We all know that cyber-attacks are a scourge in the financial services industry. What, however, are these firms doing about it?

That was the question posed on Nov. 1 when a subcommittee of the House Financial Services Committee held a hearing on the topic to examine cyber-security gaps and identify where state and federal data security regulation could be improved.

“More than 15 million Americans were victims of cyber-fraud or identity theft last year,” said Subcommittee Chairman Blaine Luetkemeyer (R-Mo.). “While data security has been a hot topic since the latest breach, Equifax isn’t where the problem started and, if we don’t act, it isn’t where the problem will end. With each attack more dangerous and more advanced than the last, it is crucial that every aspect of data security is examined.”

The hearing, he said after its conclusion, “reiterated that we need to work collaboratively to reduce red tape, create a prompt notification standard, and foster harmonization among federal and state agencies charged with data security regulation.”

He promised that data security reform legislation would emerge in the near future.

“The cyber-security landscape is complex with a wide array of hostile actors, including criminals seeking financial gain, nation states engaged in corporate espionage or worse, and terrorist groups seeking to disrupt markets and create fear,” said Kenneth Bentsen, president and CEO of the Securities Industry and Financial Markets Association. “Cyber-crime is now a bigger criminal enterprise than the global narcotics trade.”

The financial services industry, he said, is a top target facing tens of thousands of attacks each day.

“In simple terms: Financial institutions shouldn’t have to devote limited resources to redundant regulatory and supervisory requirements at the expense of actual security-based activities,” he said. “It is critical that we establish a robust partnership between industry and government to mitigate cyber-threats and their impact.”

“Working with its members, along with our sister trade associations, SIFMA has recognized a number of best practices for the protection of sensitive data in the financial services sector,” Bentsen testified. “These practices draw on the experience of our member firms and their own policies and procedures, as well as industry standards such as the National Institute of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cyber-Security.”

Data protection “begins with firms taking a risk-based look at what information they collect,” he added. Do they have a business or regulatory purpose that requires them to hold this information? If sensitive information like Social Security Numbers is not directly relevant and necessary, firms should refrain from collecting it.

“Once firms have collected sensitive data, they should ensure that they have controls in place to protect it while it is being used or stored,” Bentsen said. This includes ensuring that access to sensitive data including investor information is restricted only to authorized users who need it to perform their jobs, and making sure that as individuals change their roles and responsibilities, their access to sensitive information is updated as well.

“Keeping access to this data focused only for those who need to use it helps reduce the potential points of risk,” he added. “Firms should also have policies such as data loss prevention controls and multifactor authentication to control access to sensitive data, as well as maintain a detailed audit trail of how sensitive data is handled while in possession to identify any weaknesses or vulnerabilities.”


Bentsen reminded the panel that the focus on data protection also extends “beyond securities firms themselves to encompass other entities with whom we share information.” The risks posed by third parties have been recognized by regulators in the United States and internationally, such as the Office of the Comptroller of the Currency’s release on third-party relationships and risk management guidance.

Consolidated Audit Trail. Turning to the Securities and Exchange Commission’s ambitious plans for a Consolidated Audit Trail (CAT), Bentsen said that his member firms want to ensure that the development of the CAT “does not introduce new data protection risks.”

Once complete, the CAT will be the world’s largest data repository for securities transactions and one of the world’s largest databases of any type. Every day the system would ingest 58 billion records (orders, executions, and quotes for the equities and options markets) and would maintain data on over 100 million customer accounts and their unique customer information. This data would grow to an estimated 21 petabytes within five years, the equivalent of over ten times the content of all U.S. academic research libraries, in a single database.

“As currently designed, the CAT could also be a gateway for cyber-criminals to access confidential trading information and the personal information of tens of millions of retail investors,” he said. “The current CAT plan requires reporting firms to provide a significant amount of sensitive customer information, including name, Social Security Number, and address. It will also hold sensitive trade information, which could be used to reconstruct proprietary trading strategies … This information will be held in a single database that creates a high value target, and bad actors will have a strong incentive to find the weakest link to gain access.”

“While our concern existed before the recent breaches, many stakeholders remain skeptical that the CAT, as currently designed, will be able to protect the massive amount of sensitive PII for every investor in America,” he added. “Despite serious data protection concerns, the CAT technical specifications that have been released to date include alarmingly few details on data security and protection.”

Bentsen stressed the value of collaboration. In recognition of the cyber-threat to the financial sector, a coalition of financial services trade associations and the Financial Services Sector Coordinating Council, working with SROs, state regulatory agencies, and members of the Financial and Banking Information Infrastructure Committee agreed to create forums to discuss various guidance, tools, frameworks, regulations, and examination processes, built around the NIST Framework.

Daniel Mennenoh, president of the H.B. Wilkinson Title Company, a title insurance agency headquartered in Illinois, testified that cyber-security is not a problem the industry can fix on its own. “What is so frustrating is that there is no amount of money we can spend to protect our consumers from being targeted by these criminals,” Mennenoh said. “Probably the single biggest preventative measure that real estate and banking professionals can take is to encourage consumers to call the title company or real estate agent to verify wire instructions before transmitting funds,” he added.

As a strike against title fraud, he also urged institutions to match not only the account number of the recipient but also the payee’s name. Oftentimes the fraudulent instructions will say the transfer is to be sent to the title company’s trust account, but instead it goes to the criminal’s personal account.

“Just matching the account number on the request with an account number at the beneficiary bank will not catch this,” Mennenoh said. “Some banks have voluntarily added capabilities to match the payee’s names, and it is proving useful in catching these schemes.”
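The payee-name check Mennenoh describes, as an added illustration that is not part of the hearing testimony: the beneficiary bank's account records, the trusted trust-account details and the "John Doe" fraud account below are all constructed placeholders, and `verify_wire` is a hypothetical helper showing why an account-number-only match passes the fraudulent instruction while a name match flags it.

```python
import re
import unicodedata
from dataclasses import dataclass

# Constructed sample of a beneficiary bank's account-holder records:
# (routing number, account number) -> registered account holder name.
# All values are placeholders, not real accounts.
BANK_ACCOUNTS = {
    ("000000000", "111111111"): "Example Title Company Trust Account",
    ("000000000", "222222222"): "John Doe",  # criminal's personal account
}

# Corporate noise words that legitimately vary between a payee line and a
# bank's registered holder name and should not cause a false mismatch.
NOISE = {"the", "co", "company", "inc", "llc", "ltd", "corp", "corporation", "of"}


@dataclass(frozen=True)
class WireInstruction:
    routing_number: str
    account_number: str
    payee_name: str


def normalize_name(name: str) -> tuple:
    """Casefold, strip accents and punctuation, drop noise words, sort tokens."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    tokens = re.findall(r"[a-z0-9]+", ascii_name.casefold())
    return tuple(sorted(t for t in tokens if t not in NOISE))


def _key(instr: WireInstruction) -> tuple:
    digits = lambda s: re.sub(r"\D", "", s)
    return (digits(instr.routing_number), digits(instr.account_number))


def account_only_check(instr: WireInstruction, accounts: dict) -> bool:
    """The weak control: passes as long as the account exists at the bank."""
    return _key(instr) in accounts


def verify_wire(instr: WireInstruction, accounts: dict) -> str:
    """Stronger control: the named payee must also match the registered holder."""
    holder = accounts.get(_key(instr))
    if holder is None:
        return "account_unknown"
    if normalize_name(holder) != normalize_name(instr.payee_name):
        return "payee_mismatch"
    return "match"


# Constructed instructions: a genuine one, and a fraudulent one that names the
# trust account but points at the criminal's own account number.
LEGIT = WireInstruction("000000000", "111-111-111", "Example Title Co., LLC Trust Account")
FRAUD = WireInstruction("000000000", "222-222-222", "Example Title Company Trust Account")
```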

Edmund Mierzwinski, U.S. PIRG’s consumer program director, cautioned Congress not to move forward on any breach or data security legislation “that would preempt strong state privacy leadership or would endorse closed or non-technology neutral standards.”

“Federal law should never become a ceiling of protection; it should always serve as a minimal floor that allows state experimentation,” he said. “Federal law should not endorse specific solutions that limit innovation.”

The United States, Mierzwinski suggested, should move beyond the “sectoral approach” embodied in the Fair Credit Reporting Act, the Right to Financial Privacy Act, the Electronic Communications Privacy Act, and the Video Privacy Protection Act.

The FCRA, for example, limits the use of consumer credit reports only to firms with certain permissible purposes (generally, determinations of a consumer’s eligibility for credit, insurance, and employment); it requires credit bureaus (data collectors) to meet certain accuracy standards, and it allows consumers to review their files, dispute and demand corrections of mistakes, and control the secondary use of their files by opting out of marketing uses of their reports.

The U.S. sectoral-only privacy laws should be contrasted with the new European General Data Protection Regulation, he said. It provides over-arching privacy rights to European citizens covering corporate usage of their information, including rights to control the use of their information and to seek redress (and compensation) against the infringing company.

“Importantly, the GDPR, when it goes into final effect next year, trumps the existing Privacy Shield applicable to U.S. firms doing business in Europe and provides a roadmap for U.S. companies to improve their treatment of U.S. consumers,” he testified. “In particular, since SIFMA member firms will be subject to the GDPR, it seems that they can import those protections to small investors in the U.S., rather than seek, as they may today, to weaken applicability of existing state data security and identity theft laws.”

That said, Mierzwinski stressed that Congress needed to allow customers to hold firms more accountable—such as by way of civil litigation.

Congress must address data security issues and “move forward with meaningful legislation that will make a difference to consumers,” testified Debra Schwartz, president and CEO of Mission Federal Credit Union. She testified on behalf of the National Association of Federally-Insured Credit Unions.

Credit unions and other depository institutions already protect data consistent with the provisions of the 1999 Gramm-Leach-Bliley Act and are examined by a regulator for compliance with these standards.

“Unfortunately, there is no comprehensive regulatory structure similar to what GLBA put in place for depository institutions for other entities that may handle sensitive personal and financial data,” Schwartz said. “Too often, credit unions are left cleaning up the mess and helping their members restore their personal financial information after another entity has suffered a breach.”