WASHINGTON — A new conundrum is emerging for cybersecurity-conscious banks: Well-protected information can also be an unwelcome obstacle for regulators.
On Wednesday, the Office of the Comptroller of the Currency sent out guidance to remind banks that its examiners need "timely access to bank records," and warned against encryption programs that quickly self-delete messages sent by bank personnel.
The guidance specifically refers to communication platforms that are encrypted or "have touted an ability to 'guarantee' the deletion of transmitted messages ... within a relatively short time frame."
Banks have demonstrated a growing interest in encrypted communication software. In September several large banks teamed up to create Symphony, an encrypted messaging program that initially emerged from Goldman Sachs.
By the following month at least five major banks had agreed to store records of their Symphony communications at the request of the New York State Department of Financial Services, which also issued guidance on banks' use of the program.
But the bulletin from the Comptroller's Office was not prompted by any one program or incident, OCC spokesman Bryan Hubbard said. "There was not a catalyzing event that prompted the guidance," Hubbard said. The bulletin was issued "in light of increased use of instant messaging and other communication tools."
Symphony's technology does not obstruct regulators, because banks are given access to the decryption keys, Symphony spokeswoman Samantha Singh said. "If a regulator wants information about a bank, they can go directly to that bank for the decryption key to access that information."
Under these conditions, the guidance should not give banks second thoughts about encryption, said Susan Orr, a cybersecurity consultant in Illinois. "If it's encrypted, they need to give it decrypted to" examiners.
But message deletion is likely to be interpreted differently, Orr said. "By implementing that type of deletion of the information, it would be more [about] hiding it" than protecting the information from wrongdoers.
Still, regulatory access is another thorn in the side of financial institutions as they struggle to modernize and secure their operations.
"While promoting efficiency and, presumably, effective management," the use of new electronic communication tools "perhaps increases the burden that an institution is putting on itself," said Kevin Petrasic, a partner at White & Case. "It's sort of two additional headaches. ... Institutions have the responsibility both to make sure that the information is secure, but also that it is available to the regulators."
And as banks are forced to digitize more and more of their infrastructure, these difficulties are not likely to disappear anytime soon.
"There's a tension between the access supervisors need and the protections that everybody wants against hackers and other types of bad actors," an industry source said. "The technology is always evolving. What works now is probably going to be adjusted as things move forward."
Banks would do well to establish clear policies on acceptable communication tools among their employees, said Petrasic. "They have to be mindful of the fact that they can't just suddenly start using a Snapchat."