November 1, 2017
House Financial Services Committee Subcommittee on Financial Institutions and Consumer Credit “Data Security: Vulnerabilities and Opportunities for Improvement”
Key Topics & Takeaways
- Regulatory Harmonization: Regulatory harmonization was a frequent topic of discussion during the hearing. SIFMA CEO Ken Bentsen discussed at length the need for coordination between financial services regulators on cyber regulations and praised the NIST framework as one that would reduce regulatory burdens while protecting consumers.
- Data Breaches: The recent, high-profile data breaches of Equifax and the SEC’s public filing system EDGAR were frequent topics of discussion throughout the hearing. Numerous Members of Congress from both parties asked witnesses for their views on a uniform national standard for breach notification. While one witness defended the current reliance on state-level breach notification laws, others called for a uniform standard that would provide predictability and lighten the regulatory burden on firms. Ken Bentsen also repeatedly stressed the importance of a flexible notification standard that would require timely notification of data breaches while allowing firms to conduct audits and determine the scope of the damage before notifying customers, especially in cases where a cyberattack is ongoing.
- Consolidated Audit Trail (CAT): During the hearing, Ken Bentsen also drew attention to the in-development Consolidated Audit Trail (CAT), which when completed will be one of the largest databases in the country. Bentsen noted that SIFMA’s members have concerns about the scope of data collected by the CAT and said there were valid questions about whether the personally identifiable information (PII) scheduled to be collected by the CAT is necessary for it to fulfill its market surveillance role.
Witnesses
- The Honorable Kenneth Bentsen, Jr., President and Chief Executive Officer, Securities Industry and Financial Markets Association
- Daniel Mennenoh TIP NTP, President, H.B. Wilkinson Title Company, on behalf of the American Land Title Association
- Edmund Mierzwinski, Consumer Program Director, U.S. Public Interest Research Group
- Debra Schwartz, President and Chief Executive Officer, Mission Federal Credit Union, on behalf of the National Association of Federally-Insured Credit Unions (NAFCU)
Subcommittee Chairman Blaine Luetkemeyer (R-Mo.)
In his opening statement, Luetkemeyer discussed the “alarming” number of Americans harmed by cybercrime each year, as well as the recent spate of high profile hacks and data breaches which exposed Americans’ personally identifiable information (PII). Luetkemeyer asked if the current regulatory regime balances effectiveness, innovation, and oversight, and said that regulators and Congress should reduce red tape while ensuring that data breaches are reported in a timely manner. Luetkemeyer also said that he would soon introduce data security reform legislation aimed at doing just that.
Subcommittee Vice Chairman Keith Rothfus (R-Pa.)
In his opening statement, Rep. Keith Rothfus discussed the recent spate of sophisticated cybercrimes that put Americans and the American financial system at risk, and described cybercrime as a national security threat. Rothfus said that the committee needs to address the growing threat and said that it is important that firms promptly notify law enforcement and customers in the event of attacks.
The Honorable Kenneth Bentsen, Jr., President and Chief Executive Officer, Securities Industry and Financial Markets Association
In his testimony, Bentsen said that SIFMA’s members are committed to protecting their customers from data breaches and cyberattacks, and noted that cybercrime, measured as an industry, is now larger than the narcotics trade. Bentsen also outlined some of SIFMA’s efforts to develop industry best practices on data collection and management and to coordinate with regulators on cyber practices, and discussed the important collaboration between industry and government to protect financial markets and American consumers, including the cyber exercises that SIFMA organizes. Bentsen closed by discussing the in-development Consolidated Audit Trail (CAT), which will store both trade data and PII, and called for amending H.R. 3973, the Market Data Protection Act of 2017, to require the self-regulatory organizations (SROs) responsible for developing the CAT to create their own risk controls.
Daniel Mennenoh TIP NTP, President, H.B. Wilkinson Title Company, on behalf of the American Land Title Association
In his testimony, Mennenoh discussed title fraud and related phishing attempts, which he called “one of the largest threats” facing consumers and homebuyers. Mennenoh noted that the FBI observed a 480 percent increase in title fraud last year, costing Americans $5.3 billion. Mennenoh noted that the loss of a down payment for a home through title fraud can devastate Americans, and that the problem persists despite attempts by title companies to address it. Mennenoh said that increasing consumer education about the problem, and requiring financial institutions to match account numbers and names for these transactions, could deter the practice.
Edmund Mierzwinski, Consumer Program Director, U.S. Public Interest Research Group
In his testimony, Mierzwinski criticized Equifax for its delayed disclosure of its recent data breach and called for increased scrutiny of the credit bureaus by regulators. Mierzwinski praised a bill introduced by Rep. Maxine Waters (D-Calif.) that would reform the credit bureaus themselves and transfer data security oversight to the Consumer Financial Protection Bureau (CFPB). Mierzwinski closed by praising the states as “privacy innovators” and “privacy first responders,” saying that Congress should not preempt state data breach notification laws or the ability of states to conduct data examinations.
Debra Schwartz, President and Chief Executive Officer, Mission Federal Credit Union, on behalf of the National Association of Federally-Insured Credit Unions (NAFCU)
In her testimony, Schwartz described data security as “everyone’s responsibility,” and said that NAFCU supports comprehensive, cross-industry data security measures to protect customer data. Schwartz also praised the Gramm-Leach-Bliley Act (GLBA) for creating a scalable set of data security practices. Schwartz outlined NAFCU’s principles for data security, including creating national standards for storing data and requiring breached retailers to notify financial institutions. She added that NAFCU supports requiring the breached entity to bear all costs resulting from a hack and subjecting credit bureaus to data protection examinations, and praised H.R. 2205, the Data Security Act of 2015, for creating national standards for data security and breach notification.
Question & Answer
Luetkemeyer began his questions by asking Bentsen about the importance of harmonization of state and federal data security protections and what role the House Financial Services Committee should play in that. Bentsen said that industry and government are trying to “get to the same place,” but that the jurisdictional issues financial institutions face are major ones, as many deal with banking and securities regulators, SROs and global regulatory bodies. Bentsen said the committee could exercise its oversight ability to push these disparate regulators to agree on a common framework for cyber regulations, and praised the National Institute of Standards and Technology (NIST) framework as a model for creating cybersecurity regulations.
Luetkemeyer then asked Bentsen if the NIST standards were adequate and if there should be a universal notification standard. Bentsen praised the NIST framework again, and said that notification is an important issue, and that firms should provide notification to parties impacted by data breaches in a timely manner. Bentsen hedged by saying that setting “artificial” deadlines for reporting breaches could introduce new risk factors, especially in cases where a cyber event may be ongoing or where audits are needed to uncover the extent of the damage of a cyberattack.
Rep. Roger Williams (R-Texas) asked Bentsen how Congress can create effective rules related to cybersecurity without overburdening industry in compliance costs. Bentsen replied that Congress has an important role to play in coordinating actions by the numerous different financial services regulators.
Rep. David Trott (R-Mich.) asked the panel to describe the most significant barriers to creating effective government-industry partnerships. Bentsen described the financial services industry’s partnership with federal regulators on cybersecurity as “quite good,” and credited the Treasury Department and the Department of Homeland Security (DHS) for their support. Bentsen stressed that all parties are “trying to row in the same direction.” Bentsen discussed the exercises conducted by industry with federal government involvement, as well. Bentsen did note that cooperation can break down when agencies, all of whom have their own individual mandates, do not collaborate with each other. Bentsen also discussed the importance of the NIST framework to create “interchangeability” between the requirements of different regulators.
Rep. Scott Tipton (R-Colo.) noted that a large amount of the cybersecurity activities at financial institutions are focused on compliance instead of security, and asked Bentsen to describe the impact of this. Bentsen said that SIFMA’s members want to dedicate more resources to front-line defense but have costly compliance regimes to navigate. Bentsen also raised concerns about a shortage of cyber defense personnel in the United States. Bentsen discussed the role that the NIST framework could play in reducing compliance costs and noted again that both industry and government want the same goal – a cybersecurity regulatory regime that is effective and protects markets and individuals.
Rep. Robert Pittenger (R-N.C.) asked Bentsen how Congress could mitigate the legitimate privacy concerns that arise when financial institutions share information with the federal government and each other. Bentsen said that the industry is interested in sharing information with government, and would like government agencies to share information with them, as there is an advantage to quickly spreading information about attacks through the financial sector. Bentsen also said that industry and regulators should be forward looking about cyber risks, as new technologies will create new cyber risks.
Luetkemeyer asked the panel if Congress should create guidelines for customer notification of data breaches. Schwartz said that the faster financial institutions are aware of breaches the faster they can respond, including distributing new cards and freezing account activity. Schwartz noted that her credit union found out about the Equifax hack through the news.
Subcommittee Ranking Member Wm. Lacy Clay (D-Mo.) asked the panel for their thoughts on what duties firms owe customers for disclosure of data breaches, and asked if the six weeks Equifax waited to disclose its recent breach was too long. Bentsen said that while people should be notified as soon as possible, he was not familiar with the details of the Equifax breach. Bentsen did say that any notification standard should be appropriately tailored so as not to create risks from disclosing breaches too soon, especially where an attack is ongoing. Mierzwinski said that Equifax probably violated several states’ laws on data breach notification. Schwartz argued that six weeks is “clearly” too long a time to wait for disclosure, as the failure to disclose the breach to banks and credit unions slowed those entities’ ability to respond with fraud prevention steps.
Williams asked the panel for their views on the type of notification standards that should exist. Schwartz called for notification “as soon as reasonably applicable,” though she also conceded it would be difficult to put firm timeframes around notification. Schwartz stressed the importance of retailers notifying financial institutions quickly, as banks and credit unions play important fraud prevention roles.
Rep. Andy Barr (R-Ky.) expressed concern about the “weakest link” in the cyber defense chain, and asked Schwartz where the weakest link is. Schwartz said that the merchant level is the weakest, because while banks expend much effort on their cybersecurity defenses, some merchants do not have the most “basic level” of cyber defense, and many lack data destruction procedures.
Barr noted that many retailers disliked the idea of “stringent, bank-style” rules on data security, and Schwartz noted that financial institutions are “on the hook” for the monetary costs of data defense. Schwartz praised H.R. 2205 for creating a level playing field in data security. Barr closed by expressing hope that retailers and financial institutions could work with Congress on a solution to data breaches.
Consolidated Audit Trail
Luetkemeyer asked Bentsen if he believes the CAT is a promising idea. Bentsen said that the concept is appropriate, but that SIFMA’s members are concerned about the amount of data being gathered by the CAT and that there are questions about the usefulness of gathering PII.
Rep. Barry Loudermilk (R-Ga.) expressed his interest in looking at the issue of government regulations requiring firms to collect and store more data than they need, and asked the panel for their thoughts on this. Bentsen noted that the CAT will require firms to report a large amount of PII to a centralized database, and questioned whether that information is needed to accomplish the underlying goal of conducting market surveillance.
Gramm-Leach-Bliley Act (GLBA)
Throughout the hearing, Schwartz (on behalf of NAFCU) repeatedly praised the GLBA for creating a dynamic, scalable, and flexible data security regime that fit the needs of small credit unions and large multinational financial institutions. Schwartz described the GLBA as an “excellent model” for future legislation.
In response to a question from Rep. David Scott (D-Ga.), Schwartz praised the GLBA as a good alternative to a one-size-fits-all standard that still provides important minimum standards for data security.
Government Data Security
Rep. Claudia Tenney (R-N.Y.) asked the panel how Congress can help secure data held by regulators. Schwartz noted that data is requested by regulators with the “best intentions,” but that most of the data reported by financial institutions would be available at examinations, potentially eliminating the need for vast amounts of account-by-account or loan-by-loan reporting. Schwartz noted that on-site examinations can allow firms to store data on site and eliminate a risk point by not transmitting it. Bentsen took the opportunity to discuss penetration testing, noting that many large institutions want to conduct these tests to find vulnerabilities, but are concerned about being required to use certain vendors, or to send the results of the test outside the institution. Bentsen suggested that an alternative would be for examiners to view the results of penetration tests on-site, to eliminate a risk point when the data is shared electronically.
Rep. Ed Royce (R-Calif.) noted that failures in cybersecurity systems have occurred in both the public and private sector, and asked Bentsen if the government is doing enough to shore up its own systems. Bentsen praised the Department of Treasury for actively looking at this issue.
Tipton asked Bentsen to discuss the lessons learned from the Quantum Dawn series of exercises. Bentsen described Quantum Dawn, noting that the exercises simulate major attacks on financial services infrastructure and involve both industry and regulators. Bentsen said that the exercises allow firms to test their information sharing practices, test their playbooks, and get regulator feedback. Bentsen also described the Sheltered Harbor initiative, which aims to help financial institutions restore damaged or destroyed records. Bentsen said that these efforts improve the resiliency of the financial system.
Title Fraud
Throughout the hearing, there was substantial discussion about the impact of title fraud on Americans, and the steps Congress could take to prevent this unique type of fraud. Mennenoh (on behalf of ALTA) repeatedly supported improving consumer education and requiring financial institutions to match account name and number for these transactions. Mennenoh also described the steps that title companies – whose actions are often misunderstood by consumers – take to prevent title fraud, including using encrypted messages and secured platforms for information sharing.