Congress is continuing to review federal data security and privacy laws while businesses, especially in the financial services industry, face increasing risks that they can mitigate through best practices.
9/19/2019 9:00
Cybersecurity breaches, especially targeting small businesses, continue to rise as more consumers have a “digital identity” and companies operate their systems using artificial intelligence and machine learning.
In fact, according to the U.S. Small Business Administration, there were nearly 42,000 “online security incidents” internationally over the past year and approximately 43% of those incidents targeted small businesses.
The House Financial Services Committee’s Task Force on Artificial Intelligence discussed how to protect consumers and businesses from cyberattacks, and the role of government in providing regulation, in a Sept. 12 hearing, “The Future of Identity in Financial Services: Threats, Challenges, and Opportunities.”
U.S. Rep. Bill Foster, D-Ill., said during the task force hearing that financial services companies are at the forefront of cybersecurity risks.
“More than 25 percent of all malware attacks hit banks and other financial services organizations, which is more than any other industry,” Foster said. “In addition to the billions of dollars that financial institutions spend on cybersecurity, they also spend over $25 billion a year on anti-money laundering and ‘Know Your Customer’ compliance, with large institutions spending up to $500 million annually.”
Digital technologies, such as artificial intelligence, while beneficial for businesses and providing convenient services for consumers, may create some added risks.
For example, artificial intelligence can be used in authentication to verify a consumer’s identity before communicating about a payment or account, but the databases used to confirm that identity are also susceptible to cyberattacks by bad actors.
“Data breaches, particularly ones where large amounts of personally identifiable information (PII) are exposed, provide much of the information that a bad actor may need to open an account with a company, especially if the company uses credit reporting information in their data-verification process,” according to a memorandum from the task force hearing.
While Congress continues to consider a universal federal law mandating data security practices, such as multi-factor authentication, there are a variety of other federal and state laws pertaining to data protection and privacy to shape companies’ best practices.
For example, the Gramm-Leach-Bliley Act requires financial institutions to safeguard nonpublic personal information, according to the task force memorandum.
Currently, among several issues being discussed on Capitol Hill, a key question is whether any new federal privacy law would pre-empt state laws or coexist with them, ACA International’s Vice President and Senior Counsel of Federal Advocacy Leah Dempsey reports in a Collector magazine article on privacy policies.
In the meantime, the financial services industry and small-business owners may follow simple steps to address cybersecurity threats and protect their companies and clients, as well as consumers’ personal data.
Beyond changing passwords, training employees on your company’s data security policies and procedures and regularly updating software, the Conference of State Bank Supervisors (CSBS) “Cybersecurity 101” Resource Guide has valuable tools available for businesses.
Here are a few tips from the guide, which can be tailored to fit your company’s specific needs and available resources:
- Use internal resources, such as audit reports, to conduct a risk assessment at least once per year and revise your risk management strategy if needed.
- Conduct a specific cybersecurity risk assessment to identify threats and vulnerabilities in your systems and designate personnel to respond to and mitigate threats. Also keep top leadership and your board of directors in the loop on cybersecurity threats and response strategies.
- If a significant data breach occurs outside of your institution, it’s a good time to evaluate your policies and procedures and the risks that the threat may spread to other financial services companies.
ACA also regularly hosts online webinars about data security. View the events calendar for upcoming educational opportunities.
The latest episode of ACA Cast with Gordon Beck, president and COO of Valor Intelligent Processing LLC and ACA’s Education and Membership Development Director Harry Strausser III, IFCCE, MCE, features a discussion on embracing technology and artificial intelligence.