The recent ransomware attacks on energy and meat processing industries are a reminder of the cybersecurity risk facing the banking sector. But analysts say policymakers seem disengaged from securing the financial system.
Exhibit A, they say, was a May 27 House Financial Services Committee hearing with the CEOs of the six largest banks. Four of the executives at the hearing cited cybersecurity as the most dangerous threat to the banking system.
Even though the aftermath of the May 7 ransomware attack on the Colonial Pipeline was still in the news, the CEOs’ comments elicited no follow-up questions or statements from the panel. The hearing focused more on criticism of overdraft fee policies and bank diversity practices, corporate taxes and the industry’s response to the pandemic.
The lack of discussion about cyber risks was surprising, experts said, given that Congress had held hearings in 2017 to address the Equifax data breach.
Asked by a House member to name the biggest risk facing the financial services industry, Jane Fraser of Citigroup and Charlie Scharf of Wells Fargo were among the CEOs who cited the threat of a cyberattack.
“It is amazing how quickly cybersecurity fell out of lawmakers’ consciousness given we just dealt with this with the credit bureaus a few years ago,” said Thomas Kost, an attorney at Davis Wright Tremaine. “It’s not a hypothetical threat. There could be so many substantive discussions now given the JBS [meat processing] ransomware attack and before that Colonial Pipeline.”
The forced stoppages at the meat processor JBS and the Colonial Pipeline as well as other ransomware attacks have raised questions about the interconnectivity of bank networks and their service providers.
Observers say the recent attacks have drawn the attention of Congress, but safeguarding the financial sector has not been part of the discussion.
The gulf between bankers’ cyber-related concerns raised at the hearing and the lack of interest from members of Congress could have wider implications, some said. Lawmakers have struggled for years to pass meaningful reforms to strengthen cybersecurity standards. In general, Congress has only paid attention to cyber issues after a big attack, but then loses focus.
“The recent Colonial Pipeline incident is a good example of how oftentimes the federal legislative branch is primarily reactive to significant incidents that have an impact on our critical infrastructure and impact customers, who are their constituents,” said Will Daugherty, a partner and cybersecurity expert at Norton Rose Fulbright.
Protecting consumer data and the infrastructure of the banking system is essential to preventing a widespread economic disruption. Financial services has been identified as one of 16 critical infrastructures defined in the USA Patriot Act as so vital to the country that an incapacity or destruction would have a debilitating impact on the nation’s economy and security.
Analysts say the two bank CEO hearings last month — one in the House and another in the Senate — provided the usual theatrics with many lawmakers seeking to elicit dramatic responses from the executives rather than engaging in serious information-gathering.
“Congressional hearings are a show, with 20 or 30 episodes depending on which lawmaker is speaking,” said Ian Katz, managing director and policy analyst at Capital Alpha Partners. “It isn’t a good forum for conversation. It may feel to some watching that there’s supposed to be a conversation, but there isn’t.”
At the House hearing, when Rep. Bill Huizenga, R-Mich., asked the six CEOs to name the biggest risk facing the financial services industry, Jane Fraser of Citigroup, Charlie Scharf of Wells Fargo, David Solomon of Goldman Sachs and James Gorman of Morgan Stanley gave brief responses mentioning cyber risk. But Huizenga did not ask any follow-up questions when the CEOs cited cybersecurity, nor did any other lawmaker.
Rather than focus on whether critical infrastructure is protected, lawmakers at the hearings instead grilled bank CEOs about overdraft fees, the pandemic response and minority outreach.
“It goes to show too how far behind the lawmakers are,” said Tracy Kitten, director of fraud and security at Javelin Strategy & Research.
Some experts suggested the disconnect between lawmakers and others on the severity of financial cyber risks has to do with a general lack of familiarity members of Congress have about technology concepts. One observer even recalled how in 2006 the now-deceased Sen. Ted Stevens, R-Ala., famously referred to the internet as “a series of tubes.”
Federal financial regulators, however, have for years incorporated cybersecurity checks into exams. Banks also face one of the strictest proposed notification requirements for security breaches.
In January, the Federal Reserve, Office of the Comptroller of the Currency and Federal Deposit Insurance Corp. proposed that banks notify regulators within 36 hours of any “computer-security incident.” The comment period on the proposed rulemaking closed in April.
“Cybersecurity has been and remains a top concern of financial regulators,” said Daugherty. “Congress can be more reactive at times after an incident that brings the issue to the full public’s attention.”
He noted there also is action at the state level with the Conference of State Bank Supervisors issuing an updated cybersecurity exam tool in February to assess nonbanks.
At the House hearing last month, bank CEOs weren’t asked how well they can withstand and respond to an attack. Yet large banks routinely perform extensive vulnerability scans and penetration testing, two practices that analyze IT systems for weaknesses, according to a March report by Moody’s Investors Service about banks’ cybersecurity strengths.
“The biggest worry for banks right now is their reliance on third parties, a supply-chain type of attack,” Kitten said.
Banks’ reliance on information technology providers and supply chain partners makes the financial services industry a leading target for cyber-based attacks, according to a September report from the Government Accountability Office. The Treasury Department and financial regulators have taken multiple steps to support cyber incident response and recovery. But the Treasury does not track those efforts, the GAO said.
Small and medium-sized banks tend to be more vulnerable because they have less to invest in updated systems, experts said. Financial services firms were the targets of 4.4% of ransomware attacks in the first quarter, behind professional services, the public sector, health care and other sectors, according to data from Coveware, a Westport, Connecticut, analytics firm.
Employees working from home during the pandemic forced many companies to rapidly deploy new technology, adding to security issues.
“By doing so, it opened up a new attack surface and opportunities for bad actors to exploit,” Daugherty said.
Congressional hearings during the pandemic also have been marred by technical glitches that only serve to underscore lawmakers’ confusion about technology. At the House Financial Services Committee hearing last month, Rep. Maxine Waters, D-Calif., had to halt the proceedings several times when some members appeared to have their sound muted or encountered connectivity problems.
Some experts also note that congressional hearings often are combative because of their format, with lawmakers each given just five minutes to ask questions, so substantive questions and answers generally are not the norm.
Yet banks spend weeks if not months preparing for the hearings. Bank CEOs often meet with lawmakers leading up to the hearings. Committee staff also provide about two dozen questions to which banks must submit written responses as part of the congressional record. The written responses are fact-checked and reviewed internally by lawyers and compliance experts.
“Is it useful for lawmakers to be able to question the CEOs of the nation’s largest banks? Yes, I’m sure it is,” said Katz. “But it can also feel like a missed opportunity.”