Community banks in the U.S. are struggling to bear the cost of a rapid increase in ransomware attacks against them in recent years, and industry leaders say that a lack of vigilance on the part of retailers and bank technology providers is putting Americans’ financial data at risk.
“Cyber threats have evolved in recent years from criminal actors seeking profit to nation states with massive resources and technological sophistication whose goal is data gathering on our customers and businesses, systemic disruption and political damage,” said Jeff Newgard, CEO of Bank of Idaho, a $700 million community bank, during a House Financial Services subcommittee hearing Wednesday. “The threats are greater than ever and continue to mount and evolve.”
The banking industry saw a 1,318% increase in the number of ransomware attacks waged against it in the first half of 2021, compared to the same period a year earlier, according to a September report from cybersecurity company Trend Micro. This growing challenge is helping drive consolidation in the industry as smaller players struggle to afford the cost of protecting their customers’ data, community bankers told the panel.
A complaint shared by each witness at the hearing on cyber threats, consumer data and the financial system is that small banks are at the mercy of technology vendors whom they increasingly turn to for help in combatting cyber threats.
“These companies have no incentives to help us adapt to the changing competitive landscape,” said Robert James, CEO of Carver Financial Corp., a Georgia-based community bank and minority depository institution. James and the other panelists lamented the degree of concentration in the industry, as three firms — Fiserv Inc. (FISV), Fidelity National Information Services Inc. (FIS), and Jack Henry & Associates (JKHY) — dominate the market for so-called “core” banking services.
Carlos Vasquez, chief information security officer at Canvas Credit Union, echoed other panelists when he called on lawmakers to give federal regulators, including the Federal Deposit Insurance Corp. and the National Credit Union Administration, greater oversight responsibility over these companies to make sure their cybersecurity practices are adequate.
“The vendors seem to have a playbook where they know a breach is coming, but know all they have to do is wait for the next news cycle” for the issue to pass, Vasquez said. “There’s nothing to prevent them from doing so.”
Bank of Idaho’s Newgard called on Congress to extend the federal data security standards that apply to the financial sector so that they cover retailers and technology companies as well.
“Securing data at financial institutions is of limited value if it remains exposed at the point-of-sale and other processing points,” said Newgard. “To effectively secure customer data, all participants in the payments system, and all entities with access to customer financial information, should be subject to and maintain well-recognized standards.”
The 1999 Gramm-Leach-Bliley Act requires financial services companies to ensure the security and confidentiality of customer information, but the law was written before the growth of online commerce and financial technology led to a wider array of businesses handling sensitive consumer financial information.
Newgard also endorsed pending legislation that would require private companies to report cyberattacks to the government, but also called on the government to step up its efforts to share information with the private sector.
“We don’t have information as it becomes available on the government side. We feel like we’re about a half step behind,” Newgard said.
This post was originally published on Market Watch