Cyber Threats, Consumer Data, and the Financial System (EventID=114214)

Video Description

Connect with the House Financial Services Committee Get the latest news: https://financialservices.house.gov/ Follow us on Facebook: https://www.facebook.com/HouseFinancialCmte Follow us on Twitter: https://twitter.com/FSCDems ___________________________________ On Wednesday, November 3, 2021, at 10:00 a.m. (ET) Consumer Protection and Financial Institutions Subcommittee Chairman Perlmutter and Ranking Member Luetkemeyer will host a hybrid hearing entitled, “Cyber Threats, Consumer Data, and the Financial System." - - - - - - - - Witnesses for this one-panel hearing will be: • Samir Jain, Director of Policy, Center for Democracy & Technology • Robert E. James, II, President & CEO, Carver Financial Corporation • Carlos Vazquez, Chief Information Security Officer, Canvas Credit Union • Jeff Newgard, President and Chief Executive Officer, Bank of Idaho, on behalf of the Independent Community Bankers of America Overview According to a recent report, a critical cyberattack on a large, systemically important company or regional utility could create economic losses greater than a major natural disaster. The financial services sector is a top target for cybercriminals seeking to steal financial assets, consumer and business data, or deploy ransomware, disrupt services, and shut down networks. According to financial regulators, cyber threats are increasingly more sophisticated, organized, and a growing area of concern. Major financial companies agree. Testifying before the House Financial Services Committee in May 2021, when asked what they see as the “greatest threat to our financial system right now,” four of the six CEOs of the largest U.S. banks' responses included cybersecurity. Cyberattacks on banks are also increasing in number. Through the first half of 2021, banks and credit unions experienced a 1,318% increase in ransomware attacks. According to one study, the likelihood of cybercrime being detected, reported, and enforcement action taken may be as low as 0.05%. This hearing will examine cybersecurity and consumer data protection challenges for financial institutions, efforts by the U.S. Department of Treasury (Treasury Department) and other government agencies to strengthen cyber defenses in the financial sector, and review the current legal framework governing data security. Cybersecurity and Consumer Data Laws Federal policy governing cybersecurity and data protection for financial institutions is often intertwined and spread across several laws, rules, and agencies. Additionally, as businesses collect more sensitive data from consumers, consumers face an increasing risk that their data will be lost, mishandled, or stolen. The Gramm-Leach-Bliley Act of 1999 (GLBA), the most comprehensive federal law on privacy and data security for financial institutions, directs financial regulators to institute a framework for consumer data privacy and security safeguards. Title V, Subtitle A of GLBA limits financial institutions from sharing nonpublic consumer data with unaffiliated third parties, requires financial institutions to disclose privacy policies to consumers and authorizes regulators to promulgate regulations. Title X of the Dodd-Frank Act Wall Street Reform and Consumer Protection Act (Dodd-Frank Act) transferred rulemaking authority of consumer data privacy protections under GLBA to the Consumer Financial Protection Bureau (CFPB), which subsequently reissued rules under Regulation. The enforcement powers under Regulation P are shared among the federal banking regulators, the Federal Trade Commission (FTC), the Securities and Exchange Commission (SEC), the Commodity Futures Trading Commission (CFTC), and the state insurance commissioners. Under GLBA’s data security provision, the financial regulators (except the CFPB) and FTC have promulgated versions of the Safeguards Rule. By statute, these rules require regulators to “establish appropriate standards for the financial institutions subject to their jurisdiction relating to administrative, technical, and physical safeguards— (1) to ensure the security and confidentiality of customer records and information; (2) to protect against any anticipated threats or hazards to the security or integrity of such records; and (3) to protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.” Other laws also include cybersecurity and data privacy provisions. Under the Sarbanes-Oxley Act of 2002, public companies, foreign and domestic private issuers, and issuers of asset-backed securities must disclose internal and external risks and how they respond to such risks in reports filed with the SEC. The SEC has interpreted such risks to be inclusive to cybersecurity. The Fair and Accurate Credit Transactions Act of 2003 (FACT Act) amended the Fair Credit Reporting Act (FCRA) to... Hearing page: https://financialservices.house.gov/calendar/eventsingle.aspx?EventID=407959