Financial Sector Cybersecurity Regulations
Bidgoli (2006) describes the statutory approach in the United States as sectoral in nature “because the laws are drawn along industry lines.” This contrasts with other parts of the world, such as the European Union, which takes a non-sectoral approach in which, for example, a single comprehensive privacy law applies to all organizations regardless of industry. Schwartz (2009) defends the current sectoral approach in the United States, noting that a model similar to the European Union’s would be “difficult to amend, and would, therefore, become outdated as technological changes undermine such a statute’s regulatory assumptions.” In the United States there are several federal cybersecurity regulations that apply to different industries. The Gramm-Leach-Bliley Act, examined in greater detail later in this section, applies directly to the financial industry.
The history of financial regulation has swung between tightening and loosening, with each swing correlated to events that prompted lawmakers to enforce, correct, or shore up the system. Some of this legislative history is worth understanding in order to put the industry’s current cybersecurity regulation in context. It was not until the Great Depression, which followed the stock market crash of 1929, that specific laws were enacted to strengthen the banking system and restore public trust. The Glass-Steagall provisions of the Banking Act of 1933 “separated commercial banking from investment banks in the United States” (Neal & White, 2012), and the same act created the Federal Deposit Insurance Corporation (FDIC) to help restore confidence in the banking system. The Banking Act of 1935 continued the reform of banking abuses. By the 1980s, banks were finding it difficult to compete with non-traditional financial organizations that were not subject to the same degree of regulation. The Depository Institutions Deregulation and Monetary Control Act of 1980 and the Garn-St Germain Depository Institutions Act of 1982 softened the distinction between banks and other financial institutions. Many have argued that these pieces of legislation contributed to the savings and loan (S&L) crisis of the 1980s (Zimring & Hawkins, 1993). After the crisis the pendulum swung back toward regulation with the Financial Institutions Reform, Recovery, and Enforcement Act of 1989 (FIRREA), which restructured the S&L insurance system, followed by the Federal Deposit Insurance Corporation Improvement Act of 1991 (FDICIA), which further reformed the S&L industry.
Further deregulation came at the end of the 20th century with the Financial Services Modernization Act of 1999, better known as the Gramm-Leach-Bliley (GLB) Act, which was enacted primarily to remove the legal barriers between banks, securities firms, and insurance companies. It is this law that connects the legislative history to present-day efforts to combat cybersecurity vulnerabilities. Not only did the act repeal some of the earlier Glass-Steagall provisions, but it also introduced new rules for financial privacy (Janger & Schwartz, 2002). The law requires financial institutions to ensure the security and confidentiality of customer records and information, to protect against anticipated threats or hazards to their security or integrity, and to protect against unauthorized access to or use of such records or information that could result in substantial harm or inconvenience to any customer (Financial Services Modernization Act, 1999, 15 U.S.C. § 6801(b)). The law also requires financial institutions to disclose to their customers how their information is collected and shared. In terms of cybersecurity provisions, one of the most substantial parts of GLB is the requirement that financial institutions develop and implement a “comprehensive written information security program that includes administrative, technical, and physical safeguards” (Bidgoli, 2006). The law leaves each organization considerable flexibility in how such a program is implemented, but compliance is overseen by the institution’s federal functional regulator (the banking agencies, the SEC, or the FTC for institutions not otherwise regulated) and, for insurers, by state insurance authorities.
Some argue that the flexibility GLB affords financial institutions fails to enforce effective and comprehensive cybersecurity practices. Senator Robert Menendez has pushed for new legislation that would not only create stronger protections for customers but also allocate new money for cybersecurity research and scholarships (Gross, 2011). Other laws at the federal and state level are not directed specifically at the financial industry but still impose obligations on businesses that handle sensitive information. These include the Federal Trade Commission Act, the Electronic Communications Privacy Act, the Sarbanes-Oxley Act, the Uniform Computer Information Transactions Act (a model law adopted by only a few states), and the Computer Fraud and Abuse Act. All of these were established to protect consumers and the organizations that collect and store sensitive data.
- Bidgoli, H. (2006). Handbook of Information Security. Hoboken, NJ: John Wiley & Sons.
- Financial Services Modernization Act of 1999, 15 U.S.C. § 6801(b). Retrieved from http://www.ftc.gov/privacy/glbact/glbsub1.htm
- Gross, G. (2011). Senator: New cybersecurity regulations needed for banks. PC World Business. Retrieved from http://www.pcworld.com/article/230814/article.html
- Janger, E. J., & Schwartz, P. M. (2002). The Gramm-Leach-Bliley Act, information privacy, and the limits of default rules. Minnesota Law Review, 86, 1219. Retrieved from http://www.paulschwartz.net/pdf//minn-final.pdf
- Neal, L., & White, E. N. (2012). The Glass–Steagall Act in historical perspective. Quarterly Review of Economics and Finance, 52, 104–113. doi:10.1016/j.qref.2011.12.005
- Zimring, F. E., & Hawkins, G. (1993). Crime, justice, and the savings and loan crisis. In A. J. Reiss & M. Tonry (Eds.), Beyond the Law: Crime in Complex Organizations (pp. 247–292). Chicago: University of Chicago Press.