[House Hearing, 117 Congress]
[From the U.S. Government Publishing Office]
CYBER THREATS, CONSUMER DATA,
AND THE FINANCIAL SYSTEM
=======================================================================
HYBRID HEARING
BEFORE THE
SUBCOMMITTEE ON CONSUMER PROTECTION
AND FINANCIAL INSTITUTIONS
OF THE
COMMITTEE ON FINANCIAL SERVICES
U.S. HOUSE OF REPRESENTATIVES
ONE HUNDRED SEVENTEENTH CONGRESS
FIRST SESSION
__________
NOVEMBER 3, 2021
__________
Printed for the use of the Committee on Financial Services
Serial No. 117-59
__________
U.S. GOVERNMENT PUBLISHING OFFICE
46-248 PDF WASHINGTON : 2022
-----------------------------------------------------------------------------------
HOUSE COMMITTEE ON FINANCIAL SERVICES
MAXINE WATERS, California, Chairwoman
Majority members:
CAROLYN B. MALONEY, New York
NYDIA M. VELAZQUEZ, New York
BRAD SHERMAN, California
GREGORY W. MEEKS, New York
DAVID SCOTT, Georgia
AL GREEN, Texas
EMANUEL CLEAVER, Missouri
ED PERLMUTTER, Colorado
JIM A. HIMES, Connecticut
BILL FOSTER, Illinois
JOYCE BEATTY, Ohio
JUAN VARGAS, California
JOSH GOTTHEIMER, New Jersey
VICENTE GONZALEZ, Texas
AL LAWSON, Florida
MICHAEL SAN NICOLAS, Guam
CINDY AXNE, Iowa
SEAN CASTEN, Illinois
AYANNA PRESSLEY, Massachusetts
RITCHIE TORRES, New York
STEPHEN F. LYNCH, Massachusetts
ALMA ADAMS, North Carolina
RASHIDA TLAIB, Michigan
MADELEINE DEAN, Pennsylvania
ALEXANDRIA OCASIO-CORTEZ, New York
JESUS ``CHUY'' GARCIA, Illinois
SYLVIA GARCIA, Texas
NIKEMA WILLIAMS, Georgia
JAKE AUCHINCLOSS, Massachusetts
Minority members:
PATRICK McHENRY, North Carolina, Ranking Member
FRANK D. LUCAS, Oklahoma
BILL POSEY, Florida
BLAINE LUETKEMEYER, Missouri
BILL HUIZENGA, Michigan
ANN WAGNER, Missouri
ANDY BARR, Kentucky
ROGER WILLIAMS, Texas
FRENCH HILL, Arkansas
TOM EMMER, Minnesota
LEE M. ZELDIN, New York
BARRY LOUDERMILK, Georgia
ALEXANDER X. MOONEY, West Virginia
WARREN DAVIDSON, Ohio
TED BUDD, North Carolina
DAVID KUSTOFF, Tennessee
TREY HOLLINGSWORTH, Indiana
ANTHONY GONZALEZ, Ohio
JOHN ROSE, Tennessee
BRYAN STEIL, Wisconsin
LANCE GOODEN, Texas
WILLIAM TIMMONS, South Carolina
VAN TAYLOR, Texas
PETE SESSIONS, Texas
Charla Ouertatani, Staff Director
Subcommittee on Consumer Protection and Financial Institutions
ED PERLMUTTER, Colorado, Chairman
Majority members:
GREGORY W. MEEKS, New York
DAVID SCOTT, Georgia
NYDIA M. VELAZQUEZ, New York
BRAD SHERMAN, California
AL GREEN, Texas
BILL FOSTER, Illinois
JUAN VARGAS, California
AL LAWSON, Florida
MICHAEL SAN NICOLAS, Guam
SEAN CASTEN, Illinois
AYANNA PRESSLEY, Massachusetts
RITCHIE TORRES, New York
Minority members:
BLAINE LUETKEMEYER, Missouri, Ranking Member
FRANK D. LUCAS, Oklahoma
BILL POSEY, Florida
ANDY BARR, Kentucky
ROGER WILLIAMS, Texas
BARRY LOUDERMILK, Georgia
TED BUDD, North Carolina
DAVID KUSTOFF, Tennessee, Vice Ranking Member
JOHN ROSE, Tennessee
WILLIAM TIMMONS, South Carolina
C O N T E N T S
----------
Page
Hearing held on:
November 3, 2021............................................. 1
Appendix:
November 3, 2021............................................. 47
WITNESSES
Wednesday, November 3, 2021
Jain, Samir, Director of Policy, Center for Democracy and
Technology (CDT)............................................... 5
James, Robert II, Chairman, National Bankers Association (NBA)... 7
Newgard, Jeffrey K., President and Chief Executive Officer, Bank
of Idaho, testifying on behalf of the Independent Community
Bankers of America (ICBA)...................................... 11
Vazquez, Carlos, Chief Information Security Officer, Canvas
Credit Union................................................... 9
APPENDIX
Prepared statements:
McHenry, Hon. Patrick........................................ 48
Jain, Samir.................................................. 50
James, Robert II............................................. 59
Newgard, Jeffrey K........................................... 65
Vazquez, Carlos.............................................. 73
Additional Material Submitted for the Record
Perlmutter, Hon. Ed:
Written statement of the American Bankers Association........ 75
Written statement of the Credit Union National Association... 90
Written statement of the Electronic Transactions Association. 93
Written statement of the National Association of Federally-
Insured Credit Unions...................................... 95
Written statement of SentiLink............................... 102
CYBER THREATS, CONSUMER DATA,
AND THE FINANCIAL SYSTEM
----------
Wednesday, November 3, 2021
U.S. House of Representatives,
Subcommittee on Consumer Protection
and Financial Institutions,
Committee on Financial Services,
Washington, D.C.
The subcommittee met, pursuant to notice, at 10:06 a.m., in
room 2128, Rayburn House Office Building, Hon. Ed Perlmutter
[chairman of the subcommittee] presiding.
Members present: Representatives Perlmutter, Sherman,
Green, Foster, Vargas, Lawson, Casten, Pressley, Torres;
Luetkemeyer, Lucas, Posey, Barr, Williams of Texas, Loudermilk,
Budd, Kustoff, Rose, and Timmons.
Ex officio present: Representative Waters.
Chairman Perlmutter. The Subcommittee on Consumer
Protection and Financial Institutions will come to order.
Without objection, the Chair is authorized to declare a
recess of the subcommittee at any time. Also, without
objection, members of the full Financial Services Committee who
are not members of the subcommittee are authorized to
participate in today's hearing.
I want to thank our witnesses for being here today. With
the hybrid format of this hearing, we have some Members and
witnesses participating in person and others on the Webex
platform. For those of you on the Webex platform, we have had
some trouble with the timer, so I will have to step in if
people are running over their time limit. But we should be
fine.
I would like to remind all Members participating remotely
to keep themselves muted when they are not being recognized by
the Chair. The staff has been instructed not to mute Members,
except when a Member is not being recognized by the Chair and
there is inadvertent background noise.
Members are also reminded that they may only participate in
one remote proceeding at a time. If you are participating
remotely today, please keep your camera on, and if you choose
to attend a different remote proceeding, please turn your
camera off.
Today's hearing is entitled, ``Cyber Threats, Consumer
Data, and the Financial System.'' Legislation noticed with
today's hearing includes H.R. 3910, ``the Safeguarding Non-bank
Consumer Information Act;'' a discussion draft entitled, ``the
Strengthening Cybersecurity for the Financial Sector Act,'' and
a discussion draft entitled, ``the Enhancing Cybersecurity of
Nationwide Consumer Reporting Agencies Act.''
I now recognize myself for 4 minutes to give an opening
statement.
In both business and medicine, they have variations of what
is known as the ``Sutton Rule.'' And for those of you who
don't know what the Sutton Rule is, it is based on an old urban
legend about a famous bank robber named Willie Sutton. When he
was asked by a reporter why he robbed banks, Sutton casually
replied, ``Because that is where the money is.''
The Sutton Rule suggests going after the obvious target.
Banks and credit unions have long been targets for criminals,
but today's criminals don't wield Tommy guns and they aren't
only after cash. Cyber criminals also target financial
institutions to steal consumer and business data, deploy
ransomware, and disrupt services.
Ransomware attacks have been growing in frequency and
severity for years. Over the first half of this year, there was
a 1,318 percent increase in ransomware attacks on banks and
credit unions.
Consumer financial and personal data is an attractive
target for criminals. I doubt there is a person on this
committee who has not had some of their personal or financial
information exposed in a data breach. And I know I have been
impacted by multiple data breaches over the last few years.
Tech companies, financial institutions, and many other
businesses are collecting and storing more consumer data than
ever before. The 2017 Equifax breach exposed the data of 147
million people, including 200,000 credit card numbers. And in
2019, Capital One was hacked and 100 million credit card
applications were stolen.
The issues of cybersecurity and consumer data rights are
intertwined, which makes cybersecurity critical for all
financial institutions, large and small. Earlier this year, the
CEOs of the largest banks in the United States testified before
our committee. Congressman Huizenga asked them what was the
greatest threat facing our financial system, or what was one of
them, and the answers from four of the six CEOs included
cybersecurity.
Similarly, in a recent survey, 71 percent of community
bankers listed cybersecurity as a significant risk. Many
financial institutions have strong cybersecurity protections,
but such efforts don't come cheap. For some of the largest
banks, cyber defenses cost more than a billion dollars per
year.
In May of this year, President Biden issued an Executive
Order on improving the nation's cybersecurity, to enhance
information-sharing between the government and the private
sector, modernize cybersecurity standards in government,
improve software supply chain security, and make other
improvements to cyber defenses.
Additionally, the Treasury Department recently announced
new efforts to counter the rise in ransomware, including
sanctions against cryptocurrency exchanges for facilitating
ransomware payments.
The security and resilience of our financial system is not
a partisan issue. Republicans, Democrats, and unaffiliated
voters all share the desire to stop criminals from exploiting
vulnerabilities and carrying out attacks on critical
infrastructure, such as financial institutions.
I was pleased to work with my friend from Missouri, Ranking
Member Luetkemeyer, on this hearing, and I appreciate his ideas
and commitment to strengthening cyber defenses in the financial
sector. And I also appreciate working with my friend,
Representative Kustoff, on this very same subject.
I look forward to this discussion today to learn how we can
work together to improve cybersecurity in the financial sector
to protect businesses and consumers.
With that, I will now yield to the vice ranking member of
the subcommittee, the gentleman from Tennessee, Mr. Kustoff,
for 5 minutes for an opening statement.
Mr. Kustoff. Thank you, Mr. Chairman. Thank you for
convening today's hearing.
And thank you to the witnesses for appearing today, both in
person and virtually.
Without a doubt, our financial system is the envy of the
world. I think we all agree with that. To make sure it stays
that way, Republicans need to continue to embrace technology
and support innovation. We do. In fact, both sides of the aisle
do.
Private-sector innovation has led us to more dynamic and
inclusive financial institutions that are better-equipped to
serve American consumers, but bad actors continue to evolve. We
have seen cyber espionage from foreign adversaries such as
China, Russia, and Iran, and they have all spiked. And that is
why it is crucial that we remain one step ahead.
Cyber attacks pose one of the greatest threats to our
financial systems. And understanding what policies will better
protect our financial institutions and consumers remains a top
priority for this committee, again, on both sides of the aisle.
As we have seen, there are vulnerabilities in the system, and
they have to be identified and they have to be corrected.
We know that financial institutions have been one of the
leading targets for cyber criminals. Just recently, we
witnessed the Colonial Pipeline ransomware attack. Attacks of
this size are more common than ever before. And with that,
financial institutions are more mindful that a similar attack
could happen to them.
We all know that such an attack could disrupt the flow of
money to consumers, disclose closely-held personal information,
and ultimately undermine confidence in the entire banking
system.
So, again, I do want to thank the witnesses for being here
today. They face the daily challenges of cybersecurity, and I
think will provide us today with a real-world perspective.
This committee has already begun work on these important
issues. We included bipartisan cybersecurity provisions in
legislation just last year. And financial regulators are
providing Congress with more information about cybersecurity
risks.
In January of this year, Republicans issued a report which
found that the COVID-19 pandemic and related relief programs
created an environment ripe for cybercriminal activity, which
continues to threaten our financial system and American
consumers today.
As our economy recovers, protecting our financial system
from cybercriminals assumes an even more important role. And we
all know that technology is changing the way consumers and
investors operate. Online commerce is becoming the norm, and
people are working from home more than ever before. Cyber
exposure continues to grow. More work can and certainly must be
done. Private-sector innovation, not government mandates, can
lead the way. One-size-fits-all government policies won't be
the solution.
With that, I do want to thank the chairman, and I also want
to thank Ranking Member Luetkemeyer for convening this hearing,
which I think will be both informative and helpful. I look
forward to more bipartisan work on this issue.
And, Mr. Chairman, before I yield back my time, I would ask
unanimous consent to insert Full Committee Ranking Member
McHenry's remarks into the record.
Chairman Perlmutter. Without objection, it is so ordered.
Mr. Kustoff. I yield back.
Chairman Perlmutter. I thank the gentleman.
The Chair now recognizes the Chair of the full Financial
Services Committee, Chairwoman Waters, for one minute.
Chairwoman Waters. Thank you very much, Chairman
Perlmutter, for holding this important hearing on
cybersecurity.
Financial institutions have long been a top target for
cybercriminals. Several years ago, Equifax experienced one of
the largest cyber attacks, exposing the sensitive, personally
identifiable information of nearly 150 million Americans.
Government agencies and institutions are observing an alarming
increase in the volume and sophistication of cyber attacks.
According to one report, banks and credit unions experienced a
1,318 percent increase in ransomware attacks during the first
part of this year.
So, I look forward to hearing from our witnesses on ways we
can strengthen cybersecurity in the financial sector, including
understanding how small institutions like minority depository
institutions (MDIs) utilize third-party vendors to provide core
processing and software, and what vulnerabilities arise from
those partnerships that we need to address.
Thank you, and I yield back the balance of my time.
Chairman Perlmutter. The gentlewoman yields back.
It is now my pleasure to welcome each of our witnesses, and
I want to introduce our panel.
First, we will begin with Samir Jain, the director of
policy at the Center for Democracy and Technology, who is
present in the hearing room today. Mr. Jain has decades of
experience in private practice and government, including at the
Department of Justice, and as a Senior Director for
Cybersecurity Policy for the National Security Council.
Second, we have Mr. Robert James II, the president and CEO
of Carver Financial Corporation. Mr. James is also the director
of strategic initiatives at Carver State Bank, and currently
serves as the chairman of the National Bankers Association.
Third, from my great State of Colorado, we have Carlos
Vazquez, the chief information security officer of Canvas
Credit Union in Colorado. Mr. Vazquez has decades of experience
in information technology and security, and currently leads
Canvas Credit Union's efforts in mitigating cybersecurity
risks.
And finally, our fourth witness is Jeff Newgard, the
president and chief executive officer of the Bank of Idaho. He
is testifying on behalf of the Independent Community Bankers of
America. Previously, Mr. Newgard was president and CEO of
Yakima National Bank, and he is a graduate of the Colorado
Graduate School of Banking.
Witnesses are reminded that your oral testimony will be
limited to 5 minutes. I think our timer is now working. You
should be able to see a timer on the desk in front of you or on
your screen that will indicate how much time you have left.
When you have 1 minute remaining, a yellow light will appear. I
would ask you to be mindful of the timer, and when the red
light appears, to quickly wrap up your testimony, so that we
can be respectful of both the other witnesses' and the
subcommittee members' time.
And without objection, your written statements will be made
a part of the record.
I would also ask, just as a personal plea, to take your
time with your testimony, and speak as clearly as you can,
because, especially if you are on the platform, your testimony
kind of reverberates in this room. So for these ears, I just
would appreciate that.
Mr. Jain, you are now recognized for 5 minutes for your
testimony, sir.
STATEMENT OF SAMIR JAIN, DIRECTOR OF POLICY, CENTER FOR
DEMOCRACY AND TECHNOLOGY (CDT)
Mr. Jain. Thank you, and good morning. CDT is a
nonpartisan, nonprofit 501(c)(3) organization dedicated to
advancing civil rights and civil liberties in the digital
world. On behalf of CDT, I appreciate the opportunity to
testify today.
In my written statement, I discuss how the cyber threat
environment has grown more dangerous. Two of you, I think, this
morning, have already noted the statistic about a 1,318 percent
increase in ransomware attacks in the last year.
Today, I am going to briefly discuss a few of the
challenges that the financial services sector in particular
faces in addressing cyber threats, and two potential areas in
which we can make progress to better protect consumers and
their data.
Even though the financial services industry has responded
more proactively to cybersecurity challenges than most sectors,
it still remains highly vulnerable.
I will focus on three particular reasons. First, financial
institutions are highly-interconnected with one another and
with third-party service providers, which has significant
implications from a systemic perspective. A cyber attack can
spread rapidly across the financial sector as an attacker moves
laterally across institutions between financial networks.
Moreover, if many financial institutions rely on a common
vendor, a successful attack on that single vendor can have
sector-wide consequences.
A second challenge is the gap between large and small
financial institutions. The largest financial institutions have
significant in-house cyber expertise and can develop or
purchase sophisticated defensive products, but smaller
financial institutions don't have those resources or
capabilities. But they aren't immune from attack, just because
they are small. In 2020, over a quarter of breaches involved
small businesses.
A third challenge is the increasing reliance on technology.
Today, customers interact with the financial system through
networks, even for traditional banking services. As a result,
the financial sector is increasingly subject to disruption from
cyber attacks. And that is all the more true once you look
beyond traditional banks to the role of fintech, data
aggregators, and large technology platforms.
In the face of these challenges, both the government and
the private sector have sought to address cyber threats for a
number of years, but much work remains to be done.
I will highlight two areas in particular. First,
information-sharing remains a fundamental component of any
successful cybersecurity strategy, but we have learned that
effective information-sharing is hard. The most useful
information is actionable. It can actually be used by network
defenders to prevent or recover from a cyber incident. It also
needs to be as close to real time as possible so that they can
act on time. Any information-sharing needs to separate signal
from noise. Otherwise, companies may not know what information
they should pay attention to now and what they can safely
ignore or leave for later.
One step Congress should consider in connection with
information-sharing is mandating that critical infrastructure
entities report cyber incidents to the Federal Government.
Today, no government agency has a complete picture of what
institutions have suffered cyber incidents, and such
information could clearly be valuable in bolstering cyber
defenses.
A second area to which Congress should look is baseline
privacy legislation. Instead of one comprehensive set of rules
to protect personal data throughout the digital ecosystem, we
have a patchwork of sectoral laws with varying protections.
One such law, the Gramm-Leach-Bliley Act (GLBA), applies to
financial institutions. However, GLBA is inadequate to protect
consumer financial data for at least two reasons.
First, it applies only to financial institutions, a defined
term that does not capture the full range of fintech and other
technology companies and data aggregators that today process
consumer financial information.
Second, GLBA is limited in its privacy protections. It
focuses on providing notice to consumers of certain forms of
data-sharing and permits them to opt out. Yet, we all know that
consumers don't read or rarely read online privacy policies,
and that notice and consent, therefore, rests on a fiction.
GLBA effectively adopts a broad default sharing of consumer
financial information.
The time has come for Congress to enact comprehensive
privacy legislation that shifts the burden away from consumers
and imposes obligations on the entities that collect, use, and
share data. Privacy legislation should, among other things,
require an entity to minimize the data it collects and
processes, based on the purpose for which the entity needs the
data. It should prohibit the secondary use or sharing of
sensitive data, without the express opt-in consent of the
consumer, and it should include data security requirements.
Each of these steps will lower the risk to consumers from
cyber attacks by reducing the amount of data that will be
collected and shared and ensuring that whatever data is
collected is handled with appropriate care.
Moreover, a common privacy baseline that applies to all
companies will avoid the situation we have today, in which the
same data may receive some protection if processed by one
entity but less protection if processed by another.
Thank you, and I look forward to your questions.
[The prepared statement of Mr. Jain can be found on page 50
of the appendix.]
Chairman Perlmutter. Thank you, Mr. Jain. I appreciate your
testimony.
Mr. James, you are recognized for 5 minutes for your
testimony.
STATEMENT OF ROBERT JAMES II, CHAIRMAN, NATIONAL BANKERS
ASSOCIATION (NBA)
Mr. James. Thank you, Chairman Perlmutter, Ranking Member
Luetkemeyer, Vice Ranking Member Kustoff, Chairwoman Waters,
and members of the subcommittee.
We appreciate the opportunity to testify this morning on
cyber threats, consumer data, and the financial system.
My name is Robert James II, and I am the president of
Carver Financial Corporation, the holding company for Carver
State Bank in Savannah, Georgia. And I am also privileged to
serve as chairman of the National Bankers Association (NBA).
The NBA is the leading trade association for minority
depository institutions (MDIs). Our mission is to advocate for
MDIs on all legislative and regulatory matters concerning and
affecting our members and the communities we serve. Our members
are on the front lines of reducing economic hardship in
minority communities, which are underserved by traditional
banks and have been the hardest-hit by the pandemic.
MDIs are critical economic development engines in minority
and low-income communities, particularly due to our trusted
relationships in these communities. Our internal teams work
tirelessly to protect our systems and our customers from ever-
evolving cyber threats. We take these threats extremely
seriously. Unfortunately, our small scale and lack of access to
cutting-edge technology does not always allow us to move with
the speed or agility required at times like these.
A critical component of the resilience of the banking
sector and its ability to assist underserved communities is the
ability to adapt technologically. A host of different factors
are intersecting to change the banking industry.
Like most community banks, MDIs are heavily-reliant on a
handful of large technology companies that provide core
processing services for the technological systems of our
operations. These companies have no incentives to help us adapt
to the changing competitive landscape. We are consigned to
long-term contracts with punitive early termination provisions,
cannot easily plug in modern outside solutions that make it
easier for our customers to do business or secure their data,
and the fundamental technology of many of these systems is
antiquated and leaves us incapable of making rapid changes.
Because we are often the smallest clients of these giant
firms, we receive the lowest priority for service. Our bank
employees are constantly training and monitoring our internal
systems, but we do not get the latest and best technology from
the big core processors.
We saw this play out during each round of the Paycheck
Protection Program (PPP). Congress devised that program as a
mechanism to aid small businesses who suddenly found themselves
forced to close during stay-at-home orders, but a set of
conditions favored larger businesses, and disadvantaged our
banks in our communities.
Many banks only approved loans for existing customers,
delayed the applications of sole proprietorships, and didn't
allow enough time for institutions like ours to work with small
businesses through the application process. This combined to
shut out many minority-owned businesses.
Our banks found themselves sorely lacking in the technology
needed to quickly respond. Unregulated companies were able to
build technology solutions to address this market, but our
banks, reliant on the core processors, were stuck with outdated
processes that limited our ability to serve our customers.
We also need our regulatory partners to help. We need to
invest more in technology and the right people to implement it,
but these investments can result in criticism when their
earnings don't meet regulatory expectations. We can also find
ourselves in situations where local or regional examiners
impede our ability to implement new technological solutions.
Several recent industry reports have attempted to detail
how banks are responding to the challenge, whether through
investment, data management, or new strategies to engage with
customers. But with every step, there are obstacles, including
potential workforce impact or just the burden of increased cost
of technology investments.
Even as customers primarily conduct transactions over
mobile, banks are discovering that they still expect branch
service to be an option. Young consumers are also open to going
to technology firms for all of their financial services. In a
recent global survey, Accenture found that 31 percent of bank
customers would consider Google, Amazon, or Facebook if they
offered such services.
According to an FIS survey, the top 20 percent of firms are
changing policy to promote and emphasize digital innovation.
These firms are recruiting for digital technology expertise,
encouraging more open innovation across roles, and appointing
board-level roles with responsibility for digital innovation.
It is difficult for our small banks to keep up.
In conclusion, cultural shifts inside the financial
services industry, including the core processors and the
regulators, are necessary to help MDIs and other community
banks better orient ourselves to meet new customer demands.
Even though our teams are keeping our bank-side systems
very safe, we are heavily-reliant on the big three core
processors. Because of this concentration, our institutions are
saddled with complex, onerous long-term contracts that stifle
innovation in all areas, including security and identity
verification.
As the smallest banks, we get the worst service, and are
the last to get innovations. So, our banks have a hard time
competing with large banks and cannot easily offer our
customers the latest technology. Our regulators do not always
allow us to make needed investments in technology because of
pressure on earnings. These factors, when combined, leave our
customers and communities frustrated and vulnerable.
We look forward to working closely with the committee and
the subcommittee on ways we can level the playing field to
ensure that our customers have access to the latest, most
secure technology.
Thank you.
[The prepared statement of Mr. James can be found on page
59 of the appendix.]
Chairman Perlmutter. Thank you, Mr. James. I appreciate
your testimony.
Mr. Vazquez, you are now recognized for 5 minutes for your
testimony.
STATEMENT OF CARLOS VAZQUEZ, CHIEF INFORMATION SECURITY
OFFICER, CANVAS CREDIT UNION
Mr. Vazquez. Good morning, and thank you for inviting me to
your subcommittee to discuss cybersecurity. We were provided
with a few topics we would be discussing, so I would like to
speak to these.
The National Credit Union Administration (NCUA) is seeking
legislative authority to have oversight over credit union
service organizations and third-party vendors that offer
services to credit unions. The NCUA sits on the Financial
Stability Oversight Council (FSOC), yet is the only Federal
agency that currently does not have this statutory authority as
it relates to vendors that serve banking organizations.
We believe credit unions deserve a Federal regulator with
parity in this regard. Canvas Credit Union is supportive of
parity for the NCUA, if the NCUA shares its information with
State regulators and coordinates efforts with them whenever
possible.
It is important that vendors who have access to our
members' data are held to the same standards as credit unions.
It is the responsibility of Canvas to ensure that our members'
financial data is safe and secure. We expect no less from our
vendors. An additional level of comfort would be possible
knowing that our vendors would also be scrutinized by a
regulatory agency complementing our own vendor due diligence
programs.
On the efforts by government agencies to strengthen
cybersecurity defenses, data-sharing is paramount in ensuring
that credit union security departments are up-to-date in all
threats affecting the security landscape. The Cybersecurity and
Infrastructure Security Agency (CISA), the Department of
Homeland Security (DHS), and the Financial Services Information
Sharing and Analysis Center (FS-ISAC) are all doing a great job
in disseminating threat information in a timely manner.
Security webinars, conferences, and summits all provide
important security information which allows for credit unions
to remain current with the constantly-evolving threat
landscape.
In several recent summits, there was participation by CISA
and Homeland Security as either guest speakers or presenters.
Having these agencies present at these gatherings is very
helpful and important, as the discussions presented provide
vital information as well as reassurance that our government is
standing with financial institutions in their battle against
malicious actors.
One service I would like to highlight is the automated
network scanning tool provided by CISA. This free tool
complements our tool chest for security systems that monitor
and test our network. For Canvas, it is another tool to use,
but for smaller credit unions, it could be the only tool they
have. I would like to see more efforts placed on providing free
services to help credit unions with their security frameworks.
Canvas Credit Union follows the National Institute of
Standards and Technology Cybersecurity Framework (NIST CSF), as
do many financial institutions. We are thankful for the
guidance this provides on many architectures, such as zero
trust and identity management. These guidelines definitely help
credit unions in their roles of ensuring that our members' data
remains secure.
FS-ISAC is a resource that provides collaboration tools and
security education to member financial institutions. They do a
fantastic job of ensuring that those who need help, get the
help that they need.
On consumer data protection challenges, people and
technology are the challenges that credit unions face in
ensuring that our members' data is protected. Statistics show
that a massive shortage exists in skilled security
professionals, which are required to manage the sophisticated
tools in use today. Many in the security industry are working
to address this shortage by providing access to security
training at all educational levels. We would expect our
government would also be focused on addressing this skill
shortage.
Technology will constantly be changing and improving to
counter the threat landscape brought to us by the hackers bent
on breaking into our networks to steal our data for their
financial gain. Security teams are constantly on the defensive
when it comes to protecting our networks. Security tools are
improving, allowing for better detection to address
vulnerabilities, but a focus by software vendors on security at
the early stage of the development life cycle would ensure that
most of these vulnerabilities are caught prior to going live
with their product.
Vendors need to have a better focus on security of both
software development and how they store our data on their
systems. As mentioned before, vendors should be held to the
same standard as credit unions when it comes to protecting our
members' data.
In closing, cybersecurity will always be in a state of
change. Yesterday, a threat was malware, viruses, or malicious
executables inserted into our company's network. Today, as you
have mentioned, ransomware, social engineering, and supply
chain attacks are all threats today. And tomorrow, we will see
the same, plus deepfake technology, and yet-unknown
vulnerabilities in current hardware and software deployed by
companies. Quantum process, which may allow for easy compromise
of all of our current cyber technology, is an added concern as
well.
I would like to thank the subcommittee for bringing a focus
on cybersecurity, the challenges it presents, and the role all
of us have in protecting our data. It is an honor and privilege
to speak with you today, representing Canvas Credit Union.
[The prepared statement of Mr. Vazquez can be found on page
73 of the appendix.]
Chairman Perlmutter. Thank you, Mr. Vazquez. I appreciate
your testimony.
Now, our final witness, Mr. Newgard, is recognized for 5
minutes.
STATEMENT OF JEFFREY K. NEWGARD, PRESIDENT AND CHIEF EXECUTIVE
OFFICER, BANK OF IDAHO, TESTIFYING ON BEHALF OF THE INDEPENDENT
COMMUNITY BANKERS OF AMERICA (ICBA)
Mr. Newgard. Chairman Perlmutter, Ranking Member
Luetkemeyer, and members of the subcommittee, I am Jeff
Newgard, president and CEO of Bank of Idaho, a $700 million
asset community bank headquartered in Idaho Falls, Idaho, and
serving markets throughout the State. I am testifying today on
behalf of the Independent Community Bankers of America (ICBA),
where I am Chair of the Cyber and Data Security Committee.
A community bank that does not successfully navigate cyber
threats and safeguard its customers will lose their trust and
cannot remain viable and independent. To enhance cybersecurity,
we need support from policymakers in Congress, the
Administration, and the agencies.
Community banks need to be on the cutting edge of
technology to remain relevant and to compete with larger
institutions as well as newer fintechs, but we need to adopt
technology in a way that protects our vulnerable customers and
the financial system as a whole. We operate in an ecosystem
that includes all financial institutions as well as retailers,
core providers, and many others. We are all in this together.
An attack on any one node of the ecosystem is an attack on all
of the participants.
Cyber threats have evolved in recent years from criminal
attackers seeking profit to nation-states with massive
resources and technological sophistication. The threats are
greater than ever and continue to mount and evolve.
How do we manage the complexity? Ten years ago, community
bank technology was mostly provided in-house. Today, this is
simply an unaffordable option. Disaster recovery mandates as
well as new technologies, such as internet banking, mobile
banking, and imaging, have escalated the cost of cybersecurity.
In response, community banks have turned to core providers
and other large third-party providers for their cybersecurity.
At the same time, consolidation has occurred among the core
providers. Today, just three or four providers dominate the
market. This has increased their market power and leverage and,
most importantly, it has put a target on their backs. Their
connections to other institutions and servicers create a web of
vulnerability.
What do we need from policymakers? While I provide more
detail in my written statement, our recommendations form three
broad themes. First, close the gaps in law, standards, and
examination; second, create greater uniformity and
harmonization of regulatory efforts; and third, promote sharing
of information and best practices across the ecosystem.
The gaps in today's regulatory environment exist because
not all parties that process and store sensitive information
are subject to the Gramm-Leach-Bliley Act (GLBA), which
requires safeguarding of sensitive data backed by examination
to ensure compliance. Retailers and technology companies, for
example, are not subject to GLBA. Core providers and other
third-party providers as well as credit reporting agencies are
not subject to examination.
A gap in accountability also contributes to systemic
failures. When a data breach occurs, we believe that liability
for that breach should be assigned to incentivize stronger
security. The costs of a breach should be borne by the party
that incurs the breach, be that a retailer, a credit reporting
agency, or a bank or credit union. Too often, the breached
entity evades accountability while financial institutions are
left to mitigate damages to their customers.
Uniformity and harmonization will strengthen the ecosystem
by eliminating redundancy, closing gaps, and strengthening weak
links. Financial institutions are regulated, overseen, and
examined by four agencies, which, unfortunately, do not
adequately coordinate their data security efforts.
Thank you for the opportunity to testify today. My written
statement provides comments on the legislation before the
subcommittee today. And I look forward to your questions.
[The prepared statement of Mr. Newgard can be found on page
65 of the appendix.]
Chairman Perlmutter. Thank you, Mr. Newgard.
I would now like to recognize the Chair of the full
Financial Services Committee, Chairwoman Waters, for 5 minutes
for questions.
Chairwoman Waters. Mr. Perlmutter, I would like to thank
you again so much for this hearing today. And I want to thank
you for the way that you have provided leadership on
bipartisanship to deal with a serious issue confronting this
country and this world.
I want to thank the witnesses who are here today, and I
want to thank particularly, Mr. James, and of course, Mr.
Newgard, whom we have heard from today. I am so very interested
in all that we have learned about these core processors and the
lack of competition and, of course, the cost to our smaller
institutions, our minority depository institutions (MDIs), our
Community Development Financial Institutions (CDFIs), and our
community banks.
And I would just like to ask Mr. James whether or not you
agree with Mr. Newgard? He not only gave us a very vivid
description of what is going on, but he talked about
recommendations, which I was very pleased to hear. Do you agree
with the recommendations that Mr. Newgard just shared with us
and is giving us more information about?
Mr. James. Thank you for the question, Madam Chairwoman.
Yes, I actually agree wholeheartedly with Mr. Newgard. As you
stated, all of our community banks are really subject to the
whims of a handful of very large companies. And while we are,
in a sense, secure, additionally secure, because there are ways
for us to cut off access to consumer information at our bank
locations, and our staff at Carver State Bank, and I'm sure the
staff at Bank of Idaho work tirelessly, and train constantly,
to keep up with various threats and landscapes.
We are very dependent on these big core processors, and
they have almost no incentives to work with our banks and make
sure that we have the latest and greatest technology. I surmise
that we are not necessarily getting the same level of service
and attention that some of the larger institutions are getting,
because we don't get the same level of service and attention
when it comes to the customer-facing technology.
I do know that the big core processors are attempting to
keep their systems very safe, but they present a significant
amount of risk to the entire system, so I think that they need
to be subject to examination. And I certainly agree with Mr.
Newgard's recommendations.
Chairwoman Waters. Thank you very much.
Mr. Chairman, just in this short period of time, I have
heard enough from our witnesses today that leads me to believe
that we must step up our action to deal with cybersecurity,
particularly with our community banks, our CDFIs, and our MDIs,
who are at the mercy of core processors who certainly attempt
to do a good job, but I get the feeling that our smaller
institutions are at the mercy of the work that is done for the
larger institutions.
The other thing that I would like to say to my colleagues
on the opposite side of the aisle is, I can't think of a better
subject or project that we could work on together than
cybersecurity. And I want you to know that I will join with you
for whatever it costs for us to ensure that they are able to
deal with the sophisticated cybersecurity that they need.
And, we really have to speed this up. We cannot linger as
we deal with this, and then be forced to have to deal with the
fact that there has been another big breach. We have to stop
them, and we have to do it now. This is very important.
I appreciate working with the opposite side of the aisle. I
don't always, but I do now. And I think this is a great
opportunity for us to work together. Let's get busy. Let's do
it quickly, and let's make sure that our smaller institutions
have the resources that they need to do the job.
Thank you, and I yield back.
Chairman Perlmutter. I thank the chairwoman. And I
appreciate the comments about how this is a subject that all of
us need to tackle together.
And with that, I would like to yield 5 minutes to the
ranking member of the subcommittee, the gentleman from
Missouri, Mr. Luetkemeyer, for his questions.
Mr. Luetkemeyer. Thank you, Mr. Chairman. And in the spirit
of bipartisanship here that the chairwoman has set, before I
begin my questioning, I want to take a moment to thank you for
working with me in a bipartisan manner to hold this hearing
today. I know we sat down and discussed the various topics to
be able to find some common ground on, and this is one of them.
And we were able to sit down and pick the subject as well as
the witnesses. I appreciate your willingness to work across the
aisle, and I am sure nothing last night had any sort of impact
on what we are doing today.
But along these lines, Mr. Newgard, you mentioned a minute
ago something about some of these different entities that could
enable the bad guy, so to speak, to access your records, and
then the retailers or whomever escape liability for allowing
the folks to access your records and documents and data.
Would you like to expand just a little bit and explain how
that happens, and what the reaction is and the costs that are
associated with it?
Mr. Newgard. Sure. Financial institutions are subject to
examination, are subject to the GLBA. That does not go across
the entire ecosystem. That is the issue. Retailers and the core
processors are not subject to examination.
And what happens in the real world is when customers get
their information breached, and say, for example, a debit card
is compromised, we work very hard to get that account closed
and reissued. There is very little incentive from the retailer
or from the entity that was breached to help out in that
process, because they don't bear any of the cost. In fact, many
times, the consumer does not bear the cost. The bank or the
financial institution has to bear that cost. So, there is very
little incentive to work together to strengthen the entire
system. And that is the important thing, that it is an
ecosystem.
Mr. Luetkemeyer. How do you resolve that situation? What is
your suggestion on how you fix that? Do the courts need to step
in here? Do the courts need to step in and assign blame, assign
liability? Do we need to have contracts that somehow explain
where the liability lies for certain actions when they are
taken? How do you fix this?
Mr. Newgard. Yes. The retailers, the entities that are
breached need to bear the cost. They need to be responsible for
that breach. There is such a numbness within the consumer
world. You hear about breaches all the time, and people are
numb to it. There is no accountability. So, there needs to be a
cost associated with having a breach instead of just
assigning--they get out of it, basically. They sidestep it, and
we are held accountable. In many cases, financial institutions
have to pay for it.
And the consumer is numb to it. There have been cases where
I try to reissue the debit card, but the consumer really likes
the convenience and doesn't want to change cards. They would
rather have the convenience of using their card.
Mr. Luetkemeyer. Very good. Thank you. I have a limited
amount of time, so I want to move on here.
Mr. James, I appreciate you being in front of us again. I
always enjoy your comments. Thank you for being here.
The chairwoman made a comment today about the smallest
banks being vulnerable. I know you represent a lot of small
banks, and so I was curious as to a concern I have that the big
banks seem like they have unlimited resources to be able to do
whatever it takes to protect themselves. And the small banks
are really vulnerable from the standpoint that they can only
purchase the amount of protection they can afford. How
vulnerable does that leave them?
Mr. James. Thank you, Ranking Member Luetkemeyer. It does
leave us vulnerable. I walked through our bank's cybersecurity
program with our chief technology officer yesterday. And what
he explained to me is that we constantly train, we constantly
test our employees. We constantly test our own systems that are
sort of on the bank side. And because of the fact that we are
plugged into these cores, we can cut off attacks at the local
level and kind of minimize the damage.
The flip side is that it is very challenging if the core
processor gets attacked. That could shut down our ability to
provide our customers with access to their funds. That could
shut down our ability to transact business for them. So, that
is really where the challenge comes in, because of the
vulnerability of the core processors.
Mr. Luetkemeyer. So, what you are saying is that the big
guys can afford their own core processor, while the small guys
are at the mercy of the core processors, whomever they may be,
that service their needs?
Mr. James. Yes.
Mr. Luetkemeyer. Thank you. I apologize. I am out of time.
Chairman Perlmutter. The gentleman's time has expired.
I will now recognize myself for 5 minutes for questions.
And, Mr. Newgard, I was chuckling about your anecdote about the
guy who didn't want to change his credit card because it was
inconvenient. Recently, Wells Fargo notified me of some
unauthorized charges, one in Ohio, and one in South Carolina. I
said, okay, I will close my credit card and get a new one. And
then, I realized all of the different accounts that were
attached to automatic payments on that credit card, usually
when they turned off my TV, or I didn't pay for the Terminex
pest guys.
I can understand your customer saying they didn't want to
change their card, because all of a sudden it really is
inconvenient. So, we have to do our best to stop this at the
beginning. But I did appreciate my bank notifying me of these
unauthorized charges.
Mr. Vazquez, I have a question for you. In your testimony,
you call for the National Credit Union Administration to have
parity with other financial regulators regarding oversight of
third-party vendors. What are some of the challenges credit
unions face in vendor management, and how might expanding this
authority benefit credit unions such as yours?
Mr. Vazquez. Yes, sir. Thank you for that question. The
credit unions, as others have mentioned--you have small credit
unions, and you have large credit unions. And the larger credit
unions can have a very robust vendor management program while
the smaller ones cannot. And it takes a huge program to be able
to look at the vendor, review their contracts, look at their
stock and look at their security landscape to ensure that they
have the security that we have to match.
So, what we are looking for is to say that we are being
regulated to ensure that we are doing right by our members to
hold their data safe and secure. Vendors that have our data
that we contract with to better serve and provide services to
our members now have our data, but they need to have the same
security stance that we have. They need to have the same care
that we have.
So without that type of regulation, we don't have that
comfort, especially smaller credit unions, to know that we are
all on the same level field in protecting our data.
Chairman Perlmutter. Thank you.
Mr. Jain, this question may be better suited to the Science
Committee, but I am hoping you or any of the panelists might
have an answer. Somebody mentioned quantum computing and the
potential benefits or concerns that something like that might
have.
In your studies, because you have had a pretty broad
background, have you begun thinking about what quantum
computing might do to enhance security or harm security?
Mr. Jain. Thank you for that question. I think when we
think about a lot of these new technological developments,
whether it is quantum computing, whether it is the increased
use of artificial intelligence, I think the difficulty is it
can both help attackers and defenders, right? Because attackers
can use these technologies, whether it is to try to overcome
encryption or to automate their attacks and do them faster. On
the other hand, defenders also potentially could take advantage
of these technologies to help automate their defenses.
Although this is an area where I think this disconnect that
we have been talking about between large banks and large
institutions and small institutions again will come into play,
because it is going to be the large banks that can afford to
try to take advantage and deploy some of these newer
technologies, and it is going to be much harder for the smaller
institutions and banks. And so, I think this is just going to
exacerbate the sort of divide that we are seeing between the
large and the small banks.
Chairman Perlmutter. Thanks.
Mr. Jain, as we saw in the SolarWinds hack and other cyber
attacks, criminals are increasingly attempting to breach
service providers. And for minority depository institutions and
community banks, if one of the core service providers was
compromised, how many financial institutions might be affected,
if you can give us a guess?
Mr. Jain. Sure. Chairman Perlmutter, one of the beauties of
the American financial system is the diversity of financial
institutions and community-oriented financial institutions that
we have to serve customers and create those relationships.
Our institutions really need to be able to protect our
customers. On the banking side alone, there are probably 4,000
or so banks that would be vulnerable in the event of attacks on
the big core processors. And that is probably 80 percent of the
banks that are regulated that are insured by the FDIC. That is
my guess.
Chairman Perlmutter. Thank you, sir. My time has expired.
I would now like to recognize my friend from Oklahoma, Mr.
Lucas, for 5 minutes.
Mr. Lucas. Thank you, Mr. Chairman. I appreciate that.
Mr. Newgard, could you discuss how the COVID-19 pandemic
has exacerbated cybersecurity threats, and what challenges your
bank and others have seen as a result of the lost year, so to
speak, which continues?
Mr. Newgard. The biggest challenge is the mobility of the
workforce. Everybody, as was mentioned previously, went home
and worked from home. That created a vulnerability, as people
relied on working remotely. So, that has been a big challenge
as people have adapted. And criminals take advantage of that
and use that as an opportunity to create fraud, and there is
incentive to do that.
Mr. Lucas. Along that line, I guess I have to ask, is there
anything that the government can do to help institutions
address this kind of an issue? Is there additional flexibility
or is there any way to help you cope with that?
Mr. Newgard. Yes, there are several, one of which is we
talk about core providers, that we are at the whim of core
providers and that it is very expensive. These contracts are
expensive and they are long term. So if we go in, say, 2 or 3
years into a contract and determine that this is the wrong
course of action for us, that there may be a better provider,
it is very expensive to exit out of that.
If an examiner comes in and wants to weigh in on how that
can be improved, it will take years for us to get out of the
contract, and it is very expensive to do so. So, that is a big
issue.
The other thing is, there are gaps within the regulatory
environment. We have four regulators, and there is a lack of
coordination between all four, and that provides an issue for
the service providers as well, because they have four different
regulators to try to cope with, and sometimes they are not in
sync; they are at cross purposes. So, having harmonization
within the regulatory environment would be helpful.
And then finally, more information-sharing across the
ecosystem so that we can get ahead of these threats. We don't
have Top Secret clearance, so we don't have information as it
is becoming available through counterintelligence and all of
the work we are doing on the government side.
We would like to have more information regarding
vulnerabilities so that we can get ahead of it, because we feel
like we are about a half-step behind in this area.
Mr. Lucas. Mr. Newgard, continuing along this line of logic
and a very important discussion, in your testimony you discuss
that we should focus on creating greater uniformity among the
financial regulators' cybersecurity standards.
Can you expand on this and, in particular, discuss what
cybersecurity practices the Federal agencies now expect from
you?
Mr. Newgard. Yes. We are regulated by the FDIC and the
Idaho State Department of Finance. And there are other
regulatory agencies out there, including the OCC and the
Federal Reserve. So, what we comply with may not be what, say,
Wells Fargo has to comply with.
And I am not saying that one-size-fits-all, but there
should be some more harmonization so that we can have
best-in-class regulation. And this is an area where we really need to
step up and work together.
Mr. Lucas. Mr. Vazquez, could you discuss the challenges in
training employees to be prepared for cybersecurity threats?
Mr. Vazquez. Absolutely, sir, and thank you for that
question. Our employees, as with any other company's employees,
are part of our security stack, as we would say. They are part
of our tool chest. We know that they are highly targeted.
In today's world, as I mentioned in my opening, social
engineering is the easiest and fastest way for a malicious
actor to get into our network. It is cheap for them to send a
ton of emails that come through, and it just takes one click.
It is amazing how a click allows a malicious actor to gain a
foothold in and then go lateral into our critical data.
It is super important that we maintain training for our
employees, and we have done so. We test ourselves multiple
times. We work with our learning department to ensure that we
provide the materials to train our employees. We are sending
out notices via our PSAs to remind them. We just went through
the Cybersecurity Month, which highlighted the importance of
cybersecurity and the role that our employees face.
Mr. Lucas. Thank you. And thank you, Mr. Chairman.
Chairman Perlmutter. Mr. Vazquez, the gentleman's time has
expired.
I now recognize the gentleman from Texas, Mr. Green, who is
also the Chair of our Subcommittee on Oversight and
Investigations, for 5 minutes.
Mr. Green. Thank you, Mr. Chairman. I greatly appreciate
your hosting this hearing. And I thank the ranking member as
well.
I am concerned about minority banks. I happen to have Unity
National Bank in my congressional district. It is a small bank,
but it serves a niche. And we want to do all that we can to
protect all of our banks, especially these small banks that are
helping communities that otherwise might not have the same
opportunities to achieve their way of banking, because there is
no bank in the community.
Here is my question: We talk about these breaches in the
abstract, to a certain extent. We talk about the costs
associated with megabanks having all of the technology
necessary to protect themselves, whereas the smaller
institutions, such as the $100 million, or very small banks--
under $1 billion, you are a small bank; at $10 billion, you are
still small.
My question is this: What is the amount of money that we
are talking about for a small bank to properly acquire the
technology necessary to protect itself? And I say this
understanding that just for data acquisition to run the bank, I
happen to have been told that it can cost around $50,000 a
month. That is just to have the technology necessary to process
the information that you receive to make sure that you can deal
with the financial aspect of banking.
So, what does it cost? What are we talking about? I would
like to get away from the abstract and save a lot of money and
go right to a number. You don't have to be exact. Just give me
some sense of it, please. I will allow whomever happens to have
the necessary information to do so.
Chairman Perlmutter. Somebody jump in there.
Mr. James. Congressman Green, I will attempt to address it
first. You are correct in identifying the very, very steep cost
of just the basic technology.
And so we have to think about it in terms of, the cost of
the core processor is usually the second-largest cost on all of
our balance sheets, our income statements, just behind people.
And that is not including the people that it takes to run the
technology. I would surmise that you are talking about a
similar size investment in cybersecurity, which is really just
going to be cost-prohibitive.
What would be a more interesting approach would be perhaps
the regulators could actually help us. There are some
innovative things that are coming out of the FDIC. I heard the
Chair of the FDIC just yesterday talk about the idea of having
the FDIC actually pre-vet and do some vendor due diligence, on
behalf of all community banks, on fintech companies and new
technology providers, and essentially vetting those companies
so that we know that we could plug into those companies safely
and securely.
So if the regulators themselves could do something similar
to what Mr. Newgard proposed, which is to coordinate amongst
themselves but actually conduct a lot of this due diligence for
our institutions, we would not only have the opportunity to
increase the technology and improve the technology we are
offering to our customers, but also to improve the security of
that technology and keep up and compete with these large banks
that just have basically unlimited resources to devote towards
both technology and innovation and security.
Mr. Green. Thank you for your response.
Mr. Newgard. If I may, I would--
Mr. Green. Yes, sir, go right ahead.
Mr. Newgard. --add to that, is that the cost is really
based on size and what other offerings you have. Do you have
mobility? Do you have internet banking? There are all sorts of
different add-ons that you can have with those core providers,
so it is tens of thousands of dollars, and hundreds of
thousands of dollars, in some cases. And the issue that you
really hit on--
Mr. Green. Excuse me, if you don't own it but you are in a
sense leasing it--
Mr. Newgard. Yes.
Mr. Green. --is that per month?
Mr. Newgard. We have to sign a contract for years.
Mr. Green. Yes, I understand.
Mr. Newgard. Yes.
Mr. Green. Okay, but I am trying to get some sense of what
it is per month? What is it over the 10-year period? Give me
more than it could be tens of thousands of dollars but not say
per what amount of time.
Mr. Newgard. Yes. It really depends on the contract per
bank, depending on how big it is.
Mr. Green. Well, give me a general number. Just assume you
are doing all of the basics that you need. What would that be?
Just basic banking.
Mr. Newgard. It is hard to say. It would be $20,000, I
would say. But I can get you more information on specifically
what the cost is to our bank.
Mr. Green. I would appreciate it. Thank you.
Here is why I would like to know. I want to make the
argument that if we want to maintain smaller banks and keep
them in business, the government is going to have to play a
role in this. We are losing small banks at a rapid pace, and I
want to do what I can to make sure that we do all that we can
to protect them.
Mr. Chairman, thank you so much. You have been generous
with the time.
Chairman Perlmutter. The gentleman's time is expired.
I would like to recognize Mr. Posey for 5 minutes, but I
can't see him on the screen.
Mr. Posey, are you out--there you are.
Mr. Posey. Yes.
Chairman Perlmutter. The gentleman from Florida is
recognized for 5 minutes.
Mr. Posey. Okay. Thank you very much, Chairman Perlmutter,
for holding this hearing.
Mr. Newgard, cybersecurity looks something like other kinds
of menaces that we manage through government action. For
example, we have police forces to prevent crime and enforce
deterrence, but we may expect people to behave rationally to
avoid being victims of crime. In fire prevention, we may impose
fire codes on individuals and businesses and also publicly
provide a fire department to fight fires. In cybersecurity, we
apparently impose regulations on financial institutions, and we
also have agencies in government who fight cyber attacks and
cybercrime and enforcement laws.
Are we achieving the right balance between regulating
financial institutions and law enforcement to prevent cyber
attacks and protect our financial institutions and the people
that they serve?
Mr. Newgard. Yes, thank you. There needs to be more
coordination between the police force, if you will, the
regulators, and more harmonization so that we are getting the
best-in-class approach to that policing, if you will. And then,
it is not just us. That is the issue here, is that we are truly
in an ecosystem where you can focus on just the financial
institution, but you can have a breach.
And the criminals are going to go after the weakest link.
So, they are going to go after the most unsophisticated
customer or the smallest business to try to get in. And the
retailers, the other fintechs, the screen scrapers, all of
these entities are not subject to the same examination and
regulation. So the police force isn't--they are ignoring that
area where they are very focused on us, which is great, we
embrace that regulation, but it needs to be throughout the
whole ecosystem.
Mr. Posey. Thank you. When a government agency like the
Consumer Financial Protection Bureau (CFPB) imposes regulations
on financial institutions to fight cyber attacks and
cybercrime, we would expect that the agency would perform a
cost-benefit analysis or a cost-effective analysis to ensure we
are getting official regulation or at least minimizing the cost
regulation. Can you please share your experience with us in
that regard?
Mr. Newgard. The cost of the regulation?
Mr. Posey. Yes. Does the CFPB look at alternative ways of
regulating in this regard or to pick the most efficient way to
achieve the goal or do they merely impose their preferred
alternative without looking at other needs?
Mr. Newgard. I am not as familiar with them in particular.
We are regulated by the FDIC and the Idaho State Department of
Finance, and we have a great relationship with them. But they
are, again, looking for more harmonization with the OCC and the
Federal Reserve, to get best-in-class regulation.
Mr. Posey. Yes. Looking at a broad array of cybersecurity
issues, it looks like we have a number of Federal agencies
regulating financial institutions to improve security. Do you
believe it would make sense to have a single agency or a
private-sector standards bureau to design the cybersecurity
standards we impose on financial institutions? Would it help to
make cybersecurity regulation more efficient and less
redundant?
Mr. Newgard. Yes. Right now, we have a patchwork throughout
all the States, and that becomes very problematic, so having
standardization would be good. I would say that one size does
not fit all institutions, so we do need to keep that in mind,
that we are not the same as Wells Fargo. We have to keep that
in mind, but having some standardization and harmonization
would be great.
Mr. Posey. One of the clear roles of government is
protecting individual rights and especially private property
rights. Without those protections, our market economy can't
operate effectively, if it can operate at all. Is the Federal
Government investing enough resources in cybersecurity
countermeasures and law enforcement to adequately deter cyber
attacks and protect our financial institutions and the public
they serve?
Mr. Newgard. I think there is a tremendous effort on
counterintelligence. Where I live, the Idaho National Lab has a
great effort in that area. There is a lot of information out
there, but it doesn't always flow down to the smaller banks and
financial institutions. And I am a big advocate of sharing that
information throughout our entire system and in a timely way.
To learn a week later after a proposed attack is too late. We
need to be much more timely on these issues.
Mr. Posey. I see my time has expired. Thank you, Mr.
Chairman, and I yield back.
Chairman Perlmutter. Thank you, Mr. Posey.
I will now recognize the gentleman from Illinois, Dr.
Foster, who is also the Chair of our Task Force on Artificial
Intelligence, for 5 minutes.
Mr. Foster. Thank you. And, Mr. Chairman, is it likely that
there will be time for a second round of questions?
Chairman Perlmutter. I will talk to my counterparts over
here, but yes.
Mr. Foster. If you could get us a reading on that, it would
be great.
Many of our witnesses noted that small financial
institutions are becoming increasingly dependent on third-party
core processors. Credit unions in particular frequently rely on
third-party technology providers for the processes that credit
unions need, but these aren't cost-efficient to provide in-house,
particularly for smaller ones. In some cases, however,
these vendors might not follow the cybersecurity standards that
are consistent with what is required of credit unions or they
might not be familiar with the financial regulations concerning
credit unions.
Now, once upon a time, the National Credit Union
Administration (NCUA) had temporary authority to examine
third-party vendors to address, in that case, the Y2K issue, but that
authority expired in 2002. Now, recently, the NCUA, the
Financial Stability Oversight Council (FSOC), and the U.S.
Government Accountability Office (GAO) have all requested that
this authority be reinstated for modern cyber threats.
My bill that is being noticed today, the Strengthening
Cybersecurity for the Financial Sector Act of 2021, would
simply make credit unions, Federal Home Loan Banks, and
Government-Sponsored Enterprises subject to the Bank Service
Company Act, which would give the NCUA and the Federal Housing
Finance Agency (FHFA) the same oversight of third-party vendors
that bank regulators have for banks.
And I have to mention how gratified I am that at a time
when it seems like nobody is able to get along with each other
in Washington, that even above getting Democrats and
Republicans to work together, we have been able to get the
banks and the credit unions behind the support for this
legislation. So, I am very grateful for that.
Mr. Vazquez, could you describe a little more about the
need for stronger regulation of the service providers in this
area, particularly in light of the increasing market
concentration that we see in this industry?
Mr. Vazquez. Absolutely, sir, and thank you for that.
Everything you just mentioned we agree with, in that the NCUA
should have greater authority to be able to regulate our
vendors.
As mentioned before, and I think Mr. Newgard mentioned it,
the vendors seem to have a playbook where they know a breach is
coming. Breaches are coming so fast that it is almost--it
doesn't affect us as it used to. A vendor now probably has a
playbook to safely get a breach. All we have to do is wait for
the next news cycle and it will go away. We will do a little
bit of marketing to get our reputation back, and they move on.
There is nothing that prevents them from doing so.
I think that to help at least with the credit unions, to
ensure that we value our members' data, we want to make sure
that nobody has access to that, we want to ensure that the
vendors have that same feeling, that there is some kind of
process for them to understand that if they have access to our
data, it is not just a commodity to them to make money and to
move forward, but that they need to protect that data as well
as we protect the data.
Mr. Foster. Thank you. And is there a second level of sort
of correlated risk that we should be worrying about? For
example, the same way that a core provider can go down and
impact many banks, if several core providers, for example, all
use the same cloud service, they all use Amazon Web Services
(AWS) or they all use SolarWinds, would the legislation we are
proposing adequately cover the ability to look upstream and
above just directly at the core processors but the people they
are dependent on? Does it go all the way upstream, and is there
a need for it?
Mr. Vazquez. I think there is a need for that, and I will
give an example. I believe Cloudstar was just a company that
was victim of ransomware, and Cloudstar hosts in their systems
many title companies as they do their business. We work with a
title company that used Cloudstar. Because Cloudstar is a
third-party vendor, we don't have access to Cloudstar to ask
about our data that may have been on their systems.
So, we worked with our title company vendor to see if they
were affected. They were. They had to rebuild from scratch
everything that they had to do. But they could not provide us
back what Cloudstar had, what Cloudstar went through, what
Cloudstar data was affected.
Having more regulations upstream, as you mentioned, going
to the third-party contractors would definitely help us ensure
that we have the comfort of knowing that if a vendor that we
contract with subcontracts out to other areas to have their
data, that flow continues on.
Mr. Foster. Thank you. My time is up, and I yield back.
Chairman Perlmutter. The gentleman's time has expired.
The gentleman from Kentucky, Mr. Barr, is recognized for 5
minutes for his questions.
Mr. Barr. Thank you. Thank you, Chairman Perlmutter. I
appreciate your leadership in holding this very, very important
hearing.
And I appreciate the sentiments of Chairwoman Waters in
talking about the need to tackle this in a bipartisan way. I
think we can, and we should. It is overdue. This is a huge
matter.
There has been some discussion about what is the right
approach here, more harmonized regulation. I think there is a
private-sector innovation point to be made. It is not black and
white; it can be both.
But, Mr. Newgard, can you give us an example of some
private-sector innovation that has made the financial system
more secure from cyber attacks?
Mr. Newgard. Okay. Of course, our core providers, those
would be private sector, and we really, as I mentioned before,
rely on them for that innovation, almost solely. And the
fintechs are coming online. That is private sector. By the way,
we pay about--
Mr. Barr. Sorry to interrupt, but they are providing
increasingly-innovative solutions for your institution?
Mr. Newgard. Yes, absolutely. We want them to do more in
terms of innovation.
Mr. Barr. Let me ask you about regulation then. Are there
regulatory requirements that cause institutions like yours,
smaller banks, to shift more resources onto regulatory
compliance rather than investing in cybersecurity and
strengthening cybersecurity? In other words, are regulatory
compliance burdens hampering your ability to invest in
financial technology cybersecurity?
Mr. Newgard. Absolutely. The increased regulation makes it
very difficult for small banks, and that is why [inaudible] to
scale. That is why you are seeing banks consolidate.
Mr. Barr. Okay. Sorry, sir. Let me get into this issue of
core processors. And I have heard this from my constituent
community institutions, the take-it-or-leave-it kind of
contract approach, that they express--vociferously they are
expressing frustration with that. And I take seriously the
suggestion, the recommendation from both you and Mr. James
about harmonization of regulation and my colleague's
legislation to bring these third-party vendors under
supervision. I am open to that.
But my question is, the problem appears to be inadequate
competition, so how do we get more competition in financial
technology and among the core processors so you have greater
choices of contracts for these services, which would not only
bring down costs potentially, but also encourage greater
private-sector innovation in this space? And is it a concern
that more regulation on them could potentially have the
opposite effect of actually encouraging greater consolidation
among core providers, which we don't want?
Mr. Newgard. Yes. We pay $51,500 that we budget a month in
costs for our core provider with Fiserv. It is very expensive.
We rely on them for technology, but the problem is, they don't
keep up with innovation. So then, fintech comes in and provides
that solution, but they are very unproven, very new, and they
don't have the regulatory guidance, so they are at risk for
cyber attacks.
Mr. Barr. But if I could shift over to Mr. James, because I
am very sympathetic to the problem that MDIs and other small
institutions face, in your testimony, you talked about needing
to level the playing field. And my last question here is, how
do we level the playing field for MDIs and small banks? I
assume you are able to, through the Tax Code, deduct your
investments in technology as a business expense, but, clearly,
the economies of scale of your larger competitors puts you at a
disadvantage. Besides the regulatory harmonization, what else
would help MDIs and community banks level the playing field and
access the technology you need?
Mr. James. Mr. Barr, I think it is a great question. I
think some of the answer there lies in regulation, but some of
it does lie in competition and being able to access competitors
to these companies. Oftentimes, what happens is when a good
competitor comes along to one of the big core processors, they
will go and buy that company rather than allow them to grow
enough to be able to provide services to more of our
institutions.
I think we really need to look at those contracts and we
need to look at encouraging more competition so that we can
move to different providers that are more flexible and more
secure and provide our customers with better service.
Mr. Barr. Thank you. I yield back.
Chairman Perlmutter. The gentleman's time has expired.
The gentleman from California, Mr. Sherman, who is also the
Chair of our Subcommittee on Investor Protection,
Entrepreneurship, and Capital Markets, is recognized for 5
minutes.
Mr. Sherman. Naturally, this hearing is focusing on
defending ourselves from cyber attack and hacking. We shouldn't
just be focused on defense, but perhaps in classified sessions,
focused on offense, especially when we are dealing with state
actors or actors that are protected by states.
The U.S. has done little or nothing in this area. There was
action taken against Iran's nuclear program that delayed it for
a while by either Israel or the United States. Our intel
community conjures up an image that they could make the lights
flicker in the Kremlin or turn off the Internet Research
Agency's operations in Saint Petersburg; they just choose not
to.
I have no idea if that is correct, but I do know that
Congress should be fully apprised of what are our offensive
capacities, what could we do to develop them, and what should
be our policies as to whether to threaten to use them or
actually use them or maybe not.
Instead, we are here, as we are in many hearings, talking
about a shield without ever talking about a sword. If we are
not in a position to deter what some foreign governments are
doing or deliberately allowing and encouraging, we are going to
have an even bigger problem.
Turning to the private sector, we want to make sure the
private sector spends more and does the best possible job.
Basic economic theory says that the cost of a data breach
should be imposed on those who could invest in safety measures
and who should spend the appropriate amount of money and care
in safeguarding data.
When Americans focus on the issues of this hearing, their
first thought is on the big and well-publicized, and sometimes
smaller and not well-publicized, data breaches where their
personal information, particularly their credit card
information, comes into the hands of ne'er-do-wells and
criminals.
But our policy has been that if a big retailer has millions
of credit card data files stolen, they don't face any
liability. If it is a really big one, they may face some
reputational risk, but all the costs are borne by the financial
institutions.
Mr. James, would we get better investment by big retailers
in safeguarding data if it was the retailers that had to pay
the money that was occasioned by the breach?
Mr. James. Mr. Sherman, I definitely think that you would
see a renewed interest in protecting this data if some of those
retailers, who were a part of this ecosystem that Mr. Newgard
so eloquently described, bore some responsibility.
If our institution has a debit card that is breached or a
checking account number that is breached, ultimately, we bear
the responsibility for recouping that customer's funds. And
those retailers that have--particularly very, very large
retailers that have massive data operations are not really
subject to any responsibility for protecting consumer data,
certainly not the way that we are.
I certainly don't want to impose onerous costs on our small
businesses, our small customers that are retailers, but even
they are dependent on--
Mr. Sherman. I would just interrupt and say that the big
hackers are not going after the small businesses. The treasure
trove is in the big ones.
I do have a question for Mr. Vazquez. With regard to the
question of expanding the National Credit Union Administration
(NCUA) oversight of credit union third-party vendors, a primary
concern is the risks with credit union service organizations
(CUSOs). In your view, do these credit union service
organizations and vendors pose the same level of risk to credit
unions and customers? And if not, are there specific types of
risks that would be more appropriate for NCUA oversight than
others?
Mr. Vazquez. Sir, I thank you for that question. And I do
believe that they have the same type of risk. When a credit
union such as Canvas partners with a CUSO or a vendor and we
provide them our data so that our members can have a better
service, we are basically--in some areas, people would think
that we are transferring our risk to the vendor. And some
people would think that we are now hands-off with that risk. We
are expecting our vendor to take that risk. But, ultimately,
that risk still resides with Canvas. That is our members' data.
And we could try and transfer it, but it is really ours.
And we hope and expect that the vendors and the CUSOs that
have our data would maintain that same recognition of
securing that data and have the same risk that we have.
Mr. Sherman. Thank you.
Chairman Perlmutter. The gentleman's time has expired.
The Chair will now recognize the gentleman from Texas, Mr.
Williams, for 5 minutes.
Mr. Williams of Texas. Thank you, Mr. Chairman.
We have seen a wave of new proposed regulations coming out
of the Biden Administration that will cause banks to dedicate a
significant amount of money towards new compliance costs. For
smaller community banks, like the ones I deal with and most
people, this means they will have less resources available to
lend money into their communities or dedicate to cybersecurity
efforts, and bottom line, it hurts Main Street America.
Whether it is asking banks to report account information
from their customers to the IRS, or being forced to comply with
a 900-page rule coming out of the CFPB on reporting small
business loan information, these actions will force banks to
divert significant amounts of resources--there is no question
about that--because they have no clue what it is going to cost
them.
So, Mr. Newgard, can you tell us how your bank has been
adjusting with some of these potential new compliance costs
coming down the pipeline?
Mr. Newgard. Yes. It is extremely expensive and it
continues to ramp up. So, we are looking at hiring additional
people to comply with things such as Bank Secrecy Act, and all
of the other compliance burdens. And, simply, you have to get
scale in order to be able to bear that cost. That is why you
are seeing a tremendous amount of consolidation in our
industry, because it is so expensive to comply, and the burden
of the regulation continues to go up.
Mr. Williams of Texas. Well, in the end, your customer is
hurt.
As cyber threats are getting more sophisticated, there is a
need for financial institutions to understand the threats and
outages facing their third-party service providers.
Unfortunately, I have heard from some of my market participants
in Texas that the financial regulators are working on a new
rule regarding computer incident notification requirements that
could impose a significant new burden--here we go, a new
burden--on community banks.
I understand the need to have transparency in the digital
systems of the financial system to ensure that proper steps can
be taken when something else goes wrong; however, I am
concerned that the rule, as currently proposed, could both make
community banks responsible for deciphering complex cyber
incident notifications and cause market participants to share
so much information with the regulators that they will not be
able to determine what issues deserve attention.
Mr. Newgard, again, can you give us your thoughts on how we
can strike the correct balance with cyber notifications so that
banks can receive timely information from their service
providers without creating an overly-burdensome review and
reporting process for banks and, again, hurting Main Street?
Mr. Newgard. That's right. We already comply with good
cybersecurity practices, and what we would ask is for
harmonization within the regulatory bodies, and then to spread
that risk and liability to those that don't have it today: the
retailers; the core providers; and the other people within the
ecosystem. I will leave it at that.
Mr. Williams of Texas. Okay. Lastly, I have talked with
many different fintech firms in my district that have been
dealing with a patchwork regulatory system of data security
requirements coming out of different States. From my
experience, what works in California, doesn't work in Texas. I
repeat, what works in California, does not work in Texas.
Mr. Newgard, can you briefly discuss the benefits that your
institution would see should a uniform data security standard
come out of Washington? That is pretty scary.
Mr. Newgard. Yes. We are not in favor of a one-size-fits-all
approach. We do need harmonization, I will stress that
again, but definitely a one-size-fits-all approach doesn't
work.
Mr. Williams of Texas. Okay. So I would just say, in
closing, as a business person who employs hundreds of people,
and still has my business, that regulations hurt community
banks, make them sometimes not competitive, and at the end of
the day, affect your borrowers who are trying to grow their
company and put more people to work. So, regulations do not
help Main Street.
And with that, Mr. Chairman, I yield back.
Chairman Perlmutter. The gentleman yields back.
The gentleman from California, Mr. Vargas, is recognized
for 5 minutes for his questions.
Mr. Vargas. Thank you very much, Mr. Chairman. I appreciate
very much this hearing, and I want to thank the ranking member
also.
I have to say, though, there was a quip, stated something
like, ``what happened last night, of course, had no influence
on the bipartisanship.'' I have to say, for me, zero, none,
because I really don't like the Atlanta Braves or the Houston
Astros, either one of those teams. Now, if it had been the
Rockies or my beloved Padres that had won, well, then it is
different. But since they weren't there, I really don't care
too much about what happened last night.
Now, Mr. Newgard, I do want to ask you, you said that there
is very little cost to the core providers when there is a
breach. You also said the contracts are very expensive and they
are only long term. The way the market is supposed to work is,
if this is the case, there should be another actor that comes
in, another participant with innovation to bring the cost down.
Why hasn't that happened?
Mr. Newgard. The core providers are three or four. And, by
the way, we pay about--we budget $51,500 a month for that
service. So, we really push on those core providers to
innovate, and many times they are slower than we would like
them to be, and slower than our consumers and the small
businesses would like to move.
So, that is where the fintechs come in. That is why we have
a whole industry of fintech, because of innovation. The issue
is, they are not subject to regulation like the GLBA, and the
issue is they are startups, so they are brand new, and don't
have much history--
Mr. Vargas. I understand that, but I am asking why--in the
core providers, why aren't there new startups there? In other
words, why isn't there competition? That is usually what
happens in our market side.
Mr. Newgard. Yes. Mr. James stated this very well, that
once one starts up, it is purchased, so it just becomes part of
the whole. They don't even hardly let them get legs under them
before they are consolidated.
Mr. Vargas. Now, it has been interesting, because I think
Mr. Barr, and certainly Mr. Williams and others have said, ``We
don't like regulation.'' And yet, a lot of the witnesses today
seem to want to extend regulation to the core providers.
It has been fascinating to listen to what you on the
private side have said tonight. Almost everyone says that the
Gramm-Leach-Bliley Act (GLBA) should be extended, the Privacy
Act should be extended, there should be harmonization. I assume
you mean to make sure that the core providers, fintech, and
everybody else has these regulations that they don't have now.
Is that correct?
Mr. Newgard. That is correct.
Mr. Vargas. Okay. Then I do, because we always have that
fight that no regulation is good regulation. And we always
think, well, no, you have to have regulations, then we just
solve it. Going through this pandemic, a lot of banks didn't
fail because we had some good regulations.
I do want to ask Mr. Jain, if I could, government
information-sharing, you talked about that and said that we
should have more of that and it should be actionable in real
time. Could you comment a little bit more about that? Because
we do spend a lot of money at the Federal Government level with
respect to cybersecurity. What are we doing wrong?
Mr. Jain. We have talked about information-sharing for many
years, and I think we have learned that information-sharing or
effective information-sharing is hard because it is not just a
matter of sharing some isolated technical indicators.
What you really need is context and enough information in
real time and actionable information that if a network defender
receives the information, they can look at it, and they can
say, oh, here is a copy of a phishing email that is being sent
around that people are using to get access to people's
networks. I can block that email, or I can look for that kind
of email and block it.
Mr. Vargas. Mr. Jain, I am going to interrupt you just for
a second, because my time will run out. Why aren't we doing
that? I understand that part. You told us that. Why aren't we
doing that? Why can't we do that?
Mr. Jain. I think we are getting there. I think it has
taken us a while to realize that is what we need. And I think
some of the innovations coming out of CISA, around the joint
collaborating center that they just announced, I think is
moving in this direction. But I think it is going to take more
resources trying to get it economy-wide, and it is going to
take time. So, I think we are moving in that direction, but we
still need more time to get there.
Mr. Vargas. Yes. I only have 4 seconds left. The only thing
I would say is, ``Go Padres!''
Thank you, Mr. Chairman.
Chairman Perlmutter. Okay. The gentleman yields back on
that note.
And the gentleman from Georgia, Mr. Loudermilk, is here to
talk about the Atlanta Braves, I will bet, but he is now
recognized for 5 minutes.
Mr. Loudermilk. Mr. Chairman, I appreciate my colleague
from California. And I understand that there was no California
team good enough to make it to the World Series, so I
understand why he was not affected by the game last night. But,
``Go Braves! Go Braves, America's team!'' And, by the way, Mr.
Chairman, the Braves are in my district, so we are celebrating
here today.
Chairman Perlmutter. Okay. The gentleman gets an extra 30
seconds because the Braves were in his district.
Mr. Loudermilk. Thank you, Mr. Chairman. I will use it
wisely.
Cybersecurity and cyber threats is one of the issues that I
have been working on since I have been in Congress. I spent
some time in the military, in intelligence. Of course, security
is a big issue for those in that field, especially protecting
the data, the information that we have. I also spent 20 years
running and owning an IT business, where, again, security was a
main concern for our customers and we wanted to make sure that
their networks were secure.
However, being here in Congress, I see that quite often, we
will take one step forward and two steps backwards. Sometimes,
we will go six steps backwards. I am going back to some of the
basic tenets of what it means to secure data, and one of the
primary tenets that we were taught in the military, and that I
have kept throughout my businesses is this one principle: You
don't have to protect what you don't have. You don't have to
protect what you don't have, meaning, do not keep something
that could be vulnerable just for the sake of having it.
And what we do here in the Federal Government, through
mandates and regulations, and especially the idea that is being
proposed right now for the banks to spy on everyone's bank
account, and then all of that information by small
institutions, large institutions, whatever is going to be sent
to the Federal Government, which is, again, data that they
don't need and they don't need to have.
And we have seen this continual flow of taking on more and
more responsibility, the government either forcing businesses
to keep data that they really don't need or forcing the
businesses to send it to the Federal Government, which is a
huge cybersecurity risk in itself, in my opinion.
So, I think we take one step forward and several steps
backwards in trying to figure out better ways of securing data,
where the bad guys are always going to be one step ahead of
you, and when we really don't need to have this data to secure.
Another issue that I have been working on is the need for
some type of uniform national data security breach notification
standard. One of the issues is we have so many different
standards throughout the nation that institutions have to
comply with, various State laws, and those are often
conflicting with the Gramm-Leach-Bliley Act and other Federal
requirements, and it adds unnecessary complexity to the
cybersecurity efforts, in my opinion.
So, Mr. Newgard, if banks were able to operate under a
single set of rules, would that allow you to spend more of your
time and resources defending against cyber attacks?
Mr. Newgard. Yes, having harmonization within the
regulatory bodies would help significantly. And then
voluntarily, we ask to share that breach information. And what
we really need is to have more information shared from the
government to us. I loved your comment about having too much
data sent. That doesn't make sense. I think you are spot on
there.
Mr. Loudermilk. That is one of the areas that we just tend
to gloss over, and I have been bringing this up over and over
in this committee, is that we keep talking about cybersecurity.
We have put the onus on the businesses to be more secure, but
then we require them to take more and more information, which
they don't need to be taking. So, I appreciate that.
Another issue I have been focused on is payments fraud.
Point-of-sale payments fraud has significantly declined, thanks
to the adoption of chip technology, but the problem has shifted
toward digital payments.
Mr. Vazquez, what are credit unions doing to enhance the
security of digital payments?
Mr. Vazquez. Thank you, sir, for that question. We partner
with CO-OP Financial Services for our digital payments, and we
work with them to ensure that they are monitoring for fraud.
And we have a department ourselves that monitors for fraud.
Even though we spend quite a bit of money on my area, which
is cybersecurity, we do spend the same amount of money in our
fraud area to make sure that we have the right tools and the
right people to monitor it. And it is important that the tools
that we have are real-time tools, so that they are not a day
old and the fraud that is happening isn't escaping while we are
waiting for the information to come in. We are working with our
vendors to ensure that the data we have is in real time so we
can prevent the fraud.
Mr. Loudermilk. Thank you. I see my time is expired, so I
will submit my other questions for the record. But thank you,
Mr. Chairman.
Chairman Perlmutter. The gentleman's time has expired. And
we should all applaud the Braves. They played a good game last
night.
We have Ms. Pressley next, and then Mr. Rose, and then, if
you wish, we will do a second round.
I am also going to make a suggestion that, Mr. Loudermilk,
you get together with Mr. Foster and talk about this kind of
stuff, because I think between the two of you, and after
listening to this panel, we are going to have some good ideas
as to what we should do.
So now, I would like to recognize the--
Mr. Foster. Mr. Chairman, Representative Loudermilk and I
are already primary sponsors of some key legislation on digital
identity.
Chairman Perlmutter. See? Okay, good. It is already
working.
Mr. Foster. Your wish is our command.
Chairman Perlmutter. Okay. I would now like to recognize
the gentlewoman from Massachusetts, Ms. Pressley, who is also
the Vice Chair of this subcommittee, for 5 minutes.
Ms. Pressley. Thank you, Mr. Chairman. You forgot to
mention in my introduction, ``and the Congresswoman for the
Massachusetts Seventh District, proudly representing the Boston
Red Sox.''
Thank you, Mr. Chairman, for convening this important
hearing.
Chairman Perlmutter. I apologize.
Ms. Pressley. That's okay. Let the record reflect that.
But in all seriousness, through the first half of this
year, banks and credit unions experienced a 1,318 percent
increase in ransomware attacks, where attackers held private
data hostage, and threatened to publish it should the victim
not pay. You heard that right, 1,318 percent. So, this is a
substantial and immediate threat to consumers in our financial
system that really does require a substantial and immediate
response.
The largest financial institutions devote tremendous
resources to addressing cyber risk, yet smaller, regional, and
community financial institutions don't have those resources or
capabilities, even though cyber attacks on smaller institutions
can also harm consumers and cause serious disruption. In fact,
in 2020, over 25 percent of cybersecurity breaches involved
small business victims.
So, Mr. Jain, what sorts of challenges do financial
institutions face in the prevention and detection of these
attacks, especially when it comes to smaller, regional, and
community financial institutions?
Mr. Jain. Thank you for that question. I think they face a
number of challenges. As we have talked about, they have
significantly fewer resources, obviously, than the big players,
both in terms of monetary resources to invest, but also in
terms of access to in-house expertise. We have a shortage in
the cyber workforce, I think, around this country, and so
smaller institutions in particular, I think, have a harder time
getting the in-house expertise they need.
The information-sharing, as we have talked about, is
important. And while the big institutions are able to, for
example, have people in the government centers that are
designed for information-sharing, that is obviously not
possible for the smaller institutions. And so, finding the
right ways for information to get to smaller institutions in a
way that is actionable in real time remains, I think, a
challenge.
And then, I think, in many ways, smaller institutions have
a greater dependence on vendors and other service providers
because the big banks can provide a lot of these capabilities
or develop them in-house. And as we have talked about, vendors
create all sorts of security problems.
Ms. Pressley. Thank you, Mr. Jain. And just building on
that, I think that certainly makes the case for exactly why we
need to address the fact that there are nearly 500,000 unfilled
cybersecurity jobs across the nation. And this is why the Build
Back Better Act makes these robust investments in cybersecurity
workforce development with training opportunities at community
colleges, Historically Black Colleges and Universities (HBCUs),
and for our veterans.
The Biden Administration is partnering with private
companies such as IBM, headquartered in my district, which is
committed to training more than 150,000 people in cybersecurity
skills over the next 3 years, working with more than 20 HBCUs
to build a more diverse cyber workforce.
Mr. Jain, just sticking with you for a moment here, how
will these investments that I just enumerated help our nation
combat growing cybersecurity risks in the financial services
sector?
Mr. Jain. I think it is crucial because, as you say, we do
have a huge shortage of cybersecurity workers. And our system
is set up where we are expecting every business, every small
business to have that kind of cybersecurity expertise, and so
that mismatch creates a real problem.
And, obviously, when you have that kind of shortage, just
the basic law of supply and demand means that they can--
cybersecurity workers can demand really large salaries, which,
again, becomes a handicap for smaller institutions. So, I think
there is no doubt that one part of this has to be to increase
our cyber workforce.
Ms. Pressley. Thank you, Mr. Jain. And before my time
totally runs out, yes, these investments are certainly
necessary to ensure that we have an equitable recovery to
provide those good-paying jobs and to diversify this sector.
Transitioning to the issue of consumer justice and
cybersecurity, under the Gramm-Leach-Bliley Act, covered
financial institutions must inform customers of their data-
sharing practices and allow customers to opt out of sharing
their information with third parties. But most consumers, as
you all know--we are consumers ourselves--don't have the time
to read privacy policies and others may not understand the
policy, or that they even have opt-out rights. So as a result,
many of these folks are not opting out.
Mr. Jain, you argue that this opt-out system places the
burden of privacy protection on the individual consumer and
that the result of this shortcoming is that the GLBA
effectively adopts a default of broad sharing of consumer
financial information. So, how would you recommend that
Congress change this data privacy burden so that more of it
falls on the companies and not the consumer?
Mr. Jain. Yes. I think we need to move away from this idea
of notice and consent, that as long as consumers have notice,
we have this fictional idea that they have consented, and start
imposing some basic obligations on the entities that are
collecting and processing this information, so among other
things, to require them to only collect the information they
really need to provide the product or service for which the
individual signed up.
And if they want to use it for another purpose, then they
have to come back to the consumer and say, hey, we want to
share your data for this reason, is that okay? And if the
consumer then expressly opts in, fine, but not sort of default
to sort of, hey, we can hide this stuff in the privacy policy,
and if you don't take the time to read it and check this box to
opt out, we can do what we want.
Chairman Perlmutter. Thank you. The gentlewoman from
Boston's time has expired.
Ms. Pressley. Thank you.
Chairman Perlmutter. The gentleman from Tennessee, Mr.
Kustoff, is now recognized for 5 minutes.
Mr. Kustoff. Thank you, Mr. Chairman, and thank you again
for convening today's hearing. And thank you again to the
witnesses.
And, Mr. Jain, thank you for personally appearing today.
Mr. Jain, if I could ask you, going back to your prior life in
government, both with DOJ and the National Security Council,
can you compare and contrast, if you will, how the cyber threat
environment has changed from the time you left the government
to now?
Mr. Jain. Yes. I think it has become more problematic. I
think we are seeing an increased number of sophisticated cyber
actors, not only nation states, but increasingly, criminal
enterprises that have access to sophisticated capabilities. So,
in that sense, it has become significantly more challenging.
We are also seeing more brazen attacks. Previously, 5 or 10
years ago, most of the attacks you saw were either things like
denial of service or theft, whether it was of information or
even money. But today, we are seeing so many more attacks that
are actually disruptive, operationally disruptive, as we saw
with the Colonial Pipeline and the likes, where they are really
attacking critical infrastructure and really disrupting
people's lives and basic services that people need. So I think
in that respect, it has actually become a more serious problem
for us.
Mr. Kustoff. And if I could, Mr. Jain, specifically about
financial institutions, can you characterize how the threat or
threats have changed during the time you left government to now
as it relates specifically to financial institutions?
Mr. Jain. Sure. One obvious change has been the rise of
ransomware. I think a number of you have now mentioned the
statistic about the 1,300 percent increase in ransomware
attacks on banks. And that, in a financial institution context,
obviously has major issues because it means that consumers, for
example, may not be able to access their accounts or may not be
able to use banking and financial services in a timely manner
when they really need it. So, I think that is one example of
where it has really had an effect.
And I also think it is important to recognize--we have
talked a lot about the financial system as an ecosystem, but it
is not only a financial ecosystem, but it is a broader
ecosystem than that. For example, financial institutions rely
on power, so to the extent that power companies and utilities
are at risk for cyber attacks, that is going to have a
downstream effect on financial institutions as well. And so,
the risk to critical infrastructure broadly affects all
companies, including in the financial institutions space.
Mr. Kustoff. Thank you, Mr. Jain.
And, Mr. Newgard, if I could maybe follow up on what Mr.
Jain just talked about as it relates to the ecosystem, and, of
course, you mentioned that interconnected ecosystem in your
written testimony. Can you talk about that, and how an attack
on big banks ultimately could filter down to smaller banks and
community banks, et cetera?
Mr. Newgard. Sure. An attack on any financial institution,
whether it be a large bank, whether it be a credit union or a
small community bank, impacts significantly the overall
financial system, and it hurts trust and it hurts communities.
Mr. Kustoff. Essentially, it is a domino effect. One attack
on the large or larger banks is a domino to other banks down
the ecosystem.
Mr. Newgard. That is right, certainly. But I would also say
that an attack on a service provider, a core provider, if they
get in there, if a perpetrator gets in there, look at how many
community banks would be affected. We are talking about
thousands of community banks and communities being affected by
an attack on them as well.
Mr. Kustoff. So, not necessarily a direct attack on a
community bank or a smaller bank, but from a best-practices
standpoint, what could a community bank do to protect itself
against attacks at larger financial institutions or banks?
Mr. Newgard. I would say having the harmonization of the
regulators and also having those service providers be examined
and have them be accountable to those requirements, because the
bigger institutions have their own cores, if you will. They do
a lot of this in-house, where we are reliant on third parties.
Mr. Kustoff. Thank you. My time has expired. I yield back.
Chairman Perlmutter. The gentleman yields back.
Another gentleman from Tennessee, Mr. Rose, is now
recognized for 5 minutes.
Mr. Rose. Thank you, Chairman Perlmutter and Ranking Member
Luetkemeyer, for holding this hearing, and to our witnesses for
being here with us today.
Unfortunately, cyber attacks across Tennessee and our
nation are on the rise. While the ransomware attack that
targeted the Colonial Pipeline, and the cyber attack on JBS in
the meatpacking sector, have dominated the headlines this year,
there have been countless other attacks affecting millions of
Americans, and the financial sector in particular is routinely
a major target of malicious cyber actors.
In order for our nation to meet the unique challenges posed
by cyber attacks, it is essential that we have an adequate
number of qualified cybersecurity professionals. However, it is
becoming increasingly clear that there is a substantial
shortage of qualified cybersecurity professionals in this
country.
According to the data gathered under the Commerce
Department grant, and as Representative Pressley just pointed
out, there are nearly 465,000 unfilled cyber jobs in the United
States. To help combat the shortage of cybersecurity
professionals, the Department of Homeland Security and the
National Security Agency have designated centers of academic
excellence in cybersecurity.
I am proud to represent one such center of academic
excellence in my district. The Cybersecurity Education,
Research, & Outreach Center located at Tennessee Tech
University in Cookeville, Tennessee, my alma mater, was
established in 2015 in an effort to integrate university-wide
initiatives in cybersecurity, education, and research.
One of the goals at the Tennessee Tech Center of Excellence
is to help supply highly-trained students to the cybersecurity
workforce. While I think we can all be appreciative of the work
being done at Tennessee Tech to help fill these critically
important jobs, there is clearly more work to be done.
Mr. Newgard, as the Chair of the Cyber & Data Security
Committee at the Independent Community Bankers of America,
would you talk a little about the challenges the financial
sector faces when it comes to recruiting qualified
cybersecurity professionals?
Mr. Newgard. This is a huge issue, and I would say that
Governor Little from Idaho has created a cybersecurity task
force to address some of these workforce issues.
This is bigger than we realize, because as the threat
continues to increase, so does the demand for cyber
professionals. We need more people. The issue within the
financial institutions is our ability to pay for these talented
people, because they get scooped up by other entities that are
bigger and can pay larger salaries. So, it is a challenge to
keep and attract good talent in the cyber area.
Mr. Rose. Thank you, Mr. Newgard. I have spent my career in
the IT training space, and have spent quite a bit of time
through my own business helping to train cybersecurity
professionals. And one of the old sayings we had in that
industry is, if you train your employees--and you make
reference to this--if you train your employees, they will leave
you and go on to better opportunities. The only thing worse
than that is not training them and having them stay. And I am
sure, Mr. Newgard, you probably agree with that.
Mr. Jain, I would also welcome your input here regarding
any challenges that you see when it comes to recruiting
qualified cybersecurity professionals.
Mr. Jain. Sure. As Representative Pressley alluded to, I
think one of our challenges is making sure that we are drawing
from our entire citizenry in terms of encouraging them to enter
into the cyber workforce. We know that for a long time, for
various reasons, women and girls have been more reluctant to
get into technology. And we know that minorities sometimes
don't see the same opportunities.
So, I think part of the solution to increasing the number
of cyber workers that we have is making sure that we are doing
everything we can to reach out and provide the opportunities
really across-the-board to everyone, including underrepresented
communities, because I think that is going to be critical in
order for us to actually get the number of cyber workers we
need.
Mr. Rose. I am wondering, Mr. Jain and Mr. Newgard, if you
believe that there is adequate credentialing or verification of
the talents and capabilities of cybersecurity professionals
today, or if you think there is more work to be done there? I
mentioned the program at Tennessee Tech, but, historically,
there has been some question about whether our cybersecurity
professionals really know their stuff. Could you all comment on
that in the remaining seconds we have?
Mr. Newgard. Sure. I am a big fan of certifications. I
think certifications keep up quite well. We just need to have
the workforce to do that, and potentially grants to help fund
those.
Mr. Jain. And I would just add in 2 seconds that I think it
is also important to recognize that we shouldn't just assume
that to be a cybersecurity professional, you need a computer
science degree. I think we need to have different kinds of
certifications and recognize that different kinds of skills can
be useful.
Mr. Rose. Thank you both.
I see my time has expired. And thank you, Chairman
Perlmutter, for indulging me.
Chairman Perlmutter. The gentleman's time has expired.
The gentleman from Florida, Mr. Lawson, is recognized for 5
minutes.
Mr. Lawson. Thank you, Mr. Chairman.
And I would like, again, to welcome everyone to the
committee. This has been quite interesting. And I would like to
thank Ranking Member Luetkemeyer also, because this issue is
critical now.
My question is going to go to Mr. Newgard first. As you
know, we are in an age where there is an increased reliance on
technology, and with that comes an increased need to protect
consumers' sensitive data. Financial institutions are pairing
with technology services to provide other third-party vendors
that are not versed in Federal regulations that protect
consumers.
Based on your experience, do you believe programs that help
close the gaps and establish digital cybersecurity
infrastructure plans will be utilized by financial
institutions?
Mr. Newgard. We are extremely reliant on third parties, and
so anything that can make them more accountable is good. The
other thing is, as part of this ecosystem, having retailers,
core providers, everybody else within that ecosystem made
accountable for consumer information and the liability
associated with that as well. If they have a breach, they have
to pay. That would go a long way.
Mr. Lawson. Okay. Thank you.
And, Mr. Jain, it has been stated that cybercrimes could
cost the world up to $10.5 trillion annually by 2025, which is
right up the way. With cybercrime cases on the rise, how can
Federal policy help aid and recovery for financial institutions
that are victim to cyber attacks? Most of the proposed
solutions today discuss preventive measures, but what action
can we take to shape policy that would help mitigate the
staggering effect of a data breach and help financial
institutions effect recovery?
Mr. Jain. Just to give a couple of examples, I think one
thing that we should be thinking harder about from a policy
perspective is whether there are points in the ecosystem where
imposing requirements or requiring certain security practices
can have benefits that sort of propagate across the ecosystem.
If you think, for example, of software providers or
internet service providers, to the extent they up their
security game, they eliminate a bug or a bug doesn't get into
software, that has benefits that propagate across the whole
ecosystem.
If you think of a program like Windows, when Windows has a
problem, it affects everybody. But if we can fix it or we can
create incentives so that commonly-used software providers or
internet service providers who are serving tens of thousands of
customers, if we can incentivize them to up their security
game, that has benefits for everybody throughout the ecosystem.
So, I do think one thing that we should be thinking harder
about is identifying those kinds of points in the ecosystem,
what we can do there to improve security and sort of benefit
everybody?
Mr. Lawson. And the $10 million question that is always
asked, Mr. Jain, is, what action could Congress take to improve
cybersecurity and prepare to respond to attacks on the
financial system, which may impact the entire community and
other sectors of our economy?
Mr. Jain. One action, as I mentioned before, that I think
Congress should take is to adopt Federal privacy legislation,
because I think it really gets to a point that Representative
Loudermilk made earlier, albeit from a different perspective,
which is that if you have privacy legislation that, for
example, requires providers to minimize the amount of data that
they are collecting, minimize the amount of sharing that they
do, that means there is just less data sloshing around the
whole ecosystem so that if there, in fact, is a breach, there
is less data that is being taken or fewer people's data that is
being taken.
I actually think there is a really strong link between
privacy legislation on the one hand, and reducing the negative
effects of data breaches and the like on the other hand.
Mr. Lawson. My time has almost run out, but I wanted to
leave with you, is cybercrime international in scope with other
countries now?
Mr. Jain. Oh, absolutely. I think cybercrime is definitely
international and requires international solutions for that
reason.
Mr. Lawson. Okay. With that, Mr. Chairman, I yield back.
Chairman Perlmutter. The gentleman yields back.
The gentleman from South Carolina, who is also the Vice
Chair of the Select Committee on the Modernization of Congress,
Mr. Timmons, is recognized for 5 minutes.
Mr. Timmons. Thank you, Mr. Chairman. I appreciate you
holding this hearing. This is extremely important.
And I am just going to begin--I am actually not going to
ask questions during my first 5 minutes, because I am going to
take advantage of the second 5 minutes. But please listen to
just how I am going to frame this.
In 2012, the Obama Administration proposed the
Cybersecurity Act, that would largely address critical
infrastructure. It failed. The Democrats at that time had a 58-
seat majority. And the right didn't like it because it was
overly prescriptive. It was too burdensome on businesses. And
portions of the left didn't like it because of privacy
concerns. It was too invasive.
So, let's talk about what has happened since then. We have
had billions and billions of dollars worth of damage from
cybersecurity breaches, both in the business community and in
government: Epsilon; Target; Home Depot; Experian; T.J.Maxx;
Sony; the Department of Veterans Affairs; and the U.S. Office
of Personnel Management (OPM). They are increasing in number,
and they are increasing in disruptive capacity.
Most recently, Colonial Pipeline, which affected my
district, resulted in 75 percent of the gas stations in the
Fourth Congressional District of South Carolina not having any
gas. They did not have any gas. And I was getting calls all the
time. And this is because they didn't have dual-factor
authentication on their logins. So, this is basic stuff.
The EU passed the General Data Protection Regulation (GDPR)
in 2016. A lot of people think that was overly prescriptive. It
has created a lot of challenges. California has done the
California Consumer Privacy Act (CCPA). That was in 2018.
Colorado just signed one into law in 2021. Legislation is
currently pending in Massachusetts, New Jersey, North Carolina,
Ohio, and Pennsylvania.
If we are going to try to do something in Congress: one, we
are kind of late; and two, think about how challenging it is
going to be. It would go through at least eight committees in
the House, and probably five or six in the Senate. We don't
need to just address the financial services component of
cybersecurity and data privacy; we need to address the whole of
the economy and the Government of the United States.
This is going to become increasingly problematic. And I
know that we generally only legislate in crisis moments, but we
have an opportunity to get ahead of that. And there are a lot
of different ways you can try to craft legislation that would
accomplish this objective, but I don't know if we have the will
to do it because committee jurisdiction people are very
protective of their committee's jurisdiction. There is a
possibility of perhaps doing a joint select committee on
cybersecurity.
We have to find a way to get everybody's buy-in before we--
it needs to be a collaborative process, because the perfect
will always be the enemy of the good, and we have to get the
experts to write this legislation.
And it needs to be self-updating. We can't keep coming back
and addressing every new development in technology. We don't
have the ability--Congress doesn't do things like that.
So, we are going to get to the questions in my next 5
minutes, but one other thing I want to point out is preemption.
What do you think the California delegation is going to do when
we say that we are going to do away with the CCPA by Federal
preemption, we are going to get rid of the law they have worked
so hard on? They are going to go crazy.
But we can't have a patchwork framework of regulations. It
would create such an incredible regulatory burden, such a
compliance burden for your banks and your credit unions and for
all of the businesses.
And I guess I am going to end with this: We are only as
good as our weakest link. Small businesses or larger businesses
that are breached, let's just use--we will go with Target or
Home Depot. How much money do you think the banks had to spend
to reissue tens of millions of debit cards? That is a
compliance cost which is then passed along to the end users, to
the customers.
This affects so many people. It affects every aspect of our
economy, every aspect of our government. We are ill-equipped as
a body to address it. We are running out of time.
So, that is the doom-and-gloom approach that I am going to
begin with, and I am going to ask questions in the second
round. But I look forward to you all weighing in on that
assessment of the situation.
And with that, Mr. Chairman, I yield back.
Chairman Perlmutter. The gentleman yields back.
And to close out this initial round of questioning, we will
have Mr. Torres from New York ask his 5 minutes of questions.
Then, with the witnesses' indulgence, I assume that Mr. Foster
and Mr. Timmons would like to ask some questions in a second
round, and anybody else--Mr. Lawson, Mr. Torres, you are
welcome to do the same.
With that, I yield to the gentleman from New York City, Mr.
Torres, for 5 minutes.
Mr. Torres. Thank you, Mr. Chairman.
SolarWinds serves as a wake-up call about the vulnerability
of the software supply chain. A malicious actor can target a
computer network of a financial institution, not only directly,
but also indirectly via the supply chain. So, we have a
critical interest in securing the vulnerable supply chain that
supports the financial system.
My first question is for Mr. Newgard. Big banks like
JPMorgan can invest a billion dollars a year in cybersecurity.
Do small banks have sufficient resources for cybersecurity, in
your estimation?
Mr. Newgard. We do a very good job, I would say, as an
industry. What we have done is relied on our core providers,
because we simply don't have the ability to have all the
redundancies and security at that level that the core provider
does.
I have actually toured those facilities, those data
centers, and they have very robust redundancies and security
that we couldn't provide.
Mr. Torres. Thank you. If I can just interject for a
moment, what percentage of a small bank's budget typically goes
toward cybersecurity?
Mr. Newgard. Just on the core side, we spend $51,500 a
month, and that is just on our core provider. We have a whole
department dedicated to cybersecurity and IT into the hundreds
of thousands of dollars.
Mr. Torres. And, Mr. Vazquez, same question for you. Do you
feel credit unions have sufficient resources for cybersecurity,
and what percentage of a credit union's budget, on average,
goes toward cybersecurity?
Mr. Vazquez. Yes, sir, thank you for that question. I feel
I can answer the same. Credit unions, both large and small, are
doing the best they can with the resources they have to
mitigate the cybersecurity risks.
For us, I can't tell you exactly what the percentage is,
but I can tell you that just our cybersecurity budget for tools
that we need to ensure that our data is safe is close to a
million dollars. That does not incorporate the cost of the
employees, and as mentioned earlier, that cost continues to go
up as we fight for the right resources to get the right people
in to manage these sophisticated tools that we have.
A lot of smaller credit unions don't have the budget that
we have. I am very, very thankful that our board and our
executives are all bought in with cybersecurity and provide
that budget for us to be able to buy the right tools, train our
people, and ensure that we are doing the right thing.
Mr. Torres. Mr. Newgard, you are the head of a bank,
correct?
Mr. Newgard. CEO.
Mr. Torres. Do you typically assess the cyber hygiene of
your technology service providers before hiring them or doing
business with them?
Mr. Newgard. Yes. We have an extensive vendor due diligence
that we go through, and in the cyber area, we are increasing
our level of reliance on them. We just went to a managed
Security Operations Center (SOC) with DefenseStorm recently,
which is a cost, but gives us more security.
Mr. Torres. Do you know if all of your technology service
providers have a chief information security officer?
Mr. Newgard. Do I know if they have them? Yes.
Mr. Torres. Do all of them have multi-factor authentication
(MFA)?
Mr. Newgard. I couldn't answer that broadly. I don't have
knowledge of all of the providers.
Mr. Torres. Do all of those technology service providers
have third-party assessments of their cybersecurity practices?
Mr. Newgard. I believe so.
Mr. Torres. And, Mr. Vazquez, do you know if credit unions
typically assess the cyber hygiene of their technology service
providers before doing business with them?
Mr. Vazquez. Yes, sir, we do. Fortunately, for Canvas, we
do have a very robust vendor management program, and that
allows us to query our vendors with contracts, ask for their
SOC information, ensure that they are following the same
practices that we expect them to.
To answer an earlier question, most do have MFA. Some still
only have a single sign-on using a password. And,
obviously, we fight to have them change that, but not all
vendors will do that. But, yes, we have them.
Mr. Torres. My time has expired, and it might be easier
said than done, but if I were a credit union or a bank, I would
never do business with any service provider that did not have
multi-factor authentication. That is the barest standard of
cyber hygiene in the 21st Century.
I yield back.
Chairman Perlmutter. The gentleman yields back.
We will move to a second round. And, with that, I yield to
the gentleman from Illinois, Dr. Foster, for 5 minutes.
Mr. Foster. Thank you, Mr. Chairman.
I guess this is probably best for Mr. Newgard or Mr.
Vazquez: Is the list of the market shares of all of the core
processors publicly available? Are they well-known firms or are
they sort of specialist firms? Just if you could, we will be
asking--yes.
Mr. Newgard. Yes, they are pretty well-known. Fiserv is the
one that we use, but there are about three others that dominate
that area.
Mr. Foster. Okay. If you could respond for the record, just
so we get a feeling who the big players are in that?
Now, Mr. James, Mr. Newgard, and others, you mentioned
problems with the noncompetitive markets for core processors,
partly due to a consolidation, but also due to vendor capture
due to the high cost of switching vendors for core processing.
This strikes me as very much like the market for electronic
health records, which will effectively capture hospital chains
or doctors' offices because of the high cost of switching over
to a different competitor for these systems.
So, one of the things that we have attempted to do in
Congress to make a more competitive operation is to have data
portability standards and interoperability standards so that it
is more realistic to switch vendors on this.
Is there a need for something like this in this market, so
you can make it a realistic threat to jump to a competitor?
Have there been any discussions on this?
Mr. James. I will jump in, Mr. Foster, and give you a quick
example. We had one of our members, a Black-owned bank, that
purchased another Black-owned institution that was not doing
quite as well, and they just closed on the merger about 3 weeks
ago.
The purchasing bank was on one core provider, and the
target bank was on a different core. They had to pay $1.2
million to the target bank's core provider in order to move
that data over to their core. And so, there is an enormous
amount of cost.
So, if we could have some kind of consistency and data
portability across these providers, that would really free up
competition, because it is extremely onerous. Even if you wait
until your contract is expired and you want to move to a new
core provider, it is still going to cost you into the high six
figures in order to do a conversion, which is one of the
reasons why a lot of our banks end up staying with the same
company over and over again for these long-term contracts. It
makes us less competitive. It is very costly. And if we could
have some consistency in standards, I think you would introduce
more competition into the marketplace.
Mr. Foster. No, no, it is remarkable. There are markets
where it is best that government just gets the heck out, like
plain old internet, where we have said, okay, industry, figure
it out, and any computer can talk to any other. But then there
are markets, like electronic health records or apparently this
market, where I guess the natural tendency toward monopoly is
just so strong and toward vendor capture.
Many of you have also mentioned identity fraud and
synthetic identity fraud, social engineering, and phishing
attacks. And there is a pretty broad consensus that we have to
get away from password-based systems to more secure systems.
There has been progress on this, including on the consumer-
facing thing, with the rollout of Mobile ID, sometimes called
digital driver's licenses, by many States. They were a standard
that was developed by NIST, and iPhone and Android are now
supporting them. It is a big part of their recent rollout of
new updates to their operating system. And several States are
rolling these out.
This allows you to essentially turn your cell phone into a
security dongle that is associated with a REAL ID-compliant
driver's license or other ID or a passport. And these things
have the potential to really get rid of a lot of the agony that
business and government sees with identity fraud.
Has the rollout in States gone far enough that you have
really seen an effect of using these for Know Your Customer
(KYC) requirements and so on, or is it still early days? Are
any of you sort of aware of the use of this?
Mr. James. Yes. We are generally aware of the trend, but it
is still very, very early. I know in the State of Georgia,
where our bank is located, we have not seen that yet. I am not
sure about any of the other panelists, but it is still early
days for us.
Mr. Vazquez. Yes, sir. And I would agree with Mr. James
that the technology is in its infancy. We are aware of it and
are paying attention to it, because we do actually believe, as
you just mentioned, that passwords are a huge area that allows
for compromise. If we can take that away and move to something
of what you have and get away from passwords, that would be the
perfect solution. But right now, the technology is in its
infancy. And as soon as it matures, we will definitely be
looking at that to bring into Canvas.
Mr. Foster. Yes. I believe the technology is actually
mature and--
Chairman Perlmutter. The gentleman's time has expired.
The gentleman from South Carolina, Mr. Timmons, is now
recognized.
Mr. Timmons. Thank you, Mr. Chairman.
Mr. Jain, do you agree that Congress should preempt States
and pass a comprehensive cybersecurity and data privacy
framework for the U.S. economy?
Mr. Jain. I definitely agree that Congress should pass that
kind of legislation. I think on the preemption question, I
would say two things. One, it is hard to answer the preemption
question without knowing how strong the substantive protections
are, because, obviously, if it is a really weak substantive
privacy law, then that would, I think, mean that we wouldn't
support preemption.
And the second point I would make is that I don't think
preemption is an all-or-nothing thing. In other words, it is
not we preempt everything or we preempt nothing. I think there
are some laws, like you have referenced, like the California
law and the Colorado law, which would be fairly parallel in
some ways to a Federal privacy law where if it were strong
enough, it may make sense to preempt.
On the other hand, there are other laws of general
applicability that sometimes may read on privacy, whether it is
civil rights laws that protect against discrimination or unfair
and deceptive trade practice laws that deal with people who are
deceptive in describing the privacy practices, where
preemption, I think may not make sense. But I think there is
room there to talk.
Mr. Timmons. Sure. I have concerns about Congress' capacity
to craft such legislation. Not that we are not competent in
many ways, but this is very challenging.
Do you think this is something that we could incorporate or
ask NIST to take a first swipe at if we were to give them a
general framework, to kind of work out some of the kinks on the
front end and then maybe make it easier to go through the
various committee jurisdictions?
Mr. Jain. I would make two observations. One, there are
actually quite a few bills out there, both on the Republican and
Democratic side, that I think are credible efforts, and sort of
move us down this road.
I think it is quite possible that what legislation should
do is to set forth basic duties and principles and then ask
whether it is NIST or the FTC or some other regulatory agency,
to try to fill those out and, therefore, also be a little
bit more nimble in sort of responding to new developments, as
you noted earlier. But I think there are some credible efforts
that are already out there in terms of bills.
Mr. Timmons. Do you think a joint select committee would
increase the likelihood of success of such an endeavor?
Mr. Jain. I leave that to you, to some degree. I think the
Commerce Committee in the Senate, and the Energy and Commerce
Committee here in the House have, as I understand it, been
taking the lead to the extent there has been activity around
this. Whether that is sufficient jurisdictionally, I am not
enough of an expert in congressional committee jurisdiction to
be able to answer that.
Mr. Timmons. I have a feeling that the chairwoman of this
committee might want to have a piece of the conversation in
here. But the same can probably be said for a number of other
committees, and that is the biggest challenge that we have.
Would you agree that GDPR and CCPA have perhaps gone a
little bit too far in certain regards, and Congress should be
careful not to take an overly-burdensome approach and perhaps
try to facilitate some free-market solutions for enforcement
mechanisms? I think one of the biggest challenges is growing
government and creating standards when we are really just
trying to facilitate best practices. What are your thoughts on
that?
Mr. Jain. I am not sure if I would characterize it
necessarily as them going too far, so much as I would say that
we need to move in a slightly different direction, which is
that a lot of existing privacy laws focus on the idea of notice
and then give consent on the part of consumers.
And as I talked about in my testimony, we all know that
most consumers never read those 30-page privacy policies. And
so, I think a privacy law that is based on the assumption that
people are going to do that just doesn't really make sense and
doesn't match with the real world.
What I do think we need to do is move more to a system in
which we say, hey, there are some basic rules that if you are
going to collect personal data, you have to follow. You have to
minimize the data that you are going to collect. You shouldn't
be sharing it in ways that are going to surprise consumers
unless you go back and get permission, express permission from
the consumers.
And you put those kinds of rules in place so that you can't
bury in the privacy policy somewhere, hey, we are going to
share this with these 10 parties. I think what we need to do is
move in that direction, which I think is less about is GDPR
going too far or too less, but sort of shifting the paradigm a
little bit.
Mr. Timmons. Sure. I guess, last question: The U.S. economy
is important, but the global economy also has an important role
to play. What do you think about Congress trying to extend
these protections to people abroad?
Mr. Jain. We clearly have to pay attention to what is going
on abroad, because most of our big companies obviously operate
in multiple markets, and as a practical matter, it is very
difficult for a large company to do different things, based on
different geographies. That is why you see, for example, that a
lot of companies follow GDPR sort of across the world, because
it is just easier. Having implemented it, it is just easier for
them to do that.
I think if it is going to be hard for Congress to pass a
privacy law, I think it is probably hard to negotiate a
worldwide privacy law. But having said that, I think paying
attention and trying to figure out how what we passed works and
meshes with laws in other countries is an important piece of
this.
Mr. Timmons. Sure. Thank you for your time.
I yield back.
Chairman Perlmutter. The gentleman's time is expired.
Mr. Jain, one of the things we used to call the contracts
you are talking about, we called them adhesion contracts, where
the consumer really doesn't have much choice and has to adhere
to whatever it was that the other contracting party was
demanding. And here, it is people who haven't even read the
contract, much less have much say as to how it is drafted.
I will now yield 5 minutes to the gentleman from New York
City, Mr. Torres, for the last questioning. And I just want to
thank the panel for allowing us to take extra time.
Mr. Torres. Thank you, Mr. Chairman.
According to a report from Trend Micro, in the first half
of 2021, there has been a 1,318 percent increase in ransomware
attacks against banks and credit unions. According to
suspicious activity report data from the Financial Crimes
Enforcement Network (FinCEN), in the first half of 2021, the
ransom amount paid out was $590 million, compared to only $416
million in all of 2020.
This question is for Mr. James. Mr. James, the internet has
been around for a while. Cryptocurrency has been around for a
while. What is driving this inexplicable explosion of
ransomware, particularly against financial institutions?
Mr. James. I think that it was mentioned earlier, Mr.
Torres, that these bad actors are going where they find the
money. And they are attacking what they think are
vulnerabilities in our overall system. So, they are going to
attack those institutions that they perceive as vulnerable and
they are going to attack those systems that they perceive as
vulnerable, particularly those that have the ability to pay.
And so our institutions, community banks, and minority
depository institutions in particular, are being extremely
vigilant about protecting our systems from these kinds of
attacks, not only in terms of the amounts of money that we pay
our core processors--at our institution, it is about $25,000 a
month--but also all of the additional investments that we are
making in training and people and consulting and infrastructure
to try to keep up with the rapid rate of change and the rapid
increase in these attacks.
Mr. Torres. And do we know if the ransom payments are
primarily coming from small banks or big banks? Do we know the
distribution?
Mr. James. I think it is primarily coming from larger
institutions, rather than many of our members, but our members
are being very, very vigilant and keeping aware of these
situations.
Most of our institutions are carrying cyber insurance
contracts, cyber insurance policies that would help to mitigate
the cost. But the cost of the premiums of those contracts also
is increasing exponentially, and we really need to be mindful
of that cost as well as we face additional attacks in the
ransomware space.
Mr. Torres. It seems to me that one of the greatest
challenges to cybersecurity is a lack of enforcement. Almost
all crimes in cyberspace go unpunished, with less than 1
percent resulting in enforcement actions.
According to Third Way, for every 1,000 cybercrimes, only 3
of them will actually result in an arrest. Criminals are
rational actors, so if the risks are low and the rewards are
high, then cybercriminals have an incentive to commit
cybercrimes in greater and greater numbers, at a faster and
faster pace, and on a greater and greater scale.
And the data is crystal clear that cybercrime is on an
exponential curve. According to Cybersecurity Ventures, the
cost of cybercrime will go from $3 billion in 2015, to a
projected $6 billion in 2021, to a projected $10.5 trillion in
2025. So, I am concerned about the trajectory of cybercrime,
particularly as it relates to financial institutions.
Mr. Jain, I have a question about Section 1033. I am a
strong supporter of Section 1033, but there are some legitimate
concerns about cybersecurity and legitimate concerns about data
aggregators, which tend to be largely unregulated and
unsupervised.
How would you assess the state of cybersecurity with
respect to data aggregators?
Mr. Jain. I think there are some real issues there. In
particular, I think what we have seen early on in the industry
was the use of basically a technique called screen scraping,
where essentially a consumer was turning over their credentials
to the data aggregator, and the aggregator was scraping the
information from the screen. And that clearly presented all
sorts of security issues.
I think we are starting to move toward a system in which
the data aggregators are communicating with financial
institutions through application programming interfaces (APIs)
or sort of interfaces designed for that, which I think is a
positive step. Nonetheless, data aggregators, in general, don't
fall within the purview, for example, of Gramm-Leach-Bliley,
which sets sort of the privacy and security standards for other
actors in the financial system.
So, I think it is important to impose privacy and security
regulations on entities like data aggregators, ideally through,
as we have been talking about, broad baseline privacy
legislation, but short of that, then maybe bringing them within
Gramm-Leach-Bliley at least as a transitional measure.
Mr. Torres. Excellent. Thank you for the answer.
Thank you, Mr. Chairman.
Chairman Perlmutter. Thank you. The gentleman's time has
expired.
I want to thank our panel for your expert testimony today.
And we really do appreciate you giving us a little extra time.
Obviously, this is a hot topic for all of us, one that we
really need to try to get our arms around.
I think, as the chairwoman said, and as Mr. Luetkemeyer
said, this is one area where there is a lot of common desire to
minimize the attacks that we all face in the financial industry
and elsewhere by cybercriminals and by nation-states and other
bad actors.
So, thank you all very much for your testimony today.
I want to thank Mr. Thornton for putting these hybrid
hearings together. It is not easy to have somebody in person
and a number of folks on the platform, and it worked very well
today. And I want to thank you for that, sir.
The Chair notes that some Members may have additional
questions for these witnesses, which they may wish to submit in
writing. Without objection, the hearing record will remain open
for 5 legislative days for Members to submit written questions
to these witnesses and to place their responses in the record.
Also, without objection, Members will have 5 legislative days
to submit extraneous materials to the Chair for inclusion in
the record.
And without objection, statements will be entered into the
record on behalf of the following organizations: the National
Association of Federally-Insured Credit Unions (NAFCU); the
Electronic Transactions Association; the American Bankers
Association; and the Credit Union National Association.
With that, thank you all very much. This hearing is now
adjourned.
[Whereupon, at 12:39 p.m., the hearing was adjourned.]
A P P E N D I X
November 3, 2021
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]