The recent ransomware attacks on the energy and meat processing industries are a reminder of the cybersecurity risk facing the banking sector. However, analysts say policymakers do not appear to be interested in safeguarding the financial system.
Exhibit A, they say, was a House Financial Services Committee hearing on May 27 with the CEOs of the six largest banks. Four of the executives at the hearing named cybersecurity the most dangerous threat to the banking system.
Although the aftermath of the May 7 ransomware attack on the Colonial Pipeline was still in the news, the CEOs' comments did not prompt any follow-up questions or comments from the panel. The hearing focused more on criticism of overdraft policy and banking diversity practices, corporate taxes and the industry's response to the pandemic.
The lack of discussion of cyber risk is surprising, experts said, given that Congress held hearings in 2017 to address Equifax's data breach.
Citigroup's Jane Fraser and Wells Fargo's Charlie Scharf, asked by a member of the House of Representatives to identify the greatest risk to the financial services industry, were among the CEOs who pointed to the threat posed by a cyberattack.
"It's amazing how quickly cybersecurity has slipped out of mind for lawmakers, since we only looked at the credit bureaus a few years ago," said Thomas Kost, attorney at Davis Wright Tremaine. "This is not a hypothetical threat. Given the JBS [meat processing] ransomware attack on top of the Colonial Pipeline, there could be so much substantive discussion now."
The forced shutdowns at the meat processor JBS and the Colonial Pipeline, as well as other ransomware attacks, have raised questions about the interconnection of bank networks and their service providers.
Observers say the recent attacks caught the attention of Congress, but protecting the financial sector was not part of the discussion.
The gap between the cyber concerns bankers raised at the hearing and the lack of interest from members of Congress could have wider implications, some said. Legislators have struggled for years to pass meaningful reforms that would strengthen cybersecurity standards. In general, Congress addresses cyber issues only after a major attack, and then loses focus.
"The recent incident in the Colonial Pipeline is a good example of how often the federal legislature reacts primarily to major incidents that affect our critical infrastructure and our customers who are its members," said Will Daugherty, partner and cybersecurity specialist at Norton Rose Fulbright.
Protecting consumer data and the banking system's infrastructure is essential to preventing widespread economic disruption. Financial services has been identified as one of 16 critical infrastructure sectors, which the USA Patriot Act defines as so vital to the country that their incapacitation or destruction would have a debilitating effect on the nation's economy and security.
Analysts say the bank chiefs' two hearings last month, one in the House of Representatives and another in the Senate, provided the usual theatrical rhetoric, with many lawmakers trying to elicit dramatic reactions from executives rather than gathering serious information.
"Congressional hearings are a 20- or 30-episode show, depending on which legislator speaks," said Ian Katz, managing director and policy analyst at Capital Alpha Partners. "It's not a good forum for discussion. For some who are watching, it may feel like there should be a conversation, but there isn't."
At the House hearing, when Rep. Bill Huizenga, R-Mich., asked the six CEOs to identify the greatest risk to the financial services industry, Jane Fraser of Citigroup, Charlie Scharf of Wells Fargo, David Solomon of Goldman Sachs and James Gorman of Morgan Stanley gave brief replies mentioning cyber risk. But Huizenga asked no follow-up questions after the CEOs cited cybersecurity, and neither did other lawmakers.
Rather than focusing on whether critical infrastructure is protected, lawmakers at the hearings grilled the banks' CEOs about overdraft fees, the response to the pandemic, and outreach to minorities.
"It also shows how far behind legislation is," said Tracy Kitten, director of fraud and security at Javelin Strategy & Research.
Some experts suggested that the discrepancy between lawmakers and others on the severity of financial cyber risk has to do with a general lack of familiarity among members of Congress with technology concepts. One observer even recalled how in 2006 the late Senator Ted Stevens, R-Ala., famously described the Internet as "a series of tubes."
However, the federal financial supervisory authorities have been integrating cybersecurity checks into examinations for years. Banks also face one of the toughest security breach reporting requirements yet proposed.
In January, the Federal Reserve, the Office of the Comptroller of the Currency and the Federal Deposit Insurance Corp. proposed that banks notify regulators of every "computer security incident" within 36 hours. The comment period on the proposed regulation ended in April.
"Cybersecurity has been and remains a major concern for financial regulators," Daugherty said. "Congress can sometimes be more reactive after an incident that brings the issue to the attention of the general public."
He noted that action is also being taken at the state level: the Conference of State Banking Regulators released an updated cybersecurity audit tool for assessing non-banks in February.
At the hearing in the House of Representatives last month, bank bosses were not asked how well they can withstand and respond to an attack. Still, large banks routinely conduct extensive vulnerability scans and penetration tests, two practices that probe IT systems for weaknesses, according to a March report by Moody's Investors Service on banks' cybersecurity strengths.
"The biggest concern for banks right now is their dependence on third parties, a type of supply chain attack," said Kitten.
Banks' reliance on information technology providers and supply chain partners makes the financial services industry a leading target for cyberattacks, according to a September report by the Government Accountability Office. The Treasury Department and financial regulators have taken several steps to facilitate cyber incident response and recovery. But the Treasury Department is not pursuing these efforts, the GAO said.
Small and medium-sized banks tend to be more vulnerable because they have less to invest in updated systems, experts said. According to data from Coveware, an analytics firm based in Westport, Connecticut, financial services companies were the target of 4.4% of ransomware attacks in the first quarter, behind professional services, the public sector, healthcare and other sectors.
Employees working from home during the pandemic forced many companies to adopt new technology quickly, creating security concerns.
"It has opened up a new target and opportunities for bad actors," said Daugherty.
Congressional hearings during the pandemic have also been marred by technical glitches that only underscore lawmakers' unfamiliarity with the technology. At the House Financial Services Committee hearing last month, Rep. Maxine Waters, D-Calif., was forced to halt proceedings several times when some members were muted or experienced connectivity issues.
Some experts also point out that, because of their format, congressional hearings are often combative, with lawmakers having only five minutes each to ask questions, so substantive questions and answers are generally not the norm.
Still, banks spend weeks, if not months, preparing for the hearings. Bank bosses often meet with lawmakers beforehand. Committee staff also submitted about two dozen questions that the banks had to answer for the Congressional Record. The written answers are fact-checked internally and reviewed by lawyers and compliance experts.
"Does it make sense for lawmakers to be able to interview the CEOs of the country's largest banks? Yeah, I'm sure," said Katz, "but it can also feel like a missed opportunity."