Buckle up, bankers: cybersecurity is about to be regulated. Evidence for this conjecture can be found in recent speeches by New York banking regulator Benjamin Lawsky, who announced in October the possible imposition of new, strict cybersecurity rules for financial institutions. Banks could be required to appoint chief information security officers and to undergo quarterly tests for information system vulnerabilities under the regime.
Lawsky's concept is not new. Martin Gruenberg, chairman of the Federal Deposit Insurance Corp., has spoken forcefully about the data breach risk faced by banks. "Cybersecurity is no longer just an issue for the IT department," he said in a September speech at the American Banker Regulatory Symposium. "Instead, it needs to be engaged at the very highest levels of corporate management." The Securities and Exchange Commission, Federal Communications Commission and Federal Trade Commission have also recently made strong statements about the critical importance of data security.
It's undeniably true that cyberintrusions pose a major threat to financial institutions, and no one expects the current onslaught of breaches to diminish. Given that reality, the question is not whether regulatory actions in this area will come, but when. Banks must already maintain basic information protection to comply with the safeguards rule for data security under the Gramm-Leach-Bliley Act of 1999. But the law does not provide a standard set of protocols that banks must follow, and the interpretation and application of practices can be as varied as the number of banks regulated.
Laws and regulations are usually enacted because of the lowest common denominator. A company discovers lead in paint, and a regulation shortly follows that says no one is allowed to put lead in the paint anymore. Cybersecurity regulation, however, will address more complicated and intersecting issues. Enormous companies with tremendous information security expenses and protections are breached every week. Regulations can help assign legal duties and responsibility, illuminate investor or shareholder disclosure obligation and clear up many other issues that end up in litigation once a bank's information has been compromised.
Banks' relationships with third-party vendors are also likely to be governed by future regulation, according to recent signals from the New York State Department of Financial Services and the U.S. Treasury. There is good logic behind this proposal. While an individual bank's information security practices may be solid, the same cannot necessarily be said for third-party vendors that may have access to a bank's networks but not the same level of data protection, training or contractual protection. A true information security assessment must include a review of these third-party relationships. Regulation that requires banks to address these considerations is an obvious next step.
Cybersecurity is a continually shifting area. On a daily basis, new threats are discovered and other protections are rendered obsolete. But with more regulations undoubtedly on the way, banks should act now to integrate cybersecurity into every board meeting. They should also update information security policies, review third-party vendors and their contracts, run vulnerability assessments, and create a crisis response team.
Voluntarily taking these basic precautions now will be less costly than waiting for inevitable regulations to mandate a response. And if regulators add incentives for early adopters of cybersecurity precautions as they are expected to, proactive banks can get ahead of the competition.
Shamoil Shipchandler, David Ball and Daniel Meyers are partners at Bracewell & Giuliani.