
In February 2023, the Congressional Research Service released a report, Banking, Data Privacy, and Cybersecurity Regulation. The report has this introduction:

Financial data contains significant amounts of sensitive information, and ensuring the privacy of such data among financial institutions is a goal of many policymakers. In particular, Congress has demonstrated an interest in prioritizing data privacy standards in the financial system. Much of the legislative and regulatory data privacy framework established for banks and credit unions is constructed from a patchwork of cybersecurity provisions. Similarly, the implementation of cybersecurity supervisory programs among financial institution regulators is fragmented, and potential risks to the financial system have emerged as new technologies evolve.

Cybersecurity threats pose operational risk, reputational risk, and, potentially, systemic risk. Operational risk is the threat that an event such as a natural disaster, pandemic, or cyberattack limits or completely obstructs an institution’s ability to do business. Reputational risk is the threat that customers will avoid future business with an institution due to such an event. Systemic risk is the threat that an event may trigger instability in an entire industry or the overall economy.

No single law provides a framework for regulating cybersecurity in the United States. Instead, several laws cover different industries, and numerous laws cover aspects of cybersecurity for the financial system. The Gramm-Leach-Bliley Act of 1999 (GLBA; P.L. 106-102) is the most comprehensive of these laws and directs financial regulators to implement disclosure requirements and security measures to safeguard private information. GLBA provides a cybersecurity framework built upon two pillars: (1) privacy standards that impose disclosure limitations or limit financial institutions concerning disclosure of consumers’ information, and (2) security standards that require institutions to implement certain practices to safeguard the information from unauthorized access, use, and disclosure. The two major rules for implementing this framework are known as the Privacy Rule (Regulation P) and the Safeguards Rule, respectively. Other laws—such as the Sarbanes-Oxley Act of 2002 (P.L. 107-204), Fair and Accurate Credit Transactions Act (FACT Act; P.L. 108-159), Bank Protection Act (P.L. 90-389), and Bank Service Company Act of 1962 (P.L. 87-856)—complete the general legislative framework for depository institution cybersecurity.

Banking regulators implement the cybersecurity legislative framework through rulemaking, and then supervise institutions to ensure that banks are following regulations. Oversight of bank cybersecurity reflects a complex and sometimes overlapping array of state and federal laws, regulators, regulations, and guidance—many of which predate the emergence of cybersecurity risk. Congress is debating the extent to which it should unify or modernize the legislative framework for depository institutions. For example, one issue is how new technologies that facilitate financial data sharing should be treated under the existing cybersecurity framework. Another issue is how and whether the data privacy protections that exist for data sharing should also apply to data collection. The Data Privacy Act of 2023, scheduled for markup in February 2023, examines several of these issues. Further, technology partnerships, particularly at smaller banks, with institutions such as cloud management companies, have led to new cybersecurity risks to the banking system. This has raised concerns among policymakers about the capacity of the existing framework to address new risks.