[House Hearing, 114 Congress]
[From the U.S. Government Publishing Office]





  SMALL BUSINESS, BIG THREAT: PROTECTING SMALL BUSINESSES FROM CYBER 
                                ATTACKS

=======================================================================


                                HEARING

                               before the

                      COMMITTEE ON SMALL BUSINESS
                      
                             UNITED STATES
                             
                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED FOURTEENTH CONGRESS

                             FIRST SESSION

                               __________

                              HEARING HELD
                              
                             APRIL 22, 2015

                               __________


            Small Business Committee Document Number 114-009
              Available via the GPO Website: www.fdsys.gov
              
              
                                  ________
                                  
                        U.S. GOVERNMENT PUBLISHING OFFICE 

94-346 PDF                     WASHINGTON : 2015 
-----------------------------------------------------------------------
  For sale by the Superintendent of Documents, U.S. Government Publishing 
  Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; 
         DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, 
                          Washington, DC 20402-0001            
              
                   HOUSE COMMITTEE ON SMALL BUSINESS

                      STEVE CHABOT, Ohio, Chairman
                            STEVE KING, Iowa
                      BLAINE LUETKEMEYER, Missouri
                        RICHARD HANNA, New York
                         TIM HUELSKAMP, Kansas
                        TOM RICE, South Carolina
                         CHRIS GIBSON, New York
                          DAVE BRAT, Virginia
             AUMUA AMATA COLEMAN RADEWAGEN, American Samoa
                        STEVE KNIGHT, California
                        CARLOS CURBELO, Florida
                          MIKE BOST, Illinois
                         CRESENT HARDY, Nevada
               NYDIA VELAZQUEZ, New York, Ranking Member
                        YVETTE CLARKE, New York
                          JUDY CHU, California
                        JANICE HAHN, California
                     DONALD PAYNE, JR., New Jersey
                          GRACE MENG, New York
                       BRENDA LAWRENCE, Michigan
                       ALMA ADAMS, North Carolina
                      SETH MOULTON, Massachusetts
                           MARK TAKAI, Hawaii

                   Kevin Fitzpatrick, Staff Director
            Stephen Dennis, Deputy Staff Director for Policy
            Jan Oliver, Deputy Staff Director for Operation
                      Barry Pineles, Chief Counsel
                  Michael Day, Minority Staff Director
                  
                  
                            C O N T E N T S

                           OPENING STATEMENTS

Hon. Steve Chabot
Hon. Nydia Velazquez

                               WITNESSES

Mr. Steve Grobman, Intel Security Group, Intel Corporation, Santa 
  Clara, CA
Mr. Todd McCracken, President, National Small Business 
  Association, Washington, DC
Mr. B. Dan Berger, President and Chief Executive Officer, 
  National Association of Federal Credit Unions, Arlington, VA
Dr. Jane LeClair, National Cybersecurity Institute, Excelsior, 
  Washington, DC

                                APPENDIX

Prepared Statements:
    Mr. Steve Grobman, Intel Security Group, Intel Corporation, 
      Santa Clara, CA
    Mr. Todd McCracken, President, National Small Business 
      Association, Washington, DC
    Mr. B. Dan Berger, President and Chief Executive Officer, 
      National Association of Federal Credit Unions, Arlington, 
      VA
    Dr. Jane LeClair, National Cybersecurity Institute, 
      Excelsior, Washington, DC
Questions for the Record:
    None.
Answers for the Record:
    None.
Additional Material for the Record:
    None.

 
  SMALL BUSINESS, BIG THREAT: PROTECTING SMALL BUSINESSES FROM CYBER
  
                                ATTACKS

                              ----------                              


                       WEDNESDAY, APRIL 22, 2015

                  House of Representatives,
               Committee on Small Business,
                                                    Washington, DC.
    The Committee met, pursuant to call, at 11:00 a.m., in Room 
2360, Rayburn House Office Building. Hon. Steve Chabot 
[chairman of the Committee] presiding.
    Present: Representatives Chabot, Hanna, Rice, Gibson, Brat, 
Hardy, Velazquez, Clarke, Meng, Lawrence, Adams, and Moulton.
    Chairman CHABOT. The Committee will come to order.
    I want to thank everyone for being here today. A special 
thanks to our witnesses for coming to share their insights and 
expertise with this Committee on the very timely and very 
important subject matter that we will be discussing here this 
morning.
    Cyber security is one of the most pressing but least 
understood challenges of our time. The American government, 
American businesses, and Americans themselves are attacked over 
the Internet on a daily basis. Sometimes they know; sometimes 
they do not. These attacks come from criminal syndicates, 
activists, and foreign nations. They are after intellectual 
property, bank accounts, social security numbers, and anything 
else that they can use for financial gain or for a competitive 
edge.
    The increasing number of attacks come as more people are 
using the Internet than ever before. In the past five years, 
global Internet traffic has increased more than fivefold, and 
in the next five years this number will triple. This is not the 
Internet of 1995 when most Americans simply got online to check 
their email. Today, we are using the Internet in increasingly 
innovative and practical ways. Some pay for coffee with their 
phones, request ride-sharing service to an exact location, 
stream live video, and even bank online.
    Just two years ago, the average amount stolen from small 
business bank accounts was around $7,000, and in just two 
years--last year--that nearly tripled to $20,000.
    This technology, and our use of it, is the underpinning of 
our modern economy and the foundation of our future. That is 
why we must address cyber security now, so that as a country 
and as the leader in the global marketplace we can operate 
without fear of attack. We need the peace of mind that we have 
adequately prepared, we are protected, and we are constantly 
learning and adapting and strengthening those systems to 
protect against cyber attacks.
    When hackers affect large corporations, it is a breaking 
news alert on television and probably on our smartphones. But 
the majority of cyber attacks happen at small businesses. In 
fact, 71 percent of cyber attacks occur at businesses with 
fewer than 100 employees. These are our family businesses and 
small manufacturers with fewer resources to combat security 
threats which make them even bigger targets. A cyber attack on 
a big box store will be reported by the media and probably dent 
their bottom line; an unreported attack on a small firm may put 
them out of business, and those Americans who work at that 
small business lose their jobs.
    So today, we are here to examine these issues through the 
lens of an everyday American. How do we protect ourselves and 
our businesses? Is it as simple as using a more complicated 
password, or does it require much more than that? And what is 
the appropriate level of the federal government's involvement 
in all of this? Not long ago, an enemy would attack us with 
bombs, or guns, or ammunition; today they use malware and 
Trojan horses.
    I look forward to hearing from our witnesses here this 
morning, and I now would like to yield to Nydia Velazquez, the 
ranking member.
    Ms. VELAZQUEZ. Thank you, Mr. Chairman.
    Over the past 15 years, the Internet and associated 
technologies have changed the way business is conducted. From 
the mobile banking apps on our phones, to the shopping 
experience offered by companies like Amazon, activities that 
once took place in corner stores now take place online. The 
Internet also affords America's 23 million small businesses a 
unique opportunity to sell their products not only across the 
country but around the world. Today, Internet shopping is a 
$319 billion marketplace, and the Census Bureau estimates 58 
percent of all U.S. shoppers will make an online purchase in 
the next year.
    As more consumers and businesses participate in ecommerce, 
protecting our financial information from cyber attacks is 
critical. Unfortunately, recent data breaches at Target, T.J. 
Maxx, and Home Depot compromised the financial data of millions 
of consumers and cost each company tens of millions of dollars 
in damages and lost sales. These breaches also expose the 
weaknesses of the current cyber security landscape.
    While these examples highlight some of the largest 
breaches, the small business community is not immune to the 
risks of a cyber attack. Over 40 percent of attacks are on 
companies with fewer than 400 employees, and nearly three-
quarters of small businesses report being targeted in the past 
year. Yet, 53 percent of small business owners claim that the 
high cost in both time and money to secure the business from 
cyber attacks was not justified by the threat. Unfortunately, 
the consequences of forgoing investment in proactive cyber 
security are high. The small business that loses customer 
information is punished twofold by the direct monetary toll of 
the breach and by the marketplace when customers leave. A data 
breach costs upwards of $200,000 per incident and surveys show 
20 percent of customers will immediately terminate their 
relationship with a compromised business. As a result, one study 
found that 60 percent of small businesses closed permanently 
within six months of a cyber attack.
    Clearly, cyber security should be a priority to protect our 
national security and economy. As we move forward, 
comprehensive reforms must balance a number of priorities, 
including being able to adapt to evolving technologies, 
preventing undue costs and regulations on small businesses, and 
protecting our sensitive information.
    During today's hearing, we will explore the critical issues 
facing small businesses that operate online. For millions of 
small firms, the Internet is critical to their success, yet 
fewer than 15 percent have plans in place to respond to a cyber 
attack. I look forward to hearing your recommendations to 
better educate and inform the small business community on cyber 
issues and how the federal government can facilitate a more 
robust and efficient cyber security environment.
    I would like to take this opportunity to thank all the 
witnesses for being here today. With that, I yield back.
    Chairman CHABOT. Thank you very much. The gentlelady yields 
back.
    If Committee members have opening statements prepared, I 
would ask that they submit them for the record.
    I would now like to inform our panel of the five-minute 
rule, which basically means you get five minutes to testify, 
and we will all have five minutes to ask questions. There is a 
lighting system. The green light will stay on for four minutes. 
The yellow light will come on to let you know you have a minute 
to wrap up. When the red light comes on, we ask that you finish 
up as close to that time as possible. We will give you a little 
bit of leeway but not a whole lot.
    And now we will introduce the panel. Our first witness will 
be Steve Grobman, who is the chief technology officer with 
Intel Security Group at Intel Corporation. In this role, Mr. 
Grobman sets the technical strategy and direction for the 
company's security business across hardware and software 
platforms. Mr. Grobman holds 20 U.S. and international patents 
in the field of cyber security, software, and computer 
architecture. He earned his bachelor's degree in Computer 
Science from North Carolina State University. We welcome you 
here this morning.
    Our second witness will be Todd McCracken, who serves as 
President of the National Small Business Association (NSBA). 
NSBA is the nation's oldest small business organization, having 
been founded all the way back in 1937. Mr. McCracken is a 
graduate of Trinity University with a B.A. in Economics. We 
welcome you.
    And our third witness will be B. Dan Berger, who is 
President and CEO of the National Association of Federal Credit 
Unions. Mr. Berger earned a Master's degree in Public 
Administration from Harvard University and a Bachelor of 
Science degree in Economics from Florida State University, and 
we welcome you here as well, Mr. Berger.
    I now yield to our ranking member to introduce our fourth 
witness.
    Ms. VELAZQUEZ. Thank you, Mr. Chairman.
    Dr. Jane LeClair is the chief operating officer for the 
National Cyber Security Institute at Excelsior College here in 
Washington, D.C., where she focuses on cyber security training, 
social engineering, and women in cyber. Previously, she served 
as dean of the School of Business and Technology at Excelsior 
College, and worked in the nuclear energy sector for over 20 
years. She is a vocal advocate for attracting and retaining 
more women in the technology fields and established the Dr. 
Jane LeClair Scholarship Fund for Women in Technology at 
Excelsior College in 2012. Dr. LeClair holds a number of 
degrees, notably an EdD from Syracuse University and a MBA from 
City University. Welcome.
    Chairman CHABOT. Thank you very much.
    Now we will hear from our very distinguished panel here 
this morning. Mr. Grobman, you are recognized for five minutes.

 STATEMENTS OF STEVE GROBMAN, CHIEF TECHNOLOGY OFFICER, INTEL 
 SECURITY GROUP, INTEL CORPORATION; TODD MCCRACKEN, PRESIDENT, 
NATIONAL SMALL BUSINESS ASSOCIATION; DAN BERGER, PRESIDENT AND 
CHIEF EXECUTIVE OFFICER, NATIONAL ASSOCIATION OF FEDERAL CREDIT 
    UNIONS; JANE LECLAIR, NATIONAL CYBER SECURITY INSTITUTE

                   STATEMENT OF STEVE GROBMAN

    Mr. GROBMAN. Good morning, Chairman Chabot, Ranking Member 
Velazquez, and other members of the Committee. Thank you for 
the opportunity to testify today. I am Steve Grobman, Intel 
fellow and chief technology officer for Intel Security Group at 
Intel Corporation.
    Intel is a world leader in computing innovation. The 
company designs and builds the essential technologies that 
serve as the foundation for the world's computing devices.
    Security, along with power-efficient performance and 
connectivity are key elements of our innovation efforts. As 
chief technology officer for Intel Security Group, I set the 
technical strategy and direction for the company's security 
business across hardware and security platforms.
    Intel and I appreciate the Committee's interest in the 
importance of protecting small business from cyber security 
threats. My testimony will focus on three main areas--the 
threat landscape and its implication for small business; how 
best practices and education can help small business; and how 
industry can deliver innovative security solutions to help 
small business.
    The threat landscape and specific implications for small 
business are very unique. Small businesses need to comprehend a 
wide-range of threats, including attacks from criminals, 
hacktivists, state actors, and bulk malware that we see 
targeting consumers. But they also have some very unique 
challenges. They typically have insufficient cyber defenses, 
thus becoming an attractive prospect for criminal actors, yet 
they make up a major portion of the GDP. The other element 
with small business is small business can act as a conduit or 
element of a larger breach focused on large enterprise or 
government.
    The latter example is not a hypothetical. Elements of a 
2014 major breach compromised a small business as one of the 
key elements to land on the network of a large enterprise and 
thus became a key factor in that enterprise's overall loss. 
Understanding how small business impacts supply chain and other 
elements of large business and government is something that we 
must comprehend when looking at small business.
    Attacks are not only technological; they take advantage of 
both social engineering and a wide range of attacks on varying 
platforms from PCs, mobile devices, new cloud architectures, 
embedded devices, and even hardware.
    The challenge with cyber security defense is that the 
attack has an inherent advantage. It is an asymmetric 
environment where a targeted attack against a small business 
gives the advantage to the attacker. The attacker understands 
what tools and defensive measures are deployed generally at 
small business. They also understand that the pragmatic cost 
constraints of a small business will be such that they cannot 
afford the same degree of a cyber-operation staff that you 
would see in some large enterprises or governments. But the 
most profound reason that we see the asymmetry in the attack 
advantage being to the attacker is the attacker only needs to 
be right once, whereas, to defend against cyber attacks, you 
need to be right always. And this is extremely challenging, 
especially in a small business environment.
    To counteract the cyber security risks of small business, a 
few key actions need to be taken. Small business, along with 
all enterprise, need to be thinking about how security evolves. 
The concept of protection against all cyber threats is not 
possible today, and we need to shift our thinking to more of a 
thought process that cyber attacks will occur and be able to 
not only defend against them but detect them when they occur 
and correct back to a known good state. This concept of not 
only comprehending protection but detection and correction is 
key to the way the industry should develop our next generation 
of architectures.
    It is also important that we understand education for all 
organizations, regardless of whether you are a small business 
or a large enterprise. A key educational tool is the cyber 
security framework, which Intel has been a proponent of and has 
been a strong advocate in integrating into its own systems.
    The final point that I would like to make is new 
technologies are at the cusp of enabling small businesses to be 
successful in the emerging threat landscape. Things such as 
software as a service and cloud, and we will see small 
businesses shifting to these types of technologies as we move 
forward.
    Thank you again for the opportunity to address the 
Committee. I will be happy to answer any questions as well.
    Chairman CHABOT. Thank you very much.
    Mr. McCracken, you are recognized for five minutes.

                   STATEMENT OF TODD MCCRACKEN

    Mr. MCCRACKEN. Thank you, Mr. Chairman. It is good to be 
here this morning. Thanks for inviting me. Thank you, Chairman 
Chabot, Ranking Member Velazquez, and the rest of the members 
of the Committee, to be here to testify on the impact of cyber 
security and credit card fraud issues on the health and growth 
potential of millions of small businesses.
    I want to focus today a little bit on the overall threat of 
cyber security on small companies, but then also focus a little 
bit more specifically on the credit card issue since there is a 
lot of talk about small companies and the conversion to EMV and 
the liability shift this year that probably is worthy of a 
little bit of attention.
    In the last few years, cyber security has emerged as a 
significant problem and concern for the small business 
community. By the end of 2014, according to our Year-End 
Economic Report, fully half of small companies reported having 
been the victim of a cyber attack (up from 44 percent in 2013). 
And of those, 61 percent say an attack has occurred within the 
last year.
    While a 14 percent increase in the number of small 
businesses becoming victims is significant, we believe the real 
story is the increasing impact those attacks are having on 
small businesses in terms of the interruption of normal 
business operations and the direct financial cost of the 
attacks.
    In 2013, only 12 percent of companies reported that the 
resolution of the cyber attack required more than one week; by 
late 2014, more than one in five such attacks were still 
unresolved in one week, with 13 percent of them requiring more 
than two weeks. Three in five companies experienced a service 
interruption, and a third had their websites go down for some 
period.
    A significant problem for small companies, as Mr. Grobman 
just talked about, is many small companies are not in a 
position to have a dedicated IT department, and many either 
outsource IT functions or assign such duties to an employee who 
has other responsibilities, often the owner him/herself. You 
can read the results for yourself. We found in our surveys, 
significant numbers of companies, between 25 and 40 percent in 
the last four years, report that the owner him/herself is the 
primary technical support person. They do it themselves, in 
addition to being the chief marketing officer and chief product 
development officer and everything else. And so this is an 
enormous constraint on how they can respond.
    And in the case of another significant share of companies, 
they outsource the IT function to some other company. Of 
course, the difficulty there is these small businesses, in the 
event of a crisis, those smaller clients typically are not the 
first priority for those IT firms. They have other clients, and 
some of the bigger clients pay them more money will get a 
quicker response. So those are unique challenges for small 
companies.
    The big eye opener in our last survey is the increasing 
cost of these cyber attacks. We look specifically at what money 
had been stolen from them from bank accounts, and we found in 
two years the amount that was stolen went from about $7,000 to 
about $20,000 on average, a 188 percent increase in that amount 
of time, which is staggering. We think that is largely the 
result of not only the increase, the total increase in the 
amount of phishing scams out there, and malware, but also the 
increasing effectiveness of those. They have become much more 
real to people. They believe them in a way that they did not 
two or three years ago for a variety of reasons.
    So this is clearly a national problem, and these attacks 
are coming from outside the country. We have got to find a way 
to limit those attacks, while increasing the education of small 
companies on how to avoid them.
    The next issue I want to talk about briefly is credit cards 
and small companies. Various forms of credit card fraud have 
become more prevalent. We see this in the desire to shift to EMV or 
the chip-based cards. This October 1st we are going to see a 
shift in liability for credit card fraud, whichever company has 
the least advanced technology essentially. So if you do not 
have an EMV reader, then the company could be liable.
    So those companies really have to think about what kind of 
charges they actually have, what kind of company they run, what 
kind of products they sell, who their customers are, do they 
know their customers, to decide if they need to invest now in 
those more up-to-date readers or whether they will not see a 
significant increase in fraud if they stay where they are now. 
But we clearly think that shifting to a more secure credit card 
environment ultimately has got to be the solution for overall 
credit card fraud because we do not think relying on magnetic 
stripe technology is likely to be our future; we have to make the 
shift and make it fairly quickly because there are too many 
incentives to shift that data there.
    So again, with those highlights, you can read the rest of 
my statement as it is written, but I appreciate the time to be 
here today. I stand ready to answer your questions when it is 
time. Thank you.
    Chairman CHABOT. Thank you very much.
    Mr. Berger, you are recognized for five minutes.

                    STATEMENT OF DAN BERGER

    Mr. BERGER. Good morning, Chairman Chabot, Ranking Member 
Velazquez, Members of the Committee. My name is Dan Berger, and 
I am testifying today on behalf of the NAFCU, where I serve as 
president and CEO.
    NAFCU and our member credit unions, small businesses 
themselves, appreciate the opportunity to testify before the 
Committee today on cyber and data security. Cyber and data 
security needs to be everyone's responsibility. More can and 
must be done to protect small businesses and consumers on this 
very important issue.
    NAFCU has long supported comprehensive and cyber security 
measures to protect consumers' sensitive data. Credit unions 
and other financial institutions already protect data 
consistent with the provisions of the 1999 Gramm-Leach-Bliley 
Act. Unfortunately, there is no similar regulatory structure 
for other entities that may handle sensitive personal and 
financial data.
    Gramm-Leach-Bliley, in its implementing regulations, has 
successfully limited data breaches among financial 
institutions. This standard has a proven track record and 
should be recognized in any future requirements. Gramm-Leach-
Bliley requires financial institutions to address the risks 
presented by the complexity and scope of their business. This 
allows flexibility, ensures the regulatory framework is 
workable for the largest and smallest financial institutions. 
Gramm-Leach-Bliley is an example of how scalability is 
achievable for varying sized businesses.
    A data security breach can have a huge impact on consumers, 
from waiting for new cards to be issued, to updating all 
existing accounts connected with a compromised card. Breaches 
can also result in fraud losses, damaged credit ratings, and 
even identity theft. Over 23 percent of Americans had their 
financial identities compromised by a data breach in 2014.
    A recent survey of NAFCU-member credit unions found that 
the respondents were alerted to potential breaches an average 
of 164 times in 2014, a huge increase from 2013. It is 
important to remember when credit unions are alerted to 
breaches, they take action to respond to their members and to 
protect their members. Our survey also found that in 2014, the 
average credit union spent $136,000 on new data security 
measures, in addition to spending $226,000 in costs associated 
with merchant data breaches. The three main elements of these 
costs were card reissuance, fraud losses, and account 
monitoring. Ultimately, this takes away from providing other 
services and products to their members.
    Smaller credit unions, such as Diebold Federal Credit Union 
in North Canton, Ohio, are especially feeling the impact. Since 
the beginning of 2014, Diebold has had over $32,000 in losses 
from data breaches from retailers. While that might not seem 
like much, for a small business like them, it is a huge burden 
on that institution.
    Unfortunately, credit unions rarely see any reimbursement 
for these costs. Even when there are recoupment opportunities, 
such as the recent Target settlement with MasterCard, it is 
usually only pennies on the dollar in terms of real costs and 
losses incurred.
    Recognizing that a legislative solution is a very complex 
issue, NAFCU has established a set of guiding principles we 
would like to see in data security legislation including 
reimbursement of all costs by the breach entity, national 
standards for safekeeping of consumer information, breach 
notification to financial institutions, disclosure of the 
breached entity to consumers, and of course, enforcement of 
data retention prohibitions.
    Enforcement of the prohibition on data retention cannot be 
overstated. It is a common sense way to cut down on emerging 
threats. If there is no financial data to steal, it is not 
worth the effort of the cyber criminals. In essence, if there 
is no treasure, there is no pirate.
    NAFCU believes that a possible solution on this issue is a 
bipartisan legislation introduced by Senators Blunt and Carper. 
Their bill, the Data Security Act of 2015, sets a strong 
national data security standard based on Gramm-Leach-Bliley 
that would be extended to all entities who handle consumer 
data. We urge the House to take a similar approach.
    We would also like to recognize and thank the House 
leadership, as well as this Committee, for the ongoing focus on 
cyber and data security issues, including the cyber bills you 
have on the floor this week. A safer system ultimately benefits 
all participants, including consumers, financial institutions, 
and of course, small businesses.
    Thank you for the opportunity to appear before you today on 
behalf of NAFCU. I welcome any questions you may have.
    [The statement of Mr. Berger follows:]
    Chairman CHABOT. Dr. LeClair, you are recognized for five 
minutes.

                   STATEMENT OF JANE LECLAIR

    Ms. LECLAIR. Mr. Chairman and members of the Committee, on 
behalf of the National Cyber Security Institute at Excelsior 
College, I appreciate the opportunity to address you and 
provide a statement for today's hearing. The National Cyber 
Security Institute is dedicated to increasing knowledge in the 
cyber security discipline and assists small businesses to 
better understand and meet the challenges in today's digital 
world. My name is Dr. Jane LeClair, and I am the chief 
operating officer of the National Cyber Security Institute 
located in Washington, D.C.
    Small businesses are challenged both by the ability and the 
desire to secure themselves against cyber threats, which makes 
them uniquely vulnerable to cyber attacks. Fifty percent of 
small businesses have been the victims of cyber attack and over 
60 percent of those receiving a significant attack go out of 
business. Often, small businesses do not even know they have 
been breached until it is too late. Small businesses are under 
attack from many avenues, including social engineering, the 
Internet of things, insider threat, weak passwords, and cyber 
theft through weak payment systems. Mobile devices and the lack 
of formal cyber plans and policies spell trouble. Infections 
brought in through browsers pose a threat, and finally, 
outdated technology and poor maintenance top the list of 
problems.
    Small businesses are characterized by central management 
focused around the owner, with lack of a specialized IT or 
cyber staff, inadequate control systems, and day-to-day, rather 
than long-term planning for asset protection. Almost 70 percent 
of small businesses manage their own websites, use the Internet 
for sales, social media, marketing, and a host of other needs. 
Small businesses have resource constraints and often ignore 
cyber security in favor of day-to-day operations or other 
financial needs.
    Yet, small businesses remain a gateway to gain access to 
clients, business partners, donors, and contractors working 
with the small business, a backdoor into many large 
organizations. These organizations frequently lack the 
knowledge to develop and implement a cyber-policy or the 
expertise to develop a response strategy. Surprisingly, 96 
percent of the attacks on small businesses were fundamentally 
basic attacks. Small businesses need employees trained in 
networking, operating systems, and multiple layers of security. 
Otherwise, who is watching for the signs of an attack and 
making sure the operating systems are properly patched? Who is 
responsible for regular backups and reviewing system logs?
    There are several ways that the National Cyber Security 
Institute is offering assistance to the small businesses. An 
affordable package that provides a targeted cyber security 
plan, basic training for owners, IT staff and employees, and 
ensures that the basics of antivirus software and firewall 
protection are in place is under development. Our media 
campaign raises awareness through quarterly webinars and weekly 
blogs. The National Cyber Security Institute is publishing two 
short books on cyber security for small business and cyber 
insurance, and is partnering to offer a small business workshop 
in medium-sized cities around the country that is affordable 
and aimed at small business owners and their IT staff.
    Cyber security is without a doubt one of the prime concerns 
of the small business community in America today. The efforts 
of this Committee in seeking ways to help alleviate those 
concerns cannot be understated.
    Mr. Chairman and members of this Committee, thank you for 
your interest in this important area, and I thank you for the 
opportunity to address you today.
    Chairman CHABOT. Thank you very much. We want to thank all 
the witnesses for their very excellent testimony here, and I 
will recognize myself for five minutes now to begin the 
questioning.
    I will begin with you, Mr. Grobman, if I can. I appreciated 
your comment particularly about the attackers only have to be 
right once and we, the business community, have to be right 
every time or you are going to undergo some serious damage. You 
heard that a lot after September 11th, too, in dealing with 
overall terrorism. We have to be very secure all the time and 
it only takes a terrorist one time to really wreak havoc and I 
think that is certainly the case here because this is really a 
form of terrorism in many ways.
    Could you kind of walk us through the various stages of a 
modern cyber attack on, say, a small business, for example?
    Mr. GROBMAN. Sure. What would typically happen is if it is 
a targeted attack, they would focus first on what we call 
reconnaissance. So understanding what capabilities the small 
business is actually running so that they can craft an attack 
that would be able to be successful in that environment. Once 
they have that information, they can customize a capability 
that would be able to work through standardized defenses if the 
small business has them in order to get into the environment 
and then they focus on perpetrating whatever their actual 
objective is, typically the theft of information or in the case 
of either hacktivism or nation state, it might be more of a 
destructive nature. So it is really a well-formed set of steps 
that is well understood by the attack community on how to 
perpetrate such an attack. The thing that is unique here is it 
can be customized for the target, which makes it very difficult 
to protect with standard technology.
    Chairman CHABOT. Thank you very much.
    Mr. Berger, let me turn to you. On behalf of the credit 
unions, you know, as far as the banking community, are the 
attacks that you see on the credit unions similar to what you 
see in say the community banks? Are there similarities? Are 
there differences? What would you say?
    Mr. BERGER. The attacks that we are seeing are very similar 
across the board. It does not matter what size the entity is. 
It is the old phrase, ``they attack where the money is.'' But 
because we have Gramm-Leach-Bliley, we have some serious 
protocols in place that we have to deal with as a financial 
institution to make sure that the consumer's information is 
protected. But the attacks are the same, no matter what size 
the entity is.
    Chairman CHABOT. Thank you.
    Mr. McCracken and Dr. LeClair, I will address the next 
question to the two of you. What steps are being taken to level 
the playing field to more effectively defend against cyber 
attacks, and how important is information sharing to those 
efforts? Either one of you.
    Ms. LECLAIR. I would say information sharing is key today. 
We cannot silo ourselves, and we need to work both jointly with 
government and private industry to ensure the information is 
shared and that we are able to protect as we need to.
    Chairman CHABOT. Thank you.
    Mr. McCracken?
    Mr. MCCRACKEN. Yeah. I agree with that. It is very 
important to get the information out there so that companies 
can understand what the real threats are and how they can 
protect themselves. And then share it up within the supply 
chain. We think there is a significant role that various 
members of the supply chain need to play in helping each other 
deal with these attacks because it is very clear that all those 
companies are interlinked.
    Chairman CHABOT. There are various things that we, as 
members of Congress, and our staff deal with in trying to keep 
attacks--cyber attacks on the government. Such things as 
changing our passwords, and they have improved the passwords so 
it is a little harder to get them in and you have to remember 
them with a little more difficulty. It cannot just be your 
cat's name or your dog's name and that sort of thing. You have 
got to put question marks after the cat's name now or whatever. 
So it is a bit more complicated.
    And they are also changed periodically, and I do not 
necessarily want to give out government secrets here as to how 
often we have to change them, but it was a certain number of 
months, and now that has been shortened to a fewer number of 
months. What is the private sector doing along those lines, and 
what would you recommend to small businesses in that area?
    Mr. Grobman?
    Mr. GROBMAN. Chairman, I think one of the things that Intel 
Security is investing in is solving or helping to provide key 
assets for this problem by making biometrics available to a 
much broader audience, including small business and consumers. 
So when you prove that you really are you to another entity, 
you are doing it not just with a password, which can be 
transferred to somebody else, but you actually need to use 
something like facial recognition in order to do that. And I 
think as these technologies become more consumable, they will 
be a key part of the strategy to solve the problem you 
articulate.
    Chairman CHABOT. Thank you very much.
    Just for the record, we do not have a cat. We have a turtle 
and I am not going to tell you what his name is.
    I will now yield to the ranking member for five minutes.
    Ms. VELAZQUEZ. Thank you, Mr. Chairman.
    Dr. LeClair, as we heard today, financial data security is 
becoming a priority for small businesses, given the fact that 
more small businesses are offering online mobile buying 
options. Many of the firms, as Mr. McCracken stated, cannot 
hire an IT staff. Can you elaborate on the cyber security 
package that NCI is working on or developing to offer small 
businesses that opportunity?
    Ms. LECLAIR. One of the things that we have under 
development is a package that would work for small businesses 
because of the financial constraints they have. That package 
would allow them to get the basic training for the organization 
owner, as well as their employees. But special training if they 
have their own IT person, or if they have another person in the 
organization who they have selected to do their IT work, to 
give them the basic training they need to be able to know about 
to secure their systems. Ensuring that they have basic anti-
virus firewall protection as well, and that they are able to 
develop a policy with us. We have a template, basically a 
starter template for them that we would work with them to 
develop their policy, as well as a risk assessment plan for 
them. So kind of an all-in-one package for them to be able to 
work with.
    Ms. VELAZQUEZ. Thank you.
    How important do you think it is to create national 
notification standards to replace the existing 49 separate 
state laws governing breach notification?
    Ms. LECLAIR. We feel that is very important. We have spoken 
about that a couple of places because right now there are 47 
states that have different rules and policies. The ability to 
clarify for organizations the overall requirements would not 
only simplify but it would allow people to better be able to 
know what they have to do in that timeframe. In some people's 
case they feel it will be difficult to meet, but I think 
overall in a short time people will adjust and it will help us 
in the long term.
    Ms. VELAZQUEZ. Thank you.
    Mr. Grobman, there has been much emphasis recently on cloud 
computing, and this new model is gaining great traction within 
the business community and the government. How does cloud 
computing impact cyber security, particularly for small 
businesses?
    Mr. GROBMAN. So cloud computing is a major asset to helping 
small business, both as providing the means to execute 
functions that they are ill-equipped to do as a traditional IT 
organization would, especially in the area of cyber security 
defense, cloud computing, and specifically what we call 
Software as a Service allows a service-based capability to 
provide security solutions to a small business.
    In our submitted testimony, we gave an example where the 
City of Kenosha with an IT staff of three is able to use a 
cloud-based solution to provide email protection for all of its 
government workers, and I think that is a good example of how 
cloud technology can be a key asset to small business.
    Ms. VELAZQUEZ. Thank you.
    Mr. Berger, many small businesses have been quite critical 
of the high interchange fees charged by credit card issuers. We 
have seen or we have been told that these fees were needed to 
cover not only the cost of processing transactions but also to 
cover the cost of fraud, theft, and data breaches. With the 
U.S. scheduled to move to the more secure chip and pin 
technology in October, do you expect interchange fees to come 
down?
    Mr. BERGER. Interchange fees were created before it was 
capped, to create the rails, to invest in the rails and the 
technology, as well as for fraud recoupment. Now that there is 
a cap on interchange fees, that is not the case for fraud 
prevention. And so I do not think the interchange fees will go 
down because there is no recoupment for financial institutions 
any longer with the cap.
    Ms. VELAZQUEZ. Okay. Thank you.
    Mr. McCracken, it is often hard to persuade small firms to 
spend money without seeing an immediate return. So what do you 
think we need to do in order to get more small businesses to 
understand the importance of investing in cyber security?
    Mr. MCCRACKEN. Well, there are a number of different 
fronts. One is on the credit card front, I think when they 
start seeing more chip-based cards, many more of them will 
begin investing in readers to use them rather than the other 
way around, which is unfortunately the way it seems to have 
been pursued so far. And on larger cyber security, I think 
education is everything. And I think that larger companies who 
do business with smaller companies have a significant role to 
play in helping and educating them figure out how to implement 
some of these services. And also, education on the 
implications, because it is true that one mistake from a small 
company can be devastating for them.
    Ms. VELAZQUEZ. Thank you, Mr. Chairman.
    Chairman CHABOT. Thank you. The gentlelady's time is 
expired.
    The gentleman from New York, Mr. Hanna, who is the chairman 
of the Subcommittee on Subcontracting and Workforce is 
recognized for five minutes.
    Mr. HANNA. Thank you all for being here. And thank you, 
chairman.
    I want to ask about not just responsibility to protect 
one's system but liability as to moves across what the staff 
calls like a chain. The Internet is comprised of technology 
links that are dependent upon each other. Is it incumbent upon 
a bigger organization to help a smaller organization? And what 
do you see for the future of that? Because clearly, the 
perception of risk vis-a-vis liability varies across 
industries, and willingness to provide support to protect 
oneself varies on the individual and their means. So, so much 
of this is subjective, yet because of its interconnectedness, 
it is all critical.
    So Mr. Grobman, you talked about the cloud and how that 
offers. If everybody would like to speak to that, if that is a 
fair question.
    Mr. GROBMAN. Sure. I think it is key for large enterprise 
to understand the implications that a breach to a small 
business supply chain or supplier would have, and there are key 
steps large business can take to help small businesses in this 
manner. One key example is advocacy and linkage to things like 
the cyber security framework as a part of supplier guidelines.
    Mr. HANNA. You say advocacy. What about demand? I mean, 
there must be a point at which somebody says if you do not do 
this, we cannot do business with you.
    Mr. GROBMAN. Sure. I think understanding the risk profile 
of a supplier is a reasonable thing for a large business to do, 
and having a common language to understand and describe risk is 
something that the cyber security framework can help 
facilitate. So I think it is those sorts of communication 
interactions that can help large business assess the risk of 
using various suppliers.
    Mr. HANNA. How do you feel about that, Mr. McCracken, being 
a representative of small businesses, being demanded to do 
that?
    Mr. MCCRACKEN. Well, on the one hand I think that is a way 
forward because that, as I discussed before, the supply chain 
issues are real and we have to have ways of both educating and 
also helping those smaller companies by giving them incentives 
beyond--maybe something might happen later, which we are facing 
now.
    Mr. HANNA. Yeah, punitive stuff.
    Mr. MCCRACKEN. I think the danger to keep in mind is that 
what you do when you do that is you begin to restrict some of 
those possibilities for companies that are trying to grow, 
because if you do not--if what we are already seeing is larger 
companies saying, look, if you do not have X capabilities, do 
not even send us--do not even apply to do business with us. I 
think that is a mistake, because what you are going to see is 
larger and larger companies all working together. What I would 
like to see is for those companies to put in standards that 
once you are a vendor of ours, here is how we are going to work 
together to get you to this point. That, I think, would be much 
more productive and really help smaller companies grow to the 
point they need to be.
    Mr. HANNA. Mr. Berger?
    Mr. BERGER. As part of Gramm-Leach-Bliley's implementation 
rules, we are required to ensure that third-party vendors are 
up to speed and the NCUA examines for that.
    Mr. HANNA. Ms. LeClair?
    Ms. LECLAIR. I do not disagree with anything that the other 
folks have said. What I do see as very difficult is for small 
businesses and any organization to know what to use, and coming 
from a commercial nuclear power background, it was not until 
the Institute of Nuclear Power Operations came into being that 
there was an organization that fully structured what was 
happening in that industry. So in some ways, yes, I agree, and 
in others I see that you need some definitive, as you said, 
organization to make that happen.
    Mr. HANNA. Thank you.
    Mr. Grobman, I have a minute and a few seconds here. I want 
to ask about mobile devices.
    Mr. GROBMAN. Sure.
    Mr. HANNA. Given the ubiquitous nature of that, how do you 
deal with that?
    Mr. GROBMAN. I think mobile devices are both a key benefit 
in cyber security. They have been developed more recently and 
have had the opportunity to redesign the underlying software 
architecture to put individual applications into sandboxes. So 
I think that is a very positive aspect.
    The flip side of it though is mobile devices are also 
generally more closed where the security industry has 
challenges in looking at the information of what is going on on 
a mobile device. So when we look at a modern way to do 
detection of an advanced attack, it is really about 
understanding the data that is coming out of your environment 
as far as different events, and the mobile devices do not lend 
themselves very well to that. So mobile is still a fairly new 
area relative to other capabilities and is something we are 
looking at very closely.
    Mr. HANNA. Thank you very much.
    My time is expired.
    Chairman CHABOT. Thank you. The gentleman's time is 
expired.
    The gentlelady from North Carolina, Ms. Adams, is 
recognized for five minutes.
    Ms. ADAMS. Thank you, Mr. Chairman. Thank you, Ranking 
Member Velazquez. And thank you to the speakers for your 
insightful remarks.
    And, of course, this is a critical issue and I think about 
collaboration as I think about this. And my question, Dr. 
LeClair, to you, are credit unions and community banks working 
hand-in-hand with the small business industry to develop the 
financial resources that help protect the assets of small 
businesses as well as the investments of financial firms from 
the effects of a cyber attack?
    Ms. LECLAIR. Are they working, was that your question?
    Ms. ADAMS. Yes. Yes. I mean, is there a collaboration in 
terms of the banks and the businesses?
    Ms. LECLAIR. Yes. The collaboration that is out there is 
what we need to have and continue to have in order to be able 
to not only be prepared but to recover.
    Ms. ADAMS. Is it working, in your opinion?
    Ms. LECLAIR. I think that we have a ways to go still.
    Ms. ADAMS. Okay. All right.
    Protecting the businesses, of course, is crucial, but it is 
also costly, especially when we talk about small businesses. 
And most of the insurance that small businesses have does not 
actually cover cyber attacks. What can we do to encourage that?
    Ms. LECLAIR. Again, from the standpoint of if you are 
talking cyber insurance----
    Ms. ADAMS. Right. And investing in it.
    Ms. LECLAIR. And investing, yes, I do not think that small 
businesses really have any clear understanding of cyber 
insurance and what the capabilities are for them. I think it is 
a new area that is being developed. One of the reasons we are 
writing a book is to be able to give that to small businesses 
so they can understand what the options are out there for them 
and what they can expect from it.
    Ms. ADAMS. Thank you.
    Mr. McCracken, can you comment on it?
    Mr. MCCRACKEN. Well, I do think it is worth noting that 
many very small companies are run by people who, you know, they 
are at the nexus of the individual and the business world. They 
see--these are very small companies I am talking about now--as 
extensions of themselves. And they are often very surprised to 
find out that their business bank accounts do not have the same 
kinds of protections that a consumer or personal account might 
have. And so when they are the victim of some sort of phishing 
scheme and their money is just gone, they initially often 
expect, well, I will go to the bank and we will get this fixed, 
like I know my neighbor did. And in fact, if it is a business 
account, that is simply not the case in many cases because they 
operate under different standards and they have different 
levels of protection. So I think that is something that we may 
need to address. And it is certainly something that we need to 
educate more small companies about in the first place because 
they do not understand it.
    Ms. ADAMS. Okay. I was going to follow up with a question 
about the technological sophistication that was necessary, and 
I think you have probably answered that.
    But Mr. Grobman, would you like to comment?
    Mr. GROBMAN. Sure. I think one of the important things on 
the education side for small business is we can simplify some 
of the critical questions to something every small business can 
understand whether they are running security operations for 
themselves or relying on others. Even simply asking the 
questions of how would I be able to detect if a breach has 
occurred and what would my plan be to get back to a known good 
state after a breach, those are things that I think, 
unfortunately, many small businesses do not think about. They 
understand the threat of cyber security is real but they are 
maniacally focused on protecting without thinking about the 
other elements. And I think just the simple education things 
are key things that we need to do as a partnership.
    Ms. ADAMS. Okay. Mr. Berger would you comment, please?
    Mr. BERGER. Yes, ma'am. We completely agree. I think 
education is a very important component because some of the 
cyber experts, when they are looking at it from a forensic 
standpoint, they say 80 percent of credit card fraud and data 
breaches could be prevented by some simple things that the 
chairman actually talked about--updating the patches, doing the 
downloads that are necessary, and changing your passwords on a 
regular basis. Something like 80 percent of those breaches 
could be stopped. So it is an education component for that as 
well.
    Ms. ADAMS. Proactive?
    Mr. BERGER. Yes, ma'am.
    Ms. ADAMS. Thank you very much.
    Mr. Chairman, I yield back.
    Chairman CHABOT. The gentlelady yields back. And I 
apologize for having to leave. I had to change my password.
    The gentleman from Nevada, Mr. Hardy, who is the chairman 
of the Subcommittee on Investigations Oversight and Regulations 
is recognized for five minutes.
    Mr. HARDY. Thank you, Mr. Chairman.
    Mr. Grobman, you mentioned that small and medium businesses 
are just as vulnerable to the same as the sophisticated cyber 
security threats as large corporations. Although small 
businesses are vulnerable as large corporations, do you think 
that the susceptible threats to emphasize or do you believe 
that the cyber criminals are only targeting small business 
because they know that they do not have cyber security? Or 
would these cyber security criminals only focus on the large 
corporations due to their financial benefit?
    Mr. GROBMAN. I think what we see is adversaries go after 
targets that will most effectively meet their objectives. If 
their objective is to generate money, they will look at is it 
more valuable to breach a large company and steal a mega 
database or target many small businesses and breach many of 
them? And I think we see both happening per the data that we 
cite. So it is not ``one size fits all'' and that is one of 
the reasons why it is critical that all organizations think 
about cyber security because it is really about the objectives 
of the adversary.
    Mr. HARDY. Thank you.
    Mr. McCracken, with that being said, you mentioned that the 
EMV will be costly to small businesses for replacing that 
equipment and training for the employees on how to use that. I 
understand your concern for that small business owner, these 
costs, but do you not believe that the cost is insignificant in 
comparison to the loss to the consumer and the potential that 
it may impact that small business in maybe losing business 
competition by not implementing those standards?
    Mr. MCCRACKEN. Well, what is going to go into place October 
1st is a shift in liability. So if they do not have a chip card 
reader and that kind of card comes in and it is fraudulent, 
they are on the hook rather than the issuing bank. Our point 
was there are many small companies that simply do not have the 
kind of customer base where they are subject to that kind of 
fraud. If you are a deli and all you are selling are sandwiches 
and sodas on credit cards, the odds that someone is going to 
take a stolen credit card number and come in to your shop and 
buy a whole bunch of sandwiches is probably pretty remote. 
Also, if you know all your customers personally, then you are 
probably not at very much risk for that fraud. But if you sell 
high-dollar electronics or jewelry and you do not know who your 
customers are, you had better switch to the EMV system as soon 
as possible because you are going to be on the hook for those. 
That is really our point. But we want to get to the point 
really where mag stripe cards do not exist at all anymore. We 
think that really is the ultimate solution because right now we 
have these kinds of cards that are very easy to put fraudulent 
data on and go out and use, and so long as those exist, we 
think cyber criminals are going to find ways to get that data, 
if not this way, then that way. And we can patch this and it 
will pop up over here. We have got to get to a point where we 
have only chip-based cards.
    Mr. HARDY. Thank you.
    Mr. Berger, I appreciate your statement when you just 
stated that cyber security is everybody's responsibility. I 
believe that is the truth. Also, you state that the United 
States Government is identifying malicious actions in their 
networks and preparing to monitor program that strengthen their 
areas. I guess the question is, the private sector, you see the 
expansion and the growth of things like LifeLock and other 
businesses growing out of this challenge that we are having to 
help the small businesses, or will that be a benefit at all to 
them?
    Mr. BERGER. I think any improvement in technology that 
prevents cyber fraud is fantastic and it is welcomed. But when 
you have the entire payment ecosystem, if you have the 
financial institutions, the payment processors, the payment 
networks all doing a pretty darn good job in protecting 
people's personal and financial data, the cyber criminals 
attack the weakest component of that ecosystem. And so from our 
standpoint, we still think there needs to be a national 
standard at a minimum, not on an equal basis but on a flexible 
basis because I am not talking about the small mom and pops 
where you get your Yoo-Hoos and your Slim Jims from, but some 
of the larger retailers, it is flexible and it should be 
scalable, but there needs to be some set standard to hold 
people accountable for that kind of stuff.
    But back to your original question, we do like technology 
and we welcome any technology that prevents the bad guys from 
winning.
    Mr. HARDY. And I guess my last question maybe to one or all 
of you is just what are we doing together as a collaborative 
group here, along with the federal government, to assure this 
can happen in a quick, safe manner, because expediency is of 
real importance.
    Ms. LECLAIR. I think from going back to the original 
question, we keep going to the 10 percent. If you think of the 
90/10 rule where 90 percent of the issues revolve around 
people, we focus a lot of our time on the 10 percent, which is 
the technology. So I think we have to continue to think of the 
90 percent and how we are going to educate people because they 
are in every piece and part of what we talk about.
    Chairman CHABOT. The gentleman's time is expired.
    Did any other witnesses want to answer that?
    Mr. Berger?
    Mr. BERGER. Yeah. Just real quickly.
    This being Washington, D.C., there are probably 35 
coalitions working on this issue right now here, so. There is a 
collaborative effort amongst merchants, financial institutions, 
as well as the payment networks.
    Chairman CHABOT. That is great to hear. Thank you. Thank 
you very much.
    The gentlelady from New York, Ms. Meng, is recognized for 
five minutes.
    Ms. MENG. Thank you, Mr. Chairman. And thank you to our 
witnesses for being here and helping us learn more about this 
newer and important topic.
    My question is in relation to the SBA and many of the 
resource centers and locations that they have throughout the 
U.S., and particularly in my home county and borough of Queens, 
New York. What more can the SBA do, whether it is training, 
increasing awareness? And are there any incentives, financial 
incentives that might be helpful for small businesses to 
encourage them to have these plans in place?
    Anyone can answer.
    Ms. LECLAIR. I can start out. I think one of the things 
that we could work on is perhaps grants for small businesses in 
order to upgrade their security and train their staff. Those 
would be a quick start to get us there.
    Mr. GROBMAN. I think one of the other things is the very 
nature of cyber security is that it changes very rapidly and it 
is very difficult to use static policies to really resolve the 
core issues. The SBA has a strong relationship with small 
business and it is structured well to comprehend the rapid 
change in the evolving landscape. And looking at it from that 
perspective may be a key area of focus.
    Mr. BERGER. And if I may add, the SBA actually has done a 
pretty good job in creating recently some workshops and modules 
in small business that deal specifically with cyber and data 
security and do some of the components to protect their 
business.
    Ms. MENG. Do you think there are additional measures that 
the SBA or federal government can take in addition to what they 
are already doing? Maybe working or collaborating with law 
enforcement? Is that something we should see more of in 
relation to small businesses?
    Mr. MCCRACKEN. One suggestion I have is actually helping 
us to sharpen the focus on the problem because, of course, when 
you talk about it today, when we say small business, we are 
talking about all different kinds of companies in various 
stages of development, different supply chains, different 
industries, different access to data. I really think that one 
role some centralized agency, perhaps the SBA could play is to 
try to define the nature of various threats and the kinds of 
companies that might face them the most and try to figure out 
how we can focus our efforts. Instead of saying outreach to 
small business, let us talk about what do we need to do with 
this type of retailer or someone who has access to health 
records. And I think we really have to get much more specific 
about the kinds of approaches that we need to use, and the SBA 
might be able to help with that.
    Ms. MENG. And just lastly, in terms of just curious, can 
you tell if a lot of these attacks are coming more from 
international or domestic? Does that have an effect on the kind 
of attacks?
    Mr. GROBMAN. I think we see attacks coming from all facets, 
and I think the thing that we do see is regardless of whether 
an attack is coming from an origin that is domestic or 
international, they are using the same playbook. So the way 
that we ultimately defend against cyber security issues I think 
will be less about where they originate than what they are 
actually trying to achieve.
    Mr. BERGER. We are seeing the same thing. They do not 
discriminate. The cyber criminals will attack from anywhere.
    Ms. MENG. Thank you. I yield back.
    Chairman CHABOT. The gentlelady yields back. And the 
gentlelady from Michigan, Ms. Lawrence, is recognized for five 
minutes.
    Ms. LAWRENCE. Thank you, Chairman, and thank you to our 
ranking member as well.
    Over 250 credit unions have their headquarters in my state 
of Michigan, and more than 4.5 Michiganders have membership in 
these credit unions. I want to thank the credit union 
representatives for making sure that my staff and I clearly 
understand the challenges you face in the event of data 
security for no fault of your own.
    Mr. Berger, what are data breaches costing credit unions, 
and have these costs been increasing? And what do these cost 
impacts have on credit unions to provide services to their 
members?
    Mr. BERGER. For just the Home Depot breach alone was $30 
million, and you combine Target and all the other breaches in 
2014, it is close to $80 million it hit credit unions. And what 
happens is that we rarely get any reimbursement for those 
recouped losses. And so what we are calling for is some kind of 
national standard that holds people accountable for those 
breaches.
    And we talked about shifting to EMV and chip technology and 
that is a really important component, but it is not a panacea. 
That will prevent credit card fraud, but going to EMV or chip 
technology would not have stopped any of the Target or Home 
Depot breaches whatsoever. And so it is really important to 
separate credit card fraud from data breaches, and we need to 
address data breaches and make sure it is a level playing 
field. Because I had mentioned earlier, when you look at the 
payment ecosystem, the cyber criminals attack the weakest 
component of it, and so if everybody is doing their job and 
everybody is responsible for cyber and data security, everybody 
has to be on that level playing field and doing their part.
    Ms. LAWRENCE. Well, I look forward to working with the 
chair and the ranking member, as well as my fellow members of 
Congress. I just left a briefing, the issue of cyber security 
and I thank you for understanding that we need to look at data 
breaches as well as a separate entity. And I just look forward 
to joining with you to address this issue.
    I thank all the individuals who are here today to testify. 
Thank you so much, and I yield back the rest of my time. Thank 
you, Mr. Chairman.
    Chairman CHABOT. Thank you very much. The gentlelady yields 
back.
    And in lieu of a second round, having discussed this with 
the ranking member, we have just one question I think we both 
jointly would like to ask the panel and you can respond in any 
way that you would like to.
    Chairman McCaul, who is chair of the Homeland Security 
Committee has legislation which will be coming to the floor 
tomorrow, so it was very timely, the Small Business Committee 
looking at the aspects of how cyber attacks affect small 
businesses, so it was very timely to have you all here today 
because we are going to be voting on legislation that is 
somewhat relevant this week, tomorrow. The legislation seeks to 
strengthen the National Cybersecurity and Communications 
Integration Center's role as the lead civilian interface for 
the sharing of cyber security risks and incidents. It also aims 
to preserve existing public-private partnerships to ensure 
ongoing collaboration on cyber security.
    I will just start with you, Mr. Grobman, and we just go 
down the line, do you want to comment?
    Mr. GROBMAN. Yes, I would.
    I think one very important aspect to comprehend is that 
sharing of information is one aspect of what is needed for an 
effective cyber defense. Getting data from global threat 
intelligence, sharing between entities, but also very important 
is the data that is local to the organization, and combining 
all of those types of data together in an analytical capability 
to determine when a breach is underway and be able to react 
quickly is critical. I do become concerned that there is a 
focus on just one of the elements around data sharing being the 
thing that will make things go away. It is as much about 
looking at the data we have more effectively than just 
collecting more data.
    Chairman CHABOT. Thank you very much.
    Mr. McCracken, did you want to comment?
    Mr. MCCRACKEN. Not at length, but I would generally agree 
with Mr. Grobman's remarks. And the bill seems, I think, 
positive, and a step in the right direction. But obviously, it 
will not be a panacea, but it will certainly help. Information 
for small companies is useful but we have got to actually give 
them a lot more direction on how to use that information as 
well.
    Chairman CHABOT. Thank you.
    Mr. Berger?
    Mr. BERGER. Yes, Mr. Chairman, we do support the 
legislation, but we think there needs to be really three key 
components to be successful in all this cyber and data 
security. One is the sharing of information. Two is 
notification. And three, we still think there needs to be a 
national standard for retailers and merchants. We need to make 
sure there is a level playing field and everybody is doing 
their part in holding folks accountable.
    Chairman CHABOT. Thank you very much.
    And Dr. LeClair?
    Ms. LECLAIR. I think that goes back to my earlier comment 
where I talked about the nuclear industry where you have a 
central entity that looks at lessons learned, what is 
happening, identifying that; notification to other 
organizations within that area; and then standards were created 
there. So those are the three things, very similar to what you 
were talking about. So a very similar comment.
    Chairman CHABOT. Thank you very much.
    And I know the ranking member and I would like to thank our 
witnesses for their participation today.
    I ask unanimous consent that members have five legislative 
days to submit statements and supporting materials for the 
record. And if there is no further business to come before the 
Committee, we are adjourned. Thank you very much.

    [Whereupon, at 12:08 p.m., the Committee was adjourned.]
    
                            A P P E N D I X


    Good afternoon. My thanks to Chairman Chabot, Ranking 
Member Velazquez and the members of the Small Business 
Committee for inviting me to testify today on the impact of 
cybersecurity and credit card fraud issues on the health and 
growth potential of millions of small businesses.

    My name is Todd McCracken, and I am President and CEO of 
the National Small Business Association (NSBA)--the nation's 
first small-business advocacy organization. NSBA is a uniquely 
member-driven and staunchly nonpartisan organization. NSBA has 
members in all sectors and industries of the U.S. economy from 
retail to trade to technology--our members are as diverse as 
the economy that they fuel. Small employers comprise 99.7 
percent of all employer firms in the U.S. One in two workers in 
the private workforce run or work for a small business, and one 
in four individuals in the total U.S. population is part of the 
small-business community. Those are certainly impressive 
figures.

    In the last few years, cybersecurity has emerged as a 
significant problem and concern for the small-business 
community. By the end of 2014, according to NSBA's Year-End 
Economic Report, fully half of small businesses reported having 
been the victim of a cyber-attack (up from 44 percent in 2013). 
Of those, 61 percent say an attack had occurred within the last 
year.

    Cyber-Attacks on Small Businesses are Becoming More 
Prevalent

    While a 14 percent increase in the number of small-business 
victims of a cyber-attack is significant, we believe the real 
story is the increasing impact those attacks are having on 
small businesses, in terms of both the interruption of normal 
business operations and the direct financial cost of the 
attack.

    In 2013, only 12 percent of businesses reported that 
resolution of the cyber-attack required more than one week; by 
late 2014, more than one in five such attacks were still 
unresolved after one week, with 13 percent of them requiring 
more than two weeks. Three in five businesses experienced a 
service interruption, and a third had their websites go down 
for some period.

    Small Companies Have Fewer Resources to Deal with Cyber-Attacks

    Many small companies are not in a position to have a 
dedicated IT department, and many either outsource IT functions 
or assign such duties to an employee with other 
responsibilities--often the owner him/herself. In fact, the 
number of business owners who personally handle IT support 
appears to be on the rise. When we asked in 2010, 25 percent of 
business owners indicated that they were primarily responsible 
for IT support in their companies, while a larger number (36 
percent) said they contracted with an outside vendor. By 2013, 
those numbers had essentially reversed, with 40 percent of 
business owners handling IT personally and only 24 percent 
indicating that they outsourced the function.

    In the case of an outsourced IT function, a very small 
business might not be high on the IT firm's priority list of 
clients, even though such a firm is more likely to have the 
experience and technical expertise to resolve the issue 
quickly. In the case of in-house functionality, new issues 
might require research and training, making mistakes and delays 
more likely. In either scenario, dealing with the technical 
side of a cyber-attack presents unique challenges to our 
smallest companies.

    Cyber-Attacks are Becoming Much more Costly

    Perhaps the most startling finding of our most recent 
cybersecurity data was the sharp increase in the direct 
financial cost of cyber-crime on small companies. Of those 
companies reporting some kind of cyber-attack, the average 
amount of money stolen from a bank account rose from $6,927 in 
2013 to $19,948 by late 2014, a 188 percent increase in a short 
amount of time.

    This dramatic increase in stolen funds appears to be 
related to a sharp rise in the incidence and sophistication of 
so-called phishing scams. These scams send emails closely 
mimicking those of banks or other trusted institutions and 
citing an urgent need to login to an account or provide some 
other vital information. Small businesses are particularly 
vulnerable to these attacks, since multiple employees could 
have access to vital information. Further, business accounts do 
not enjoy the same level of protections and guarantees against 
loss and theft as those provided to consumers--a reality that 
many small-business owners do not discover until it is too 
late. Consumers are protected by Regulation E, which 
dramatically limits their liability in a cyber-heist. 
Commercial accounts, however, are covered by the Uniform 
Commercial Code (UCC). The UCC does not hold banks liable for 
unauthorized payments so long as ``the security procedure is a 
commercially reasonable method of providing security...'' Few 
small businesses that are the victims of theft from their bank 
accounts ever recover those funds.

    According to Verizon's 2015 Data Breach Investigations 
Report, phishing has increased dramatically in just the last 
four years, having gone from about 2 percent of cyber-attacks 
in 2010 to over 20 percent in 2014. Moreover, these phishing 
attacks have become much more sophisticated, with a high degree 
of verisimilitude. Small companies need to engage in ongoing 
employee training to recognize and avoid these dangerous traps.

    Credit Card Fraud and Small Businesses

    Various forms of credit card fraud have been part of our 
financial landscape for some time. However, the increased 
technical prowess of cyber-thieves--and the continued 
prevalence of magnetic stripe cards--has taken credit card 
fraud to heightened levels. The U.S. finally appears to be 
taking significant steps toward the introduction of chip (EMV) 
enabled cards, or so-called chip and PIN cards.

    Liability Shift

    As EMV cards begin to enter the U.S. market, the credit 
card issuers will begin to shift liability for card fraud to 
the entity with the lowest level of security. The practical 
effect of this rule--effective Oct. 1, 2015--is that merchants 
will, for the first time, become liable for fraudulent card use 
if they have not upgraded to the latest EMV card reader 
technology and software.

    This move to EMV means that millions of countertop card 
readers will need to be replaced. The change is also likely to 
mean new software and a need for employee training. Therefore, 
since the transition will both be expensive and time-consuming, 
smaller merchants should carefully consider whether the shift 
to EMV card readers makes sense for their businesses, at least 
for now.

    Merchants who sell low-priced goods and consumables, for 
instance, are unlikely to be targets for credit card fraud, so 
they are unlikely to see their potential liabilities 
significantly rise as a result of the shift. However, merchants 
that sell more expensive goods with strong re-sale value (e.g., 
electronics, jewelry), and who do not know their customers 
well, have a higher incentive to move to EMV card readers. 
Small businesses should carefully examine their own 
``charge-back'' history to determine whether the investment in 
the new technology and processes makes sense for them at this time.

    Hastening the Transition to a More Secure EMV Environment

    Besides a general lack of awareness of the liability shift 
issue, there are two other major reasons that smaller merchants 
have not generally made the switch to EMV card readers:

          1. Card issuers are not offering reduced interchange 
        fees for merchants using EMV card readers, despite the 
        promised reduction of fraud resulting from their use. 
        Given that card issuers have long blamed fraud as a 
        prime cause for high interchange fees, merchants will 
        naturally expect that EMV implementation will drive 
        down those fees.

          2. Card issuers have not yet made their own 
        transition to EMV cards. Until smaller merchants see a 
        market demand (in the form of their customers using 
        chip-enabled cards), they are unlikely to move quickly 
        to accommodate a non-existing demand.

    Stepped-up issuance of EMV-enabled cards, combined with the 
eventual elimination of magnetic-stripe cards altogether is the 
only logical path toward a significant and lasting reduction in 
card-based fraud, at least for ``card-present'' transactions.

    Recommendations

    Cybersecurity is a large and growing threat to the small-
business community. NSBA urges Congress to move forward on 
establishing streamlined guidelines and protocols to ensure the 
protection and security of online data and financials, but 
cautions against a knee-jerk reaction that would unfairly place 
a disproportionate burden on America's smallest firms:

         Legislation to enhance America's 
        cybersecurity should provide clear, simple steps for 
        companies to follow when their data is breached and 
        must balance the need for greater information sharing 
        with privacy rights.

         Any federal discussion on cybersecurity or 
        development of a private-public partnership or advisory 
        board must include representatives of small business.

         Extend consumer banking protections to the 
        banking accounts held by America's smallest firms.

         Congress should maintain oversight on the 
        credit card technology transition and ensure small 
        firms are protected against any unfair or seriously 
        burdensome costs or liabilities associated with 
        transitioning to the new technology.

    Conclusion

    Thank you for the opportunity to speak with you today. I 
hope that we can work with each of you as we advance to 
solutions to the significant cybersecurity issues before us.

                          Introduction

    Good Morning, Chairman Chabot, Ranking Member Velazquez and 
Members of the Committee. My name is Dan Berger and I am 
testifying today on behalf of the National Association of 
Federal Credit Unions (NAFCU) where I serve as President and 
CEO.

    Credit unions and their 100 million members have been 
heavily impacted by ongoing data security breaches by no fault 
of their own and I greatly appreciate the opportunity to 
testify before the committee today on cyber and data security. 
More can and must be done to better protect consumers. As 
NAFCU's chief advocate on Capitol Hill, at the White House, and 
before the regulatory agencies, I know firsthand how important 
yet complicated this issue is for policy makers to navigate.

    Over the past 25 years I have worked in public policy and 
in a variety of business management positions. I earned a 
Master's degree in public administration from Harvard 
University and a bachelor's degree in economics from Florida 
State. Before joining NAFCU's executive team in 2006, I served 
as a chief-of-staff in the United States House of 
Representatives. I was named NAFCU's President and CEO in 
August 2013.

    As you are aware, NAFCU is the only national organization 
exclusively representing the interests of the nation's 
federally-chartered credit unions. NAFCU-member credit unions 
collectively account for approximately 70 percent of the assets 
of all federally chartered credit unions.

                  Background on Credit Unions

    Historically, credit unions have served a unique function 
in the delivery of essential financial services to American 
consumers. Established by an Act of Congress in 1934, the 
federal credit union system was created, and has been 
recognized, as a way to promote thrift and to make financial 
services available to all Americans, many of whom may otherwise 
have limited access to financial services. Congress established 
credit unions as an alternative to banks and to meet a precise 
public need--a niche that credit unions still fill today.

    Every credit union, regardless of size, is a cooperative 
institution organized ``for the purpose of promoting thrift 
among its members and creating a source of credit for provident 
or productive purposes.'' (12 USC 1752(1)). While over 80 years 
have passed since the Federal Credit Union Act (FCUA) was 
signed into law, two fundamental principles regarding the 
operation of credit unions remain every bit as important today 
as in 1934:

         credit unions remain wholly committed to 
        providing their members with efficient, low-cost, 
        personal financial services; and,

         credit unions continue to emphasize 
        traditional cooperative values such as democracy and 
        volunteerism.

    Credit unions are small businesses themselves, especially 
when compared to our nation's mega banks and largest retailers, 
facing challenges of meeting the products and service needs of 
their community, while dealing with various laws and 
regulations.

                Credit Unions and Data Security

    My testimony today will cover what credit unions currently 
do to maintain a successful track record of protecting information, 
NAFCU's work on the cyber security and data security front, how 
recent data breaches have impacted credit unions and consumers, 
including the financial burdens they have faced, and NAFCU's 
principles for data security reform and thoughts on some of the 
ways forward on this issue.

    As members of the committee are well aware, cyber and data 
crime has reached epic proportions in nearly all sectors of the 
economy. Symantec's 2015 Internet Security Threat Report 
characterized 2014 as a year with ``far-reaching 
vulnerabilities, faster attacks, files held for ransom and far 
more malicious code than in previous years.'' According to the 
report, more than 317 million new pieces of malware were 
created in 2014 and breaches were up 23 percent from 2013. 
While large companies across all sectors are still a prime 
target, 60 percent of all targeted attacks struck small and 
medium-sized companies last year.

    The U.S. government is also constantly working to identify 
malicious actions within their networks. Earlier this year the 
Department of Homeland Security's Office of Cybersecurity and 
Communication announced that a network monitoring program will 
fully cover the government by the end of fiscal year 2016 
through the Einstein program used to strengthen perimeter 
defenses and the Continuous Diagnostics and Mitigation program 
designed to better detect hackers once systems have already 
been penetrated.

    NAFCU supports comprehensive data and cyber security 
measures to protect consumers' personal data. Credit unions and 
other financial institutions already protect data consistent 
with the provisions of the 1999 Gramm-Leach-Bliley Act (GLBA). 
Unfortunately, there is no comprehensive regulatory structure 
similar to what was put in place for financial institutions 
under GLBA for other entities that may handle sensitive 
personal and financial data.

    In today's digital economy, cybersecurity poses a threat to 
businesses of all sizes, individual consumers, and even 
national security through our government's critical 
infrastructure. From the financial services perspective, cyber 
security and data security are inextricably linked--both 
require the entire payments ecosystem to take an active role in 
addressing emerging threats, and both require all players to be 
proactive in protecting consumers' personally identifiable and 
financial information from the onset.

    As will be discussed in my testimony, credit unions have 
been able to successfully minimize emerging threats and data 
breaches. Still, consumers unwittingly put themselves at risk 
every time they swipe their debit or credit card. Given the 
magnitude of the many recent data breaches and the sheer number 
of consumers impacted, policy makers have a clear bipartisan 
opening to ensure all players in the payments system have a 
meaningful federal data safekeeping standard to help prevent 
breaches from occurring.

    This hearing is an important one as we are at a critical 
juncture in the cyber and data security discussion on Capitol 
Hill. On behalf of NAFCU and our member credit unions, I 
appreciate the opportunity to be here today.

     Financial Institutions and the Gramm-Leach-Bliley Act

    GLBA and its implementing regulations have successfully 
limited data breaches among financial institutions and this 
standard has a proven track record of success since its 
enactment in 1999. This record of success is why we believe any 
future requirements must recognize this existing national 
standard for financial institutions such as credit unions.

    Consistent with Section 501 of the GLBA, the National 
Credit Union Administration (NCUA) established administrative, 
technical and physical safeguards to ensure the (1) security, 
(2) confidentiality, (3) integrity, and (4) proper disposal of 
consumer information and other records. Under the rules 
promulgated by the NCUA, every credit union must develop and 
maintain an information security program to protect customer 
data. Additionally, the rules require third party service 
providers that have access to credit union data take 
appropriate steps to protect the security and confidentiality 
of the information.

    GLBA and its implementing regulations have successfully 
limited data breaches among credit unions. The best way to move 
forward and address data breaches is to create a comprehensive 
regulatory scheme for those industries that are not already 
subject to oversight. At the same time, the oversight of credit 
unions, banks and other financial institutions is best left to 
the functional financial institution regulators that have 
experience in this field. It would be redundant at best and 
possibly counter-productive to authorize any agency--other than 
the functional financial institution regulators--to promulgate 
new, and possibly duplicative or contradictory, data security 
regulations for financial institutions already in compliance 
with GLBA.

    Below, I outline the key elements, requirements and 
definitions of the GLBA. Specifically, the GLBA:

         Requires financial institutions to establish 
        privacy policies and disclose them annually to their 
        customers, setting forth how the institution shares 
        nonpublic personal financial information with 
        affiliates and third parties.

         Directs regulators to establish regulatory 
        standards that ensure the security and confidentiality 
        of customer information.

         Permits customers to prohibit financial 
        institutions from disclosing personal financial 
        information to non-affiliated third parties.

         Prohibits the transfer of credit card or 
        other account numbers to third-party marketers.

         Prohibits pretext calling, which generally 
        is the use of false pretenses to obtain nonpublic 
        personal information about an institution's customers.

         Protects stronger state privacy laws and 
        those not inconsistent with these federal rules.

         Requires the U.S. Department of Treasury and 
        other federal regulators to study the appropriateness 
        of sharing information with affiliates, including 
        considering both negative and positive aspects of such 
        sharing for consumers.

    Sensitive Consumer Information

    Sensitive consumer information is defined as a member's 
name, address, or telephone number in conjunction with the 
member's social security number, driver's license number, 
account number, credit or debit card number, or personal 
identification number or password that would permit access to 
the member's account. Sensitive consumer information also 
includes any combination of components of consumer information 
that would allow someone to log into or access the member's 
account, such as user name and password or password and account 
number. Under the guidelines, an institution must protect 
against unauthorized access to or use of consumer information 
that could result in substantial harm or inconvenience to any 
consumer.

    Unauthorized Access to Consumer Information

    The agencies published guidance to interpret privacy 
provisions of GLBA and interagency guidelines establishing 
information security standards. The guidance describes response 
programs, including member notification procedures, that a 
financial institution should develop and implement to address 
unauthorized access to or use of consumer information that 
could result in substantial harm or inconvenience to a member.

    The security guidelines require every financial institution 
to have an information security program designed to:

         Ensure the security and confidentiality of 
        consumer information;

         Protect against any anticipated threats or 
        hazards to the security or integrity of such 
        information; and,

         Protect against unauthorized access to or 
        use of such information that could result in 
        substantial harm or inconvenience to a member.

    Risk Assessment and Controls

    The security guidelines direct every financial institution 
to assess the following risks, among others, when developing 
its information security program:

         Reasonably foreseeable internal and external 
        threats that could result in unauthorized disclosure, 
        misuse, alteration, or destruction of consumer 
        information or consumer information systems;

         The likelihood and potential damage of 
        threats, taking into consideration the sensitivity of 
        consumer information; and,

         The sufficiency of policies, procedures, 
        consumer information systems, and other arrangements to 
        control for the risks to sensitive data.

    Following the assessment of these risks, the security 
guidelines require a financial institution to design a program 
to address the identified risks. The particular security 
measures an institution should adopt depend upon the risks 
presented by the complexity and scope of its business. This is 
a critical aspect of GLBA that allows flexibility and ensures 
the regulatory framework is workable for the largest and 
smallest in the financial service arena. As the committee 
considers cyber and data security measures, it should be noted 
that scalability is achievable and that it is a misnomer when 
other industries claim they cannot have a federal data 
safekeeping standard that could work across a sector of varying 
size businesses.

    At a minimum, the financial institution is required to 
consider the specific security measures enumerated in the 
Security Guidelines, and adopt those that are appropriate for 
the institution, including:

         Access controls on consumer information 
        systems, including controls to authenticate and permit 
        access only to authorized individuals and controls to 
        prevent employees from providing consumer information 
        to unauthorized individuals who may seek to obtain this 
        information through fraudulent means;

         Background checks for employees with 
        responsibilities for access to consumer information;

         Response programs that specify actions to be 
        taken when the financial institution suspects or 
        detects that unauthorized individuals have gained 
        access to consumer information systems, including 
        appropriate reports to regulatory and law enforcement 
        agencies;

         Train staff to implement the credit union's 
        information security program; and,

         Regularly test the key controls, systems and 
        procedures of the information security program. The 
        frequency and nature of such tests should be determined 
        by the credit union's risk assessment. Tests should be 
        conducted or reviewed by independent third parties or 
        staff independent of those that develop or maintain the 
        security programs.

    Service Providers

    The security guidelines direct every financial institution 
to require its service providers through contract to implement 
appropriate measures designed to protect against unauthorized 
access to, or use of, consumer information that could result in 
substantial harm or inconvenience to any consumer.

    Third-party providers are very popular for many reasons, 
most frequently associated with cost-savings/overhead 
reduction. However, where costs may be saved for overhead 
purposes, they may be added for audit purposes. Because audits 
typically are annual or semi-annual events, cost savings may 
still be realized but the risk associated with outsourcing must 
be managed regardless of cost. In order to manage risks, they 
must first be identified.

    An institution that chooses to use a third-party provider 
for the purposes of information systems-related functions must 
recognize that it must ensure adequate levels of controls so 
the institution does not suffer the negative impact of such 
weaknesses.

    Response Program

    Every financial institution must develop and implement a 
risk-based response program to address incidents of 
unauthorized access to consumer information. A response program 
should be a key part of an institution's information security 
program. The program should be appropriate to the size and 
complexity of the institution and the nature and scope of its 
activities.

    In addition, each institution should be able to address 
incidents of unauthorized access to consumer information in 
consumer information systems maintained by its service 
providers. Where an incident of unauthorized access to consumer 
information involves consumer information systems maintained by 
an institution's service providers, it is the responsibility of 
the financial institution to notify the institution's consumers 
and regulator. However, an institution may authorize or 
contract with its service provider to notify the institution's 
consumers or regulator on its behalf.

    Consumer Notice

    Timely notification to members after a security incident 
involving the unauthorized access or use of their information 
is important to manage an institution's reputation risk. 
Effective notice may also mitigate an institution's legal risk, 
assist in maintaining good consumer relations, and enable the 
institution's members to take steps to protect themselves 
against the consequences of identity theft.

    Content of Consumer Notice

    Consumer notice should be given in a clear and conspicuous 
manner. The notice should describe the incident in general 
terms and the type of consumer information that was the subject 
of unauthorized access or use. It should also generally 
describe what the institution has done to protect consumers' 
information from further unauthorized access. In addition it 
should include a telephone number that members can call for 
further information and assistance. The notice should also remind 
members of the need to remain vigilant over the next 12 to 24 
months, and to promptly report incidents of suspected fraud or 
identity theft to the institution.

    Delivery of Consumer Notice

    Notice should be delivered in any manner designed to ensure 
that a consumer can reasonably be expected to receive it.

  NAFCU's Work in Various Cyber and Data Security Initiatives

    NAFCU has been an active participant in various industry 
and government cyber and data security initiatives, doubling 
down on these efforts as data breaches continue to rise and 
innovations in payments technology make the entire ecosystem 
more complex for financial institutions and consumers.

    Specific to payments, NAFCU is a member of the Payments 
Security Task Force, a diverse group of participants in the 
payments industry that is driving a discussion relative to 
systems security. NAFCU also supports many of the ongoing 
efforts at the Financial Services Sector Coordinating Council 
(FSSCC) and the Financial Services Information Sharing and 
Analysis Center (FS-ISAC). These organizations work closely 
with partners throughout the government creating unique 
information sharing relationships that allow threat information 
to be distributed in a timely manner.

    NAFCU also worked with the National Institute of Standards 
and Technology (NIST) on the voluntary cybersecurity framework 
released in 2013 designed to help guide financial institutions 
of varying size and complexity through the process of reducing 
cyber risks to critical infrastructure. The recommendations are 
designed to evolve and will be updated to keep pace with 
changes in technology and threats.

    Earlier this year, I also had the opportunity to attend 
President Barack Obama's White House Summit on Cybersecurity 
and Consumer Protection at Stanford University which featured 
leaders from across the country--industry, tech companies, law 
enforcement, consumer and privacy advocates, law professors who 
specialize in this field, and students--to collaborate and 
explore partnerships that will help develop the best ways to 
bolster cybersecurity. Credit unions continue to pursue greater 
data security through innovation.

    During the Summit, NAFCU-member First Tech Federal Credit 
Union's recent partnership with MasterCard in the area of card 
security was announced. First Tech is innovative in this area 
and will implement a new pilot program later this year that 
will allow consumers to authenticate and verify their 
transactions using a combination of unique biometrics such as 
facial and voice recognition. This type of innovation is not 
unusual at member-owned and member-driven credit unions as they 
take data security seriously.

         Credit Unions and Consumers Continue to Suffer

    With the increase of massive data security breaches at 
retailers, from the Target breach at the height of holiday 
shopping in 2013 impacting over 110 million consumer records to 
the recent Home Depot breach impacting 56 million payment 
cards, Americans are becoming more aware and more concerned 
about data security and its impact. A Gallup poll from October 
12-October 15, 2014, found that 69 percent of U.S. adults said 
they frequently or occasionally are concerned about having 
their credit card information stolen by hackers, while 27 
percent of Americans say they or another household member had 
information from a credit card used at a store stolen in the 
last year. These staggering survey results speak for themselves 
and should cause serious pause among lawmakers on Capitol Hill.

    Data security breaches are more than just an inconvenience 
to consumers as they wait for their plastic cards to be 
reissued. Breaches often result in compromised card information 
leading to fraud losses, unnecessarily damaged credit ratings, 
and even identity theft. Symantec's Internet Security Threat 
Report issued earlier this month found that 36% (roughly 74 
million consumers) of the 205,446,276 individuals compromised 
in retail breaches in 2014 had their financial information 
exposed. That percentage doubled from 18% in 2013. More than 
23% of the US population had their financial identities 
compromised by a retailer data breach in 2014.

    While the headline grabbing breaches are certainly 
noteworthy, the simple fact is that data security breaches at 
our nation's retailers are happening almost every day. A 
February of 2015 survey of NAFCU member credit unions, found 
that respondents were alerted to potential breaches an average 
of 164 times in 2014. Two-thirds of the respondents said that 
they saw an increase in these alerts from 2013. When credit 
unions are alerted to breaches, they take action to respond to 
protect their members. The chart below outlines the actions 
that credit unions took in 2014 in response to merchant data 
breaches.

[GRAPHIC] [TIFF OMITTED] 

    Credit unions suffer steep losses in re-establishing member 
safety after a data breach occurs. They are often forced to 
charge off fraud-related losses, many of which stem from a 
negligent entity's failure to protect sensitive financial and 
personal information or the illegal maintenance of such 
information in their systems. Moreover, as many cases of 
identity theft have been attributed to data breaches, and as 
identity theft continues to rise, any entity that stores 
financial or personally identifiable information should be held 
to minimum federal standards for protecting such data.

    Merchants and credit unions are both targets of 
cyberattacks. The difference, however, is that credit unions 
have developed and maintain robust internal protections to 
combat these attacks and are required by federal law and 
regulation to protect this information and notify consumers 
when a breach occurs that will put them at risk. Every credit 
union must comply with significant data security regulations, 
and undergo regular examinations to ensure that these rules are 
followed. A credit union faces potential fines of up to $1 
million per day for compliance violations. These extensive 
requirements and safeguards discussed earlier in my testimony 
have evolved along with cyber threats and technological 
advances and have been enhanced through regulation since they 
were first required in 1999. In contrast, retailers are not 
covered by any federal laws or regulations that require them to 
protect the data and notify consumers when it is breached.

    A credit union data security program to protect its own 
system can have many security components, such as:

          1. Firewall
          2. Intrusion Prevention
          3. Botnet Filtering
          4. Anti-Virus protection
          5. Malware protection
          6. Management and Monitoring Services
          7. Anti-Phishing and Phishing site takedown services
          8. Third party vulnerability assessments and testing
          9. Web Filter
          10. Spam Filter
          11. Secure Email
          12. Encryption
          13. End point security
    These elements can have a significant cost to the 
institution. A February, 2015, survey of NAFCU members found 
that the average respondent credit union spent $136,000 on data 
security measures in 2014, and that doesn't even factor in the 
additional costs that the credit union faced due to data 
breaches at other entities.

    The ramifications of recent data breaches for credit unions 
and their members have been monumental. The aforementioned 
survey of NAFCU members found that the estimated costs 
associated with merchant data breaches in 2014 were $226,000 on 
average per credit union. Almost all respondents noted that 
merchant data breaches lead to increased member-service costs 
and needs that are not reflected in these direct costs. The 
three main elements of these costs were card reissuing costs, 
fraud investigations/losses and account monitoring. The chart 
on the next page outlines how these various costs from merchant 
data breaches are broken down.

[GRAPHIC] [TIFF OMITTED] 

    Charlotte Metro Federal Credit Union is a prime example. 
Their estimated cost for reissuing, additional staffing, member 
notification, account monitoring, increase in call volume and 
branch visits among other things is over $200,000. However, a 
cost cannot be placed on the vulnerability their cardholders 
are left with as well as the lack of trust and confidence that 
is created. They have indicated that the impact from the losses 
and increased expenses affect the fees and rates they are able 
to offer their members.

    Additionally, one of the residual effects that goes largely 
unnoticed is the impact that the reissuance of a card has on 
the neural network of a credit union. This is a credit union's 
own fraud detection system. Some of the components of the 
system are payment patterns and history of card usage, as is 
the case with most neural networks. Every time a credit union 
has to reissue a card, the pattern and history for that member 
is erased and it starts over. This increases the chance that 
the member will make a purchase that is perfectly acceptable, 
but get denied because the network doesn't recognize that what 
they are doing is perfectly normal. This is especially true for 
credit union members who travel.

    Smaller credit unions such as Diebold Federal Credit Union, 
a small credit union with only 3,300 members and $17 million in 
assets in North Carolina, Ohio, are especially feeling the 
impact. Since the beginning of 2014, Diebold has had over 
$32,000 in losses from data breaches at retailers. While that 
may not seem like much, it is nearly $10 in loss for every one 
of their members and a real burden on the institution. They are 
not alone. Over that same time period, Chicago Patrolmen's 
Federal Credit Union has had over $143,000 in losses, which is 
over a $5 loss for each of their 28,000 members.

    Unfortunately, credit unions often never see any 
reimbursement for their costs associated with the majority of 
data breaches. Even when there are recoupment opportunities, 
such as the recent Target settlement with MasterCard, it is 
usually only pennies on the dollar in terms of the real costs 
and losses incurred. Meanwhile, big box retailers that were 
negligent in recent data security breaches are posting record 
profits. A 2015 Columbia University review of financial 
statements of merchants such as Target and Home Depot reveals 
that retailers barely notice a financial hit from massive data 
breaches, and breach costs were less than one-tenth of one 
percent of these giant retailers 2014 annual sales.

    Payment networks are critical partners to credit unions in 
ensuring credit union members have the credit and debit card 
programs they need and demand. Collectively, the networks have 
worked together to standardize the Payment Card Industry (PCI) 
Data Security Standard designed to provide merchants and 
retailers with a framework of specifications, tools, 
measurements and support resources to ensure the safe handling 
of cardholder information. While NAFCU appreciates the positive 
progress in this regard, credit unions and other issuers are 
still seeing steep losses in the wake of retailer and merchant 
data breaches and would like to see the networks do everything 
they can to make reimbursement in the wake of fraud stemming 
from a data breach more equitable. As discussed, NAFCU believes 
the negligent entity should be wholly responsible for such 
damages.

              NAFCU's Key Data Security Principles

    NAFCU has long been active on the data security front, and 
was the first financial services trade association to call for 
Congressional action in the wake of the 2013 data breach at 
Target. Recognizing that a legislative solution is a complex 
issue, NAFCU's Board of Directors has also established a set of 
guiding principles to help define key issues credit unions 
would like to see addressed in any comprehensive cyber and data 
security effort that may advance. These principles include:

           Payment of Breach Costs by Breached 
        Entities: NAFCU asks that credit union expenditures for 
        breaches resulting from card use be reduced. A 
        reasonable and equitable way of addressing this concern 
        would be to require entities to be accountable for 
        costs of data breaches that result on their end, 
        especially when their own negligence is to blame.

           National Standards for Safekeeping 
        Information: It is critical that sensitive personal 
        information be safeguarded at all stages of 
        transmission. Under the GLBA, credit union and other 
        financial institutions are required to meet certain 
        criteria for safekeeping consumers' personal 
        information. Unfortunately, there is no comprehensive 
        regulatory structure akin to the GLBA that covers 
        retailers, merchants and others who collect and hold 
        sensitive information. NAFCU strongly supports the 
        passage of legislation requiring any entity responsible 
        for the storage of consumer data to meet standards 
        similar to those imposed on financial institutions 
        under the GLBA.

           Data Security Policy Disclosure: Many 
        consumers are unaware of the risks they are exposed to 
        when they provide their personal information. NAFCU 
        believes this problem can be alleviated by simply 
        requiring merchants to post their data security 
        policies at the point of sale if they take sensitive 
        financial data. Such a disclosure requirement would 
        come at little or no cost to the merchant but would 
        provide an important benefit to the public at large.

           Notification of the Account Servicer: The 
        account servicer or owner is in the unique position of 
        being able to monitor for suspicious activity and 
        prevent fraudulent transactions before they occur. 
        NAFCU believes that it would make sense to include 
        entities such as financial institutions on the list of 
        those to be informed of any compromised personally 
        identifiable information when associated accounts are 
        involved.

           Disclosure of Breached Entity: NAFCU 
        believes that consumers should have the right to know 
        which business entities have been breached. We urge 
        Congress to mandate the disclosure of identities of 
        companies and merchants whose data systems have been 
        violated so consumers are aware of the ones that place 
        their personal information at risk.

           Enforcement of Prohibition on Data 
        Retention: NAFCU believes it is imperative to address 
        the violation of existing agreements and law by 
        merchants and retailers who retain payment card 
        information electronically. Many entities do not 
        respect this prohibition and store sensitive personal 
        data in their systems, which can be breached easily in 
        many cases.

           Burden of Proof in Data Breach Cases: In 
        line with the responsibility for making consumers whole 
        after they are harmed by a data breach, NAFCU believes 
        that the evidentiary burden of proving a lack of fault 
        should rest with the merchant or retailer who incurred 
        the breach. These parties should have the duty to 
        demonstrate that they took all necessary precautions to 
        guard consumers' personal information but sustained a 
        violation nonetheless. The law is currently vague on 
        this issue, and NAFCU asks that this burden of proof be 
        clarified in statute.

                   Preventing Future Breaches

    NAFCU has long argued that protecting consumers and 
financial institutions by preventing future data breaches 
hinges on establishment of strong federal data safekeeping 
standards for retailers and merchants akin to what credit unions 
already comply with under the GLBA.

    The time has come for Congress to enact a national standard 
on data protection for consumers' personal financial 
information. Such a standard must recognize the existing 
protection standards that financial institutions have under the 
GLBA and ensure the costs associated with a data breach are 
borne by those who incur the breach.

    While some have said that voluntary industry standards 
should be the solution, the recently released Verizon 2015 
Payment Card Industry Compliance Report found that 4 out of 
every 5 global companies fail to meet the widely accepted 
Payment Card Industry (PCI) data security standards for their 
payment card processing systems. In fact, Verizon found that 
out of every data breach they studied over the past 10 years, 
not one single company was in compliance with the PCI standards 
at the time of the breach. This should cause serious pause 
among lawmakers as failing to meet these standards, exacerbated 
by the lack of a strong federal data safekeeping standard, 
leaves merchants, and therefore consumers, more vulnerable to 
breaches.

    In addition, the report finds that the use of EMV cards 
(``chip cards'') in other countries has not been a silver 
bullet solution to preventing fraudulent activity, but merely 
displaces it. The report shows that once EMV use increases, 
criminals shift their focus to card not present transactions, 
such as online shopping. While some have argued for a ``chip 
card'' solution, the reality is that it is not a panacea and 
does not replace a sound data security standard.

    One basic but important concept to point out with regard to 
almost all cyber and data threats is that a breach may never 
come to fruition if an entity handling sensitive information 
limits the amount of data collected on the front end and is 
diligent in not storing sensitive personal and financial data 
in their systems. Enforcement of prohibition on data retention 
cannot be over emphasized and it is a cost effective and 
commonsense way to cut down on emerging threats. If there is no 
financial data to steal, it is not worth the effort of cyber 
criminals.

                     Legislative Solutions

    NAFCU believes that the best legislative solution on the 
issue of data security that has been introduced in this 
Congress is bipartisan legislation in the Senate by Senators 
Roy Blunt and Tom Carper. Their bill, S. 961, the Data Security 
Act of 2015, sets a national data security standard that 
recognizes those who already have one under the GLBA. We 
support this legislation and would urge introduction of a House 
companion measure.

    As the committee is aware, the cyber and data security 
discussions cross the jurisdiction of several Congressional 
committees. Given the daunting task of making meaningful reform 
in these areas, early this Congress NAFCU called on 
Congressional leadership to create a bipartisan and bicameral 
working group to find a legislative path forward to help better 
protect consumers from ongoing data breaches.

                           Conclusion

    Cyber and data security, ensuring member safety, and how to 
incentivize and emphasize data safekeeping in every link of the 
payments chain is a top challenge facing the credit union 
industry today. Given the breadth and scope of many recent 
retailer data breaches, we have reached a tipping point in the 
public dialogue about how to tackle these issues. NAFCU member 
credit unions and the 100 million credit union members across 
the country are looking to Congress to continue work on cyber 
and data security issues and move forward with legislation that 
will make a meaningful difference to consumers. It is time to 
level the playing field and require equal data security 
treatment to all those who collect and store personally 
identifiable and financial data.

    Consumers will only be protected when every sector of 
industry is subject to robust federal data safekeeping 
standards that are enforced by corresponding regulatory 
agencies. It is with this in mind that NAFCU urges Congress to 
modernize data security laws to reflect the complexity of the 
current environment and insist that retailers and merchants 
adhere to a strong federal standard in this regard.

    Thank you for the opportunity to appear before you today on 
behalf of NAFCU. I welcome any questions you may have.

                        Statement for the Record

               Dr. Jane LeClair, Chief Operating Officer
          National Cybersecurity Institute of Excelsior College

                                Before the

                  United States House of Representatives
                       Committee on Small Business

                       Small Business, Big Threat:
              Protecting Small Businesses from Cyber Attacks

                              April 22, 2015

    Mr. Chairman and members of the Committee, on behalf of the 
National Cybersecurity Institute at Excelsior College, I 
appreciate the opportunity to address you and provide a 
statement for today's hearing. The National Cybersecurity 
Institute is dedicated to increasing knowledge in the 
cybersecurity discipline and assists small businesses (SMB's) 
to better understand and meet the challenges in today's digital 
world. My name is Dr. Jane LeClair, and I am the Chief 
Operating Officer of the National Cybersecurity Institute 
located in Washington, D.C.

    SMB's are challenged both by the ability and the desire to 
secure themselves against cyber threats which makes them 
uniquely vulnerable to cyber attacks. Fifty percent of SMB's 
have been the victims of cyber attack and over 60 percent of 
those attacked go out of business. Often SMB's do not even know 
they have been attacked until it is too late.

    SMB's are under attack from many avenues including social 
engineering, the internet of things, insider threat, weak 
passwords and cyber theft through weak payment systems. Mobile 
devices and the lack of formal cyber plans and policies spell 
trouble. Infections brought in through browsers pose a threat, 
and finally, outdated technology and poor maintenance top the 
list of problems. SMB's are characterized by central management 
focused around the owner, with lack of a specialized IT or 
cyber staff, inadequate control systems, and day-to-day rather 
than long-term planning for asset protection. Almost 70% of SMB's 
manage their own websites, use the Internet for sales, social 
media, marketing, and a host of other needs. SMB's have 
resource constraints and often ignore cyber-security in favor of 
day-to-day operations or other financial needs. Yet SMB's 
remain a gateway to gain access to clients, business partners, 
donors, and contractors working with the SMB ... a backdoor 
into many large organizations. These organizations frequently 
lack the knowledge needed to develop and implement a cyber 
policy or the expertise to develop a response strategy. 
Surprisingly, 96% of the attacks on SMB's were fundamentally 
basic attacks. SMB's need employees trained in networking, 
operating systems and multiple layers of security.

    Otherwise, who's watching for signs of an attack and making 
sure the operating systems are properly patched? Who's 
responsible for regular backups and reviewing system logs?

    There are several ways that the National Cybersecurity 
Institute is offering assistance to SMB's. An affordable 
package that provides a targeted cybersecurity plan, basic 
training for owners, IT staff and employees, and ensures that 
the basics of antivirus software and firewall protection are in 
place, is under development. Our media campaign raises 
awareness through quarterly webinars and weekly blogs. The 
National Cybersecurity Institute is publishing two short books 
on Cyber for Small Business and Cyber Insurance, and is 
partnering to offer a SMB workshop in medium-sized cities 
around the country that is affordable and aimed at SMB owners 
and their IT staff. Cybersecurity is without a doubt one of the 
prime concerns of the SMB community in America today. The 
efforts of this Committee in seeking ways to help alleviate 
those concerns cannot be understated. Mr. Chairman and members 
of this Committee, thank you for your interest in this 
important area, and I thank you for the opportunity to address 
you today.