With Washington deadlocked by partisanship, it's falling to states to inspect banks' cyber security practices, and that could mean trouble for some small institutions.
Government regulators' interest in banks' IT security practices has spiked recently in the wake of increasingly sophisticated cyber attacks, like the data breaches that stole credit card data from millions of consumers last December. In the last couple of months, the SEC released new cyber security guidelines for brokerages and investment firms, and New York became the first state to audit the cyber security defenses of financial institutions.
"We're seeing these big cyber attacks, and a regulatory framework is always part of the discussion in security. So we expect to see more regulatory attention on this," Roel Schouwenberg, principal security researcher at Kaspersky Lab, told us.
Carl Herberger, vice president of security solutions at Radware, said that, with no national cyber security legislation coming from Washington, states are forced to act to protect consumer data from hackers.
"It makes sense for states to conduct their own cyber security assessments where financial services is relevant, like in New York," Herberger said. "With regulations regarding data leakage, we already see California and Massachusetts taking the lead."
How cyber security standards are developed and implemented will determine how state-level regulations could impact banks. Schouwenberg said some companies are already shying away from doing direct business in Massachusetts because of its strict data privacy laws.
As the first state to conduct cyber security audits of banks, New York has provided an example of what banks can expect from regulators assessing this area. In a May report, New York's Department of Financial Services outlined several "pillars" of a compliant information security framework for banks under its jurisdiction, including having a written information security policy and training staff on the latest cyber security risks.
A 2013 Department of Financial Services survey found that more than 90% of large banks in the state have a security framework that meet the requirements. However, small banks (those with less than $1 billion in assets) were found to be lagging behind their larger counterparts in key areas. Only 62% of small banks conducted security audits of their IT vendors and partners, compared to 80% of large and midsized ones. And less than 25% of small banks participated in a threat information-sharing organization like the Financial Services Information Sharing and Analysis Center (FSISAC).
"I was surprised by the participation in FSISAC. I thought it would be much higher," Schouwenberg said. "Everyone should join that, and if some small financial institutions aren't doing that, then it makes me wonder what else they're not doing."
Paul Smocer, president of BITS, the technology arm of the Financial Services Roundtable, told us small banks often have fewer resources to throw at security issues, but they also have fewer risks, because attackers tend to target large institutions. But that doesn't dismiss the need for small banks to stay up to date on risks and best practices by engaging with the FSISAC. These banks often rely heavily on outsourcing IT services to vendors, so auditing those vendors is of particular importance for them.
"Smaller banks need to understand what their vendors and service providers are doing for them securitywise," he said. "You can outsource a service, but you can't outsource the risk."