FDIC Issues Customer Cybersecurity Guidance
On March 8, 2016, the Federal Deposit Insurance Corporation (“FDIC”) released a special edition of its FDIC Consumer News publication series covering cybersecurity issues impacting banking customers (“Cybersecurity Release”). The FDIC’s release features practical guidance for customers related to the protection of financial data online and describes the role of banks and government regulators in safeguarding customer information. The release, part of the FDIC Consumer News series that the agency has issued regularly since the early 1990s, also provides targeted data security advice for small businesses.
The FDIC’s Cybersecurity Release orients customers to the basics of securing computers, smartphones, and other mobile devices used for online banking transactions. For instance, the agency recommends implementing “strong” usernames and passwords for logging into accounts or conducting financial transactions, meaning passwords that include a combination of lower-case letters, upper-case letters, and symbols. The release further highlights other essential data security advice, such as the importance of maintaining up-to-date security software (including effective anti-virus programs), using a firewall to screen out unauthorized users, ensuring that online transactions are conducted only with reputable businesses, and being mindful of the risks inherent in using public computers and/or wireless networks.
The Cybersecurity Release also gives an overview of the role banks and bank regulators play in combating cyberthreats. It points out that “the FDIC and other regulators work with financial institutions to help protect customer information and money,” noting that “federal law and regulations have required that financial institutions have programs to ensure the security and confidentiality of customer information” since 2001. The FDIC also mentions that state and federal bank examiners perform exams of FDIC-insured entities to test compliance with applicable rules. In addition, the FDIC describes how “[b]anking regulators also work with institutions to share overviews of the cyberthreat landscape and discuss steps they can take to be prepared.” By way of example, last year, the agency “produced an educational video on cybersecurity to help boards of directors and senior management at banks protect against potential threats.” Further, the FDIC recommends that financial institutions “join industry organizations that provide reliable and timely information designed to help institutions protect critical systems from cyber threats.” The FDIC also describes the relevant federal laws and industry practices designed to protect victims from losses incurred in cyber attacks, such as a consumer’s maximum liability in the event their credit or debit card is compromised.
The FDIC’s Cybersecurity Release provides additional guidance specifically tailored to data security for small businesses. The FDIC points out that it is “important for small business owners to be vigilant in protecting their computer systems and data” because, among other reasons, “[f]ederal consumer protections generally do not cover businesses for losses they incur from unauthorized electronic fund transfers.” For the FDIC, a critical component of protecting small businesses and their employees from cyberthreats is the rollout of comprehensive cybersecurity procedures and training for personnel. The FDIC recommends training “employees about cybersecurity issues, such as suspicious or unsolicited emails asking them to click on a link, open an attachment or provide account information,” noting that “[b]y complying with what appears to be a simple request, your employees may be installing malware on your network.” The FDIC also notes that small businesses can take advantage of cybersecurity training resources available from the Small Business Administration. Further, the FDIC recommends that small businesses back up critical data and systems “at least once a week.”
The release concludes by identifying additional online resources that can educate consumers and businesses about cybersecurity issues, including the Federal Trade Commission’s computer security site (www.consumer.ftc.gov/topics/computer-security) and the Federal Bureau of Investigation’s computer protection site (www.fbi.gov/scams-safety/computer_protect).
The FDIC’s Cybersecurity Release demonstrates the federal government’s continued focus on data protection issues at financial institutions and provides helpful guidance for individuals and small businesses that may be inexperienced in the cybersecurity field. Even for large companies with a high degree of cybersecurity sophistication that have progressed beyond the basic tenets described by the FDIC’s release, it nonetheless stands as a valuable reminder of the regulator’s core expectations of businesses in this space.
Reporter, Kyle Sheahen, New York, +1 212 556 2234