On May 24, 2018, the U.S. Senate Committee on Banking, Housing, and Urban Affairs (the “Committee”) held a hearing entitled, “Cybersecurity: Risks to the Financial Services Industry and Its Preparedness.” Witnesses from a wide range of financial sector organizations provided testimony on the threats faced by the financial sector, collaboration and information sharing between the private and government sectors, and public disclosure requirements.
Senator Mike Crapo (R-ID), Chairman of the Committee, opened the hearing by noting as follows: “As our society increases its reliance on technology and becomes accustomed to immediate access to information and services from companies, the risk of – and the potential damage caused by – data breaches continually increases. Americans are becoming more aware of the amount of information, including personally identifiable information or PII, that is stored by companies and there is a growing realization that this information can be stolen or misused.”
Senator Sherrod Brown (D-OH), Ranking Member of the Committee, questioned the adequacy of the current baseline of protection for consumer PII and public disclosure of breaches and whether additional controls should be added to the market governing how PII is used by the financial sector. Witnesses were in general agreement that more needed to be done – and is being done – across the board to address these issues.
Senators Mike Rounds (R-SD) and Heidi Heitkamp (D-ND) discussed the idea of a financial sector “umbrella” or “iron dome” of cyber readiness to serve as a means to deter threats. Senator Rounds offered the Department of Defense Science Board’s February 2017 Task Force on Cyber Deterrence report regarding cyber threats to critical infrastructure, which explains an across-the-board need to identify where attacks are originating – whether by individuals, criminal organizations, or other nations. Senator Mark Warner (D-VA) suggested individuals with a security clearance be in place at every large and mid-size institution to facilitate better information sharing between the intelligence community and the financial sector. Witnesses were in agreement that increased collaboration and information sharing between the private sector and the government sector would greatly assist with cyber readiness and resiliency. Senator Catherine Cortez Masto (D-NV) asked for viewpoints on information sharing legislation, noting that she is interested in crafting legislation to promote real-time information sharing among financial institutions. While witnesses also agreed that real-time information sharing is critical, the financial industry generally does not share threats in real time due to confidentiality agreements and privacy requirements. Witnesses further discussed that privacy requirements are invaluable but also prevent industry participants from sharing information that could further protect consumers.
Senator Jack Reed (D-RI) discussed his legislation, S. 536, the Cybersecurity Disclosure Act of 2017, which would direct the Securities and Exchange Commission (“SEC”) to require a registered issuer to disclose in its annual filings whether any member of its governing body possesses cybersecurity expertise. The witnesses agreed that more disclosure should be expected from the financial sector, and that cybersecurity experts are critical to bridging the gap between the technological world and the business world. Senator Doug Jones (D-AL) questioned whether organizations should be rated on their level of cybersecurity risks and how to get this information to investors or into the marketplace. Senator Warner further discussed the lack of requirements to disclose a data breach on an SEC filing and noted that he intends to address this going forward. Witnesses offered that, while many disclosures are required in filings, existing requirements could be augmented and more standards are needed in the industry to assess the cybersecurity risks of financial institutions.
Similar hearings are expected in the near future. Indeed, Chairman Crapo stated that “[t]he collection and use of PII will be a major focus of the Banking Committee moving forward, as there is broad-based interest on the Committee in examining th[e topic].”