2016 may be the year when financial services regulators “get tough” on cybersecurity. The head of the Commodity Futures Trading Commission recently said that his organization would likely push out cybersecurity standards. The Securities and Exchange Commission recently put out new examination priorities. And the New York Department of Financial Services sent a letter to federal regulators outlining its proposal for regulation.
All these regulators are well intentioned. They want to keep cybersecurity from becoming the same kind of systemic risk that high-risk mortgages were in the lead-up to the 2008 financial crisis and recession. The only problem is that the sets of requirements they are turning to are not likely to improve security very much.
I am a big fan of the NIST Cybersecurity Framework and other standards-based efforts when they are used as tools for companies to help themselves become more secure. They are much less effective when imposed from the outside, generally by a regulator, and used as an assessment tool. That which checks a box is not that which protects thy data.
Where regulation is deemed to be necessary, regulators should find ways to specify the outcomes that they want to achieve, and craft incentives and penalties to motivate regulated entities to achieve it.
For instance, the Consumer Financial Protection Bureau (CFPB) could come up with a lengthy list of cybersecurity requirements for consumer banks to protect consumers from account takeovers and financial loss. The CFPB might require that the banks have governance processes in place, patch vulnerabilities on a regular cycle, and exercise incident response. It might require them to force two-factor authentication on all their consumers’ online accounts. These measures might or might not be effective, but the focus they would create on compliance would take away time, attention, and money from efforts to actually secure systems.
Another model, what regulators call outcome-based regulation, is a better approach. Instead of mandating security requirements, regulators who want to protect consumers from financial loss could simply require that banks reimburse consumers for any fraudulent transactions. Then banks can make business decisions about how much they want to spend on security, how much they are willing to inconvenience their account holders with security measures, and how much fraud they can accept as the cost of doing business.
That is in fact the law today. Contrary to what many people believe, the Federal Deposit Insurance Corporation (FDIC) doesn’t reimburse banks for fraud perpetrated against accounts. The FDIC only insures your account against the failure and collapse of the bank. As the FDIC explains, most banks have private insurance for fraud loss. The reason they carry this insurance is that Regulation E under the Electronic Funds Transfer Act makes them responsible for the losses.
Unfortunately, Regulation E only applies to consumer bank accounts, not those of small businesses, and banks are pushing back against an expectation that they will reimburse small business-related losses. Banks argue that identifying and stopping fraudulent business transactions is much more difficult and prone to error than identifying and stopping fraudulent consumer transactions—individual businesses are in the best position to determine fraudulent activity.
While banks both large and small have been sticking to their guns, it’s possible that the banking industry could solve this problem on its own through competition. Banks that offer fraud protection for business accounts might be much more attractive to potential customers than those that don’t. Third-party payment companies like MineralTree offer insurance as an incentive to use their tools. It just might be possible for the market to solve this problem before regulators need to step in. If not, copying and pasting Regulation E will be much faster and more effective than a long list of security requirements for banks to meet.