Why it matters

Reflecting continued regulatory focus on the issue of cybersecurity, Comptroller of the Currency Thomas Curry said in recent remarks, retailers must be held accountable for data breaches, urging federal lawmakers to adopt legislation that would alleviate the burden currently shouldered by banks. “The same expectations for security of customer information and customer notification when breaches occur should apply to all institutions,” he said at the Tenth Annual Community Bankers Symposium in Chicago. “And when breaches occur in merchant systems, it seems only fair to me that they should be responsible for some of the expenses that result.” Multiple bills addressing cybersecurity that would shift some level of responsibility to retailers are currently pending in Congress, leaving Curry “hopeful” for a change, he added. While he advocated for a more reasonable burden for financial institutions, Curry also reminded banks to remain vigilant with regard to data security. “Clearly, our expectations as supervisors are high in the area of cybersecurity. But the stakes are high as well,” he said.

Detailed discussion

Cybersecurity is a topic much in the headlines recently, Curry acknowledged to an audience of community bankers. Additionally, he said even if community banks themselves have not been named in a high-profile breach, they also suffer from data thefts.

“Financial institutions are often on the hook to compensate customers for fraudulent charges, and replace credit and debit cards and monitor account activity for fraud at significant cost,” he said. “That’s not easy for any bank, but it’s a burden that falls especially heavy upon community institutions. At a cost of $5 or more per card and covering the related fraud charges, the costs can run up very quickly.”

The spate of recent data breaches highlights two pressing points, Curry explained. First, all entities can improve their cybersecurity.

Secondly, the incidents “also demonstrate why we need to level the playing field between financial institutions and merchants,” he told attendees. “The same expectations for security of customer information and customer notification when breaches occur should apply to all institutions. And when breaches occur in merchant systems, it seems only fair to me that they should be responsible for some of the expenses that result.”

Having called for a more equal playing field, Curry reiterated the importance of cybersecurity for community institutions. Recognizing that smaller institutions have limited resources, he encouraged attendees to take advantage of other options, including the Financial Services Information Sharing and Analysis Center (FS-ISAC).

Curry also voiced support for the Federal Financial Institutions Examination Council’s (FFIEC) efforts to provide guidance on the issue of cybersecurity, citing alerts issued by the group on technological vulnerabilities like the “Heartbleed” bug as well as an “instructive” report with observations on a Cybersecurity Assessment of community institutions.

The report “will help member agencies make informed decisions about ways to enhance the effectiveness of cybersecurity-related supervisory programs, guidance and examiner training,” Curry explained, such as suggesting the incorporation of cyber-incident scenarios into business continuity and disaster recovery planning and consideration of “external dependency management,” or keeping a close eye on third-party connections.

“[W]e expect management at every institution we supervise to monitor and maintain sufficient awareness of cybersecurity threats and vulnerabilities,” Curry counseled his audience. “For an industry in which reputation means everything, a single data breach involving confidential customer information can be extremely costly.”

Banks should expect heightened regulatory concerns to be expressed about their cybersecurity planning, as part of the regular bank examination process.

In addition, on December 10, New York’s Department of Financial Services (DFS) Superintendent Benjamin Lawsky issued new cybersecurity guidance for New York banks. To read Superintendent Lawsky’s letter on the cyber security assessment, click here.

To read Comptroller Curry’s remarks, click here.