Banks could get fined for cyber breaches, top regulator says

Posted at 7:14 AM, Aug 01, 2019
and last updated 2019-08-01 09:14:29-04

Cybersecurity is the biggest threat facing America’s banks, FDIC Chairman Jelena McWilliams told CNN Business.

“It’s something we take very seriously,” McWilliams said during an interview this week.

Capital One, which is not regulated by the FDIC, recently revealed a massive cyber breach that exposed sensitive information on more than 100 million customers.

McWilliams, a Trump-appointed regulator who helps oversee about 4,000 mostly smaller lenders, said the FDIC could fine a bank that suffers a major breach after failing to fix weak cyber defenses flagged by the agency.

“We could certainly have an enforcement action,” she said at the KBW Community Banking Investors Conference.

Beyond a fine, McWilliams said shoddy cyber defenses could force regulators to downgrade their ratings on bank management teams.

Last month, Facebook was hit with an unprecedented $5 billion fine by the Federal Trade Commission over how the company lost control of massive amounts of personal data. It was the largest fine in FTC history.

McWilliams said the FDIC is “monitoring” the cyber defenses and “continuously” testing the safety and structure of banks’ networks and firewalls. The agency then flags deficiencies, orders banks to fix them and monitors whether progress has been made.

An FDIC spokeswoman told CNN Business that the agency has in the past taken enforcement actions against banks for IT-related issues, including for failure to monitor third-party service providers. The FDIC declined to say whether those actions included fines.

McWilliams noted that the FDIC has “limited ability” to examine third-party service providers.

In the Capital One breach, the hacker exploited a misconfigured web application firewall, according to authorities. That gave the hacker access to 140,000 Social Security numbers, 1 million Canadian Social Security numbers, 80,000 bank account numbers and an undisclosed number of people’s names, addresses, credit scores and other information.

McWilliams warned that more high-profile breaches could occur in the future.

“I don’t suspect that the hackers will stop doing what they do,” she said, adding that banks must “continuously” update their protections and firewalls to prevent attacks.

Some major American banks have spent billions of dollars on technology, including investing in cybersecurity and anti-money laundering. Banks have also tried to hack their own systems and even offered awards to ethical hackers who discover weaknesses.

“Protecting the banks and protecting consumer data is prohibitively expensive,” McWilliams said.

The FDIC chief said that cybersecurity is the No. 1 risk facing large banks and the banking system as a whole.

In addition to cyber, community banks are also facing competitive pressure from credit unions, nonbank lenders and even tech companies.