Why Banking Cyber Rules May Be Heading For A Major Overhaul

Financial institutions operate under an extensive framework of federal and state regulation. Despite that framework, recent events, including a data breach caused by one of Pelican State Credit Union's vendors, have demonstrated that financial institutions remain exposed to risk that current regulations do not account for and that today's market does not anticipate.

When banking regulations were first written, it was assumed that bank data lived primarily on bank servers rather than on systems operated by vendors, that cyber risk evolved relatively slowly, and that banks relied on a small number of vendors. Under those assumptions, a bank could defend its organization against these forms of risk with a single point of defense.

Today's banking landscape has changed dramatically. Banks commonly do business with no fewer than 50, and sometimes thousands, of technology partners providing services ranging from customer communications and analytics to card processing, cloud hosting, and identity verification.

Every additional vendor or technology partner adds another layer of risk and exposure. An institution can monitor its activity with each vendor, but it cannot eliminate the risk inherent in services that are built into its business model.

A Regulatory Framework Designed in Another Time

Today's banking systems operate well outside the regulatory parameters set when the current frameworks were first created. The Gramm-Leach-Bliley Act (GLBA), the Federal Financial Institutions Examination Council (FFIEC) guidance, and various state privacy regulations all require banks to establish strong internal controls over their own data. That requirement rests on the premise that banks manage their own data, and that premise has eroded considerably as technology has reshaped the modern banking system.

Cloud computing gives banks solutions capable of managing large amounts of sensitive personal information and allows third-party software vendors to provide services such as account processing, marketing analytics, and digital consumer onboarding, along with the many mobile applications that let consumers transact from their devices. These solutions promote innovation and convenience, but they also create a system of distributed risk in which a single failure anywhere in the third-party ecosystem can affect thousands of consumers at once.

Banks remain subject to rigorous regulation, yet they are increasingly reliant on outsourced relationships with third parties that sit outside the traditional supervision model. Third-party vendors may be audited, but those audits are typically not performed with the level of oversight imposed on regulated financial institutions. Moreover, cyber threats evolve much faster than the certification cycle of most regulated financial institutions.

Breakdowns in Principle Oversight

Experts have identified three basic deficiencies that are central to the current conversation about regulatory reform.

1. Vendors Are Not Held Equally Accountable
   While banks face strict cybersecurity standards, there is no corresponding standard for the vendors that support them. The result is an environment in which banks carry all of the legal obligations while their vendors expose them to risk.

2. Monitoring Is Still Based on Scheduled Review
   Banks usually review the risk profile of their third-party vendors on an annual or quarterly basis. With automated threats, zero-day exploits, and supply chain attack vectors now common, a static review process cannot provide sufficient visibility into ongoing threats.

3. Reporting Rule Differences
   Some states require notification of a data breach soon after it is discovered; others require reporting based on the "risk of harm" associated with the breach and allow a longer period for that risk to be assessed before it is reported. This disparity in reporting timelines makes it harder for consumers to learn whether they have been affected by a breach.

These limitations are not a result of regulatory failures, but rather indicators that the banking environment has become increasingly more complicated than the rules intended to regulate it.

The Future of Banking Cybersecurity Regulations

While cybersecurity regulations for financial institutions have not yet changed drastically, a few trends are emerging among regulators.

1. Greater Vendor Monitoring and Reporting
   There is already an observable shift from banks requiring an annual attestation that a vendor complies with the lender's cybersecurity requirements toward banks continuously monitoring vendor compliance and reporting vulnerable areas immediately. Banks may soon be required to show that they actively monitor their vendors rather than simply keep records of them.

2. Standardized National Breach Notification Requirements
   The many different state breach notification requirements create confusion for consumers after a data breach. Regulators are considering a unified federal breach notification timeline that would give consumers quicker notice of breaches and give banks a more streamlined process for notifying them.

3. Mandated Data Minimization
   Most banks and vendors store far more sensitive data than their operations require. Regulators have begun to signal the end of retaining sensitive information for anything other than current operational use. Strict retention limits, anonymization requirements, and tighter access restrictions on sensitive information are likely to follow.

4. Joint Liability for Banks and Technology Vendors
   Future regulations are likely to assign liability for preventable cybersecurity incidents to both the financial institution and the technology provider whose services it uses to conduct business.

Impacts to Customers

As regulation increases, consumers should expect to receive breach notifications much sooner and to see companies apply stricter controls over personal information, reducing the opportunities for criminals to misuse data once it has been breached. No matter how many regulations exist, however, the risk of cyber crime cannot be eliminated entirely. Banks, like almost all businesses today, rely on many different technologies to run their operations, which makes it difficult to identify the weakest element within the entire business process.

To protect themselves, consumers should continue to follow the fundamental digital security precautions they have always used online: reviewing their statements regularly, setting account alert notifications, changing their passwords frequently, and being cautious when responding to any unsolicited communication about banking-related issues or services.