WASHINGTON — Banks typically respond to pending regulations with a mixture of fear and dread, but new cybersecurity requirements being developed by the banking agencies may be met with relief.
That's because there is a growing awareness of the vulnerabilities banks face not just from direct hacks, but also from attacks on other connected institutions. A new baseline rule for all institutions could shore up weaknesses at banks and elsewhere that could compromise the entire system.
It's "important to issue a rule in order to ensure that all the institutions that comprise the system are up to par," said Walt Mix, a managing director at Berkeley Research Group and a former official at the California Department of Financial Institutions.
Talk of a new proposal comes after a high-profile cyberheist of Bangladesh Bank, in which thieves used the bank to access the Federal Reserve Bank of New York and the Swift network, stealing a total of $81 million.
But banking regulators, led by the Federal Reserve, had already initiated discussions with financial institutions about new cyber rules, according to industry sources.
It "isn't related to any specific recent attack," said one source, who spoke on condition of anonymity. "It's just related more to the recognition that we have an increasingly sophisticated cybersecurity environment."
Individuals familiar with the conversations said regulators are intent on obtaining banks' input to ensure any plan will be appropriately balanced. The proposal will likely be issued as an advance notice of proposed rulemaking, which will allow regulators more time and multiple iterations to get it right.
"This is a full-on dialogue with the banks," said Kevin Petrasic, a partner at White & Case. Examiners are already "gathering all sorts of information," he added.
As it is, banks' cybersecurity measures are an integral part of safety and soundness exams. But
a formal cybersecurity regulation, supporters say, will create explicit and enforceable cybersecurity requirements.
"There probably does need to be some enhanced security in place for systemically important systems," said the industry source. "Systemically important systems are just that. They by their very definition warrant potentially higher levels of security."
The ultimate proposal will likely take inspiration from the Federal Financial Institutions Examination Council's cybersecurity assessment tool — a voluntary resource for banks to test their cybersecurity practices according to the level of risk they present — but with some critical differences.
Critics say the checkbox nature of the tool limits its effectiveness. It "was becoming a compliance process," said the industry source, as opposed to a resource to "encourage cybersecurity on a risk basis."
The tool also does not carry the weight of a formal regulation, even though examiners are known to refer to it when measuring banks' cybersecurity preparedness. It is "quote-unquote voluntary," Petrasic said.
With a formal regulation, regulators could create a more holistic cybersecurity baseline in order to strengthen the financial system as a whole.
Large banks are well equipped to face cybersecurity attacks against them, Petrasic said. But their Achilles' heel remains the network to which they are attached.
"You may have very formidable defenses for the larger banks," Petrasic said. But "malware can infect the payments system through smaller banks. The end result is ultimately the same."
As the payment systems' speed evolves, a regulation could also force providers to keep cybersecurity concerns in mind.
"The Holy Grail is real-time transaction in which literally the money flows simultaneously from one account to another [which] allows little room for air," Petrasic said. "Whatever gets imposed, if all banks are subject to it then by default the payment networks will have to make the adjustment to be compliant."
That's why many third-party bank providers, including online lenders and other fintech companies, could be covered by the proposal.
"The regulators are worried that these companies represent a back door into the bank itself," said a fintech industry representative who spoke on condition of anonymity. "They're worried about the startups not being as secure."
Since 2009, the Office of the Comptroller of the Currency has issued several guidance letters detailing to which cybersecurity standards banks should hold their third-party affiliates.
But a joint rule from the Fed, OCC and Federal Deposit Insurance Corp. would carry more weight, industry observers note.
Still, community banks are wary that a regulation designed for larger banks could end up stifling institutions with fewer resources.
"One of the things that we would definitely want to see that continues is that any rule that's issued is risk-based and is commensurate with the complexity and risks of an institution," said Lilly Thomas, the vice president and senior regulatory counsel at the Independent Community Bankers of America.