Hackers who relentlessly pursue banks may run into tougher defenses as the Federal Reserve and other US regulators force the biggest lenders to plug any vulnerabilities.
Banking agencies released a proposal Wednesday for rules that would require lenders — and the outside firms that serve them — to better safeguard themselves and their customers. Banks with more than $50 billion in assets and other systemically significant firms would have to establish board-approved protections that make them more aware of what’s happening in their own systems. The proposal also aims to keep successful cyber attacks from spreading damage through the broader financial sector.
Affected companies “would be required to be capable of operating critical business functions in the face of cyber-attacks and continuously enhance their cyber resilience,” the regulators said. The proposal also demands “secure, immutable, off-line storage of critical records.”
Digital breaches have cost the financial industry billions and prompted banks to hire armies of cyber defenders in recent years. So, the Fed, the Office of the Comptroller of the Currency and the Federal Deposit Insurance Corp. devised a plan that sets the minimum each lender must do to show it’s protecting itself. For instance, the banks’ most critical systems that the wider financial system depends on would have to be able to recover from attacks within two hours.
In what could be a windfall for outside companies that provide cyber protection, those systems would also have to be shielded by “the most effective, commercially available controls,” though agency officials gave no further details on how that would be defined.
The outside vendors are also getting more scrutiny. Consumer Financial Protection Bureau Director Richard Cordray, a member of the FDIC’s board, flagged the “utter dependence” of banks on their technology and outside service providers. Risks may develop in those firms, he said, meaning bank customers could have less control over emerging problems.
The agencies approved an advance notice of proposed rulemaking, a preliminary step that means a final measure could still be many months in the making. The public will have 90 days to comment on the initial ideas.
The banking industry has been stunned by recent computer muggings, including a February hack of Bangladesh’s central bank in which thieves made off with $81 million and the 2014 incursion of JPMorgan Chase & Co. that compromised information on millions of customers.
In recent years, regulators’ public responses to hacks have mostly consisted of issuing guidance and industry alerts. The escalating attacks have put pressure on them to do more, and a formal rule could give the government more power to crack down on lenders it thinks aren’t doing enough. New rules would update information-security standards that were issued well before modern threats emerged.
In JPMorgan’s 2015 annual report, Chief Operating Officer Matt Zames said thousands of employees were working from three global security-operations centers to protect the bank. He noted that every month they find more than 200 million malicious e-mails — each the potential foothold for an attack.
Cybersecurity breaches — including the routine hacking of e-mails from government, political and corporate officials — have been a factor in this year’s presidential election. Democratic officials have accused Russia of hacking e-mails and then providing WikiLeaks with sensitive documents aimed at undermining Hillary Clinton’s bid for the White House.
Clinton has said cyber warfare is one of the biggest threats the next administration must deal with, especially those attacks supported by countries including Russia. While Republican candidate Donald Trump has cast some doubt on whether foreign nations may be involved in attacks, he said during a debate last month that “we are not doing the job we should be doing” and “we have to get very, very tough on cyber.”