US regulators should avoid using punishing fines as a first response to data breaches at banks and focus on building prevention solutions, say security experts.
Doug Wick, vice president at data security firm ALTR, believes that regulators have been successfully effecting change at banks for decades. “But they aren't good at telling banks what will work and what won't, so actually regulating the right change and impacting breaches directly is difficult. For instance, I would argue that key-based encryption is not a very effective and functional technology for protecting data, but there are numerous regulations that specifically require it. Companies think in those situations that they are protected, but they aren't.”
Federal Deposit Insurance Corporation (FDIC) chair Jelena McWilliams, speaking at a KBW community bank investor conference, said the regulator could fine banks that suffer major cybersecurity breaches after having been warned.
Speaking to CNBC, she added poor cybersecurity could lead to regulators downgrading the ratings of certain banks and their management teams.
The FDIC is one of two US agencies that provide deposit insurance. Created during the Great Depression, its initial role was to restore trust in the US banking system and prevent damaging runs on banks. The agency oversees around 5,000 lenders.
Mayra Rodriguez Valladares, principal consultant at MRV Associates, says that regulators can affect the cybersecurity protocols of banks in several ways. “Regulators can send in specialized IT and data teams to do specialty exams of banks to see how they are strengthening their controls against cyber-attacks.
“They can also ask banks to increase their capital requirements for operational risk. This would make banks think twice about the attention and resources that they should allocate to cybersecurity threats. They can also fine banks as part of an enforcement action, which would also make bank executives focus on how to improve operational risk management. If banks repeatedly have cybersecurity challenges, bank regulators can also close business lines which are more at risk of hacking and other types of cyber-attacks.”
Wick adds that “any company, in banking and beyond, that stores personal data of its customers has to take responsibility for the protection of that asset from theft and exposure to privacy concerns. Though many enterprises are very responsible and set the bar for security and privacy high, it does make sense to have data security and privacy regulated as a consumer protection - which unfortunately means large fines for those who have failed to provide the necessary protections.”
The Consumer Financial Protection Bureau (CFPB) and the Federal Trade Commission (FTC) have fined firms for large-scale data breaches in the past. In July the two regulators reached a global settlement worth $700m with credit scoring firm Equifax over its 2017 breach, which affected 147m consumers.
A breach at Capital One in late July saw a hacker reportedly exploit a misconfigured firewall to gain access to 140,000 US social security numbers and 1m Canadian social insurance numbers, as well as 80,000 bank account numbers. The FDIC chief later told CNN that cybersecurity is the main risk facing large banks and the industry.
For Wick, where the fault lies for breaches like Capital One can be a difficult thing to pin down. “This can be very complicated and is more of a legal question, in that banks like Capital One might have established very clear agreements with outside providers of software, infrastructure, and services where liability is shared or delegated to those providers for data security and privacy. Banks have to partner with providers who are leading the industry in embedding security and privacy into their solutions by design, in specific demonstrable ways.”