Banks have a duty to safeguard the personal and financial information of their clients. They also have a duty to protect the entire financial system. Regulators have long worried that a coordinated attack on several major banks could have a disastrous ripple effect on our economy.
The Federal Deposit Insurance Corporation (FDIC), Federal Reserve and Office of the Comptroller of the Currency (OCC) all have existing cybersecurity rules. Some of those rules act more like guiding principles.
In 2016, the three regulatory agencies issued a joint proposed rulemaking. Those rules were designed to better protect customers, prevent hacking and limit the damage caused by cyberattacks.
Despite the fanfare that accompanied these proposed rules, nothing much has happened. The OCC and FDIC quietly scrapped their participation in the endeavor earlier this year. The Federal Reserve, however, says it is continuing to move forward.
We are somewhat surprised by the actions of the other two big bank regulators. After pulling out of the cybersecurity rulemaking, the OCC issued a risk report earlier this month in which the agency found a growing risk posed by outside vendors who do work for banks. The government thinks they may be the weak link for cybercriminals: “Cybercrime and espionage increasingly target third-party service providers to gain access to bank information or systems.”
The fall 2018 OCC semiannual risk report said,
“Severity of cyber threats is increasing in the number and sophistication of malicious actors. Evolving cyber risks present significant challenges to managing cyber threats and vulnerabilities across complex operational frameworks. Cyber threats target operational vulnerabilities that could expose large quantities of personally identifiable information and proprietary intellectual property, facilitate misappropriation of funds and data at the retail and wholesale levels, corrupt information, and disrupt business activities.”
So why is the OCC delaying new regulations?
We understand the frustration that the business community has in general with over-regulation. The political winds in Washington these days favor less regulation, but as cyber threats increase both in number and sophistication, new rules are necessary to protect the public and the integrity of our financial system.
One agency that hasn’t wasted any time, however, is the New York State Department of Financial Services. New York passed comprehensive bank cybersecurity rules in 2017 that took effect March 2019. Those rules impact banks and insurance companies. One of the new rules requires financial institutions to report data breaches within 72 hours.
Whistleblower Rewards and Bank Cybersecurity
The new and proposed rules do not contain any reward provisions. Existing SEC and FIRREA whistleblower programs continue to apply, however. Public companies such as bank holding companies have comprehensive reporting requirements under the SEC program while federally insured banks are subject to FIRREA.
We do not believe a violation of the New York rules will give rise to an award under the New York whistleblower program.
The bottom line? If a bank doesn’t heed existing banking cybersecurity rules, rewards may be available. While we certainly need to strengthen the cybersecurity rules on banks and their vendors, rewards are already available.
To learn more, visit our cybersecurity whistleblower page. Ready to see if you qualify for an award? Contact us online, by email or by phone at 202-800-9791. We accept cases nationwide and worldwide. All inquiries are protected by the attorney-client privilege and kept confidential.