Security Officer, Canvas Credit Union
In his opening statement, Vazquez discussed evolving cybersecurity and consumer protection challenges, including hiring and training skilled workers, regulatory burdens on small credit unions, and vendor management. He also highlighted efforts by government agencies to strengthen cyber security defenses and the strengths and weaknesses of the current legal framework governing data security and privacy in the financial sector.
Jeff Newgard, President and Chief Executive Officer, Bank of Idaho, on behalf of the Independent Community Bankers of America
In his opening statement, Newgard discussed the need to extend Gramm-Leach-Bliley Act-like standards to all participants in the payments system and all entities with access to customer financial information to close gaps in regulation and oversight. He also highlighted the importance of core providers and other large third-party service and technology providers and acknowledged their vulnerability. Newgard said regulators should be aware of the significant interconnectivity of these third parties and collaborate with them to mitigate risk. He also talked about the examination and supervision of credit rating agencies, data breaches in government departments and agencies, and the need for a national data security breach and notification standard. Newgard added that there should also be uniformity in data and cyber security regulation, examiners acting as partners in cyber security, and more information sharing.
Question & Answer
Third Party Providers, Vendors, and Processors
Waters asked James whether he agreed with Newgard’s recommendations to address cyber security. James said yes and discussed the need to get the same level of service for small institutions that large institutions receive from big core processors, adding that those processors need to be subject to examinations. Rep. Blaine Luetkemeyer (R-Mo.) asked about small banks not being able to afford higher levels of cyber protection. James explained how small institutions are at the mercy of third-party core processors.
Luetkemeyer asked how retailers escape liability for cyber criminals accessing consumer data and what costs are associated with it. Newgard explained that retail processors are not subject to examination and that when consumer data is compromised, there is no incentive for processors to help protect that data. He added that the retailers and entities breached need to bear the cost and be responsible for breaches.
Perlmutter asked what challenges credit unions face in vendor management. Vazquez emphasized the institutional size needed to provide the proper vendor data security. He added that vendors need to take the same level of care of consumer data that smaller credit unions take.
Perlmutter asked how many institutions would be affected by a third-party service provider breach. James said 80 percent of regulated banks insured by the Federal Deposit Insurance Corporation (FDIC) could be affected.
Rep. Brad Sherman (D-Calif.) asked if retailers would better safeguard data if they had to pay the costs of the breach. James said yes and that large retailers are currently not subject to any responsibilities for protecting consumer data.
Cost of Cyber Security
Rep. Al Green (D-Texas) asked how much funding a small bank needs to protect itself against cyber threats. James reaffirmed the high cost of core processor technology and suggested that regulators could help institutions do due diligence on fintech companies and new technology providers. Newgard said the cost depends on size and other add-ons from the service and that the cost could be tens to hundreds of thousands of dollars, possibly around $20,000. Rep. Roger Williams (R-Texas) asked Newgard how his bank is reacting to compliance costs. Newgard said his institution is hiring new staff to comply with regulations and that high costs are causing consolidation in the industry.
Rep. Ritchie Torres (D-N.Y.) asked if small banks have sufficient resources for cybersecurity. Newgard said the industry has done a good job but that it relies on its core providers. He added that a small bank might spend over $50,000 per month. Vazquez said credit unions are doing the best they can but that their cybersecurity can cost close to one million dollars.
Technology and Innovation
Perlmutter asked what quantum computing might do to enhance or harm security. Jain said the technology may exacerbate the divide in levels of data security we see between large and small institutions. Rep. Andy Barr (R-Ky.) asked for an example of private sector innovation that has improved cyber security. Newgard referenced core provider innovation and fintechs but stated that fintechs are new, unproven, and unregulated. Barr asked how to level the playing field between large and small institutions to access cyber security technology. James said to encourage competition and examine processor contracts.
Rep. Juan Vargas (D-Calif.) asked why innovation has not brought down the cost of cyber security and the growth of new processors. Newgard said processors are slow to innovate, which has prompted the growth of unregulated fintech. He added that new processors are often purchased and consolidated by larger processors.
Rep. Bill Foster (D-Ill.) asked if digital identification has proven useful to financial institutions. James and Vazquez responded that the technology is still in its infancy.
Regulation and Legislation
Rep. Frank Lucas (R-Okla.) asked what regulators expect from banks in terms of cyber security practices. Newgard said community banks are regulated by the FDIC and state regulators, that some banks have different regulators, and that there should be harmonization to ensure best-in-class regulation. Rep. Bill Posey (R-Fla.) asked if the right balance is being achieved with regulation. Newgard said there needs to be more harmonization between regulators to police cyber threats and recognize that the cyber threat world is an ecosystem with interconnected institutions.
Foster asked about the need for stronger regulation of service providers. Vazquez said the National Credit Union Association (NCUA) should have greater authority to regulate its vendors, that providers have developed a playbook to avoid accountability for breaches, and that providers need to protect consumer data.
Rep. Al Lawson (D-Fla.) asked how federal policy can help financial institutions recover from cyber-attacks. Jain said incentivizing providers to improve their security would benefit the whole ecosystem and added that Congress should adopt federal privacy legislation. Rep. William Timmons (R-S.C.) asked if Congress should preempt states and pass a cyber security standard. Jain said yes but that the preemption question is hard to answer. Jain added that legislation should set forth basic duties and principles and then pick agencies to fulfill those duties. Reps. Barry Loudermilk (R-Ga.) and Williams asked about the benefits of a uniform data security standard. Newgard said he is not in favor of a one-size-fits-all standard but does support harmonization between regulators and information sharing.
Timmons asked if General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) have gone too far. Jain said they have not gone too far but that we need to go in a slightly different direction. Torres asked Jain to assess the state of cyber security with respect to data aggregators. Jain emphasized the unregulated nature of data aggregators.
Cyber Workforce
Lucas asked about the challenges associated with training and preparing employees for cyber threats. Vazquez said employees are part of an institution’s tool chest to address cyber threats and emphasized the importance of training employees to recognize cyber threats. Rep. John Rose (R-Tenn.) asked Newgard about the challenges of recruiting cyber security professionals. Newgard said the demand is high but that financial institutions cannot pay the salaries needed to attract talent. Jain emphasized the challenge of drawing from our entire citizenry, referencing a history of discrimination against women and minorities. Lucas asked how the pandemic has exacerbated cyber security threats. Newgard stated that the biggest challenge has been the mobility of the workforce.
Small Institutions and Credit Unions
Loudermilk asked what credit unions are doing to enhance the security of digital payments. Vazquez said credit unions spend money to address fraud, utilize real-time tools, and work with vendors to make sure available data is real-time. Rep. Ayanna Pressley (D-Mass.) asked what challenges small financial institutions face in cyber security. Jain said there is a shortage of talent in the cyber workforce, an information sharing challenge, and an overreliance on vendors.