Cybersecurity Is Not an Area for De-Regulation

by Maria T. Vullo

Recently, the White House chief of staff announced that a major priority of the federal administration is de-regulation.  According to the proponents of de-regulation, companies should be free to determine their own risks without governmental interference.  This view is myopic and, if continued, will lead to increased risk to our financial system.  Certainly, cybersecurity is not an area that should be part of any de-regulatory agenda.

The job of the regulator, particularly in the financial services industry, is to ensure the safety and soundness of an industry that serves the public.  Promoting a compliance culture is a key part of the regulator’s job.  For government actors to make political statements about the propriety of regulations as a binary proposition is a very bad idea.  We have been there before and must resist the impulse to think it cannot happen again.

In 2007, our country experienced the worst financial crisis since the Great Depression, due in large part to the lax regulatory environment that preceded it.  As a result of risk-taking, nine million jobs were lost and eight million homes went into foreclosure.  It took eight years for the unemployment rate to return to a level consistent with the Federal Reserve’s employment objective.  And, to top it off, public debt rose and the public trust in our financial institutions plummeted.

The lax regulatory environment that led to the financial crisis included “innovations” in subprime mortgage lending and the pooling of mortgages into collateralized debt obligations.  Those so-called innovations put the financial system at great risk.  The complex web of derivative exposures only added to the instability and near-collapse of the U.S. financial system.

We must heed the lessons learned from the financial crisis.  In doing so, we should not focus solely on the particular subject areas that caused the crisis; we must also look more broadly to other risks that exist today that could imperil our financial system.

Cybersecurity is a prime example.  No financial institution can legitimately argue against the very real threat of a cybersecurity attack.  A cybersecurity attack not only can destroy a financial institution, it also can result in interconnected damage to the financial industry as a whole.  In addition, a cybersecurity attack causes great disruption to the customers whose personal financial data has been stolen or compromised, affecting the safety and security of each individual victimized by the attack.  In this age of foreign government interference in our elections, it is not difficult to imagine North Korea, Russia or China launching cybersecurity attacks for the purpose of stealing personal information and using that information for extortion or other serious crimes.

As Superintendent of the Department of Financial Services (“DFS”), I worked swiftly to promulgate New York’s nation-leading cybersecurity regulation governing the financial services industry.  In a few days, on March 1, 2019, the two-year implementation period for New York’s groundbreaking regulation will conclude.  Therefore, as of March 1, 2019, all banks, nonbanks, and insurance companies regulated by DFS will have risk-based cybersecurity policies and programs in place to protect customers’ private data; controls and plans to secure the data, including by utilizing encryption, continuous monitoring and multi-factor authentication; and governance practices that ensure that the institution’s cybersecurity programs are part of C-suite discussions and approval.  In addition, the final implementation deadline of March 1, 2019 requires that all DFS-regulated entities undertake the necessary due diligence on their third-party vendors to ensure that those vendors have adequate cybersecurity protections if they have access to the institution’s information systems and consumer financial information.

Many states have followed suit and enacted legislation for the insurance industry that is modeled after New York’s regulation.  Much progress has been made at the state level.  But where are the federal banking agencies?  Where is the U.S. Treasury?  Where is the Trump Administration?  Do they believe that this is an area for de-regulation?  While the mouthpieces for the administration trumpet their de-regulation agenda, they are sitting idly by and declining to impose strict requirements on the very large financial institutions that are regulated by the federal banking agencies.

Fortunately, many large banks recognize the need for strong cybersecurity protections and have taken steps to protect their information systems.  However, we cannot rest on voluntary compliance to reach the necessary levels of prevention.  Government has a critically important role to play.  As we have seen before, where government fails to act, institutions will focus on profits and take greater risks.  Where the federal government fails to act, our markets and consumers suffer.

We need leadership in Washington on cybersecurity.  The complexity of the issue does not warrant further delay.  Nor should the fact that our financial industry has multiple federal regulators be cited as a reason for the failure of action.  The U.S. Treasury can be a strong voice in this area, if it wants to be, and that voice must include strong advocacy for the imposition of governmental requirements on the financial industry in order to protect the U.S. and global economy from the very real threat it faces.

At least in the area of cybersecurity, governmental regulation must be seen as essential to ensuring that our financial institutions take cybersecurity compliance seriously.  Government is responsible for setting the rules that private industry must follow in order to protect our financial system.  It is well past time for the federal government to act.

Maria T. Vullo is a senior fellow in the Program on Corporate Compliance and Enforcement at New York University School of Law and former Superintendent of the New York State Department of Financial Services. 

Disclaimer

The views, opinions and positions expressed within all posts are those of the author alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of New York University School of Law.  PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with the author.