WASHINGTON — Credit unions and financial institutions are required to take steps to protect against cyberattacks, but small businesses that process payments are not doing enough to protect the security of the financial system, a credit union executive said Wednesday.
Jim Mooney, president and chief executive of the Chevron Credit Union of Oakland, Calif., told the House Small Business Committee that “It is very ambiguous right now” what cyber safeguards small businesses are required to put in place. He cited a report that found that 65% of all cyberattacks struck small and midsize businesses last year. Their larger counterparts remain a prime target, but they also tend to have more resources dedicated to protecting against hacks.
Mooney said legislation is needed to ensure all businesses involved in the financial sector face similar data security standards.
“Securing consumers' personal information and financial accounts will require the entire payments ecosystem to take an active role in addressing emerging threats, and in turn require all industries to be proactive in protecting consumers’ personally identifiable and financial information from the onset,” Mooney said.
Mooney added that certain financial institutions, including credit unions and banks, are already held to a higher standard and that a similar concept could be applied to other industries.
“Under Gramm-Leach-Bliley, we are really given the duty that everybody has to be playing at the same level,” said Mooney, who was speaking on behalf of the National Association of Federally-Insured Credit Unions. “As GLBA has functioned, it is scalable, so the risk that a multinational institution has is going to be much different than a small credit union and the risk assessment is much different, but everybody is on the same page.”
Lawmakers attempted to tackle the data security issue in the last Congress, but they have had trouble sorting through competing ideas about a federal standard for data security.
Mooney cited legislation introduced by Sen. Tom Carper, D-Del., and now retired Rep. Randy Neugebauer, R-Texas, that would have expanded Gramm-Leach-Bliley Act standards to a broader set of industries.
Speaking at the same hearing, Charles Rowe, president and CEO of America’s Small Business Development Centers, acknowledged that cybersecurity is a problem for small businesses, but said it is difficult to determine what sort of requirements should be applicable to small businesses.
“If the small business has decent cyberprotection, is that reasonable amount? I honestly don’t know,” Rowe said. “The problem is that the bar keeps shifting as technology changes.”
Rowe added that “there should be significant concern that federal and state agencies will begin to develop conflicting and potentially contradictory procurement regulations, derived from the best intentions regarding security and privacy, but having a negative effect on small business participation.”
Another concern during the hearing was determining whether a small business had taken sufficient steps to protect customer payment data. Rowe said a regulatory framework would likely favor larger companies.
Rep. Blaine Luetkemeyer, R-Mo., said insurance could be a solution.
“Can we find a way to find a safe harbor,” Luetkemeyer said, “or is the safe harbor something like an insurance policy that is put in place to protect a small business that doesn’t have the resources of a Target or Home Depot that have had some data breaches?”
But Rowe was skeptical. “There is a fledgling industry on cybersecurity insurance,” he said, “but frankly, even if you are insured, I wonder how the actuarial effort would work.”
Rowe also said that, as Congress ponders legislative changes, technological innovations in blockchain technology will “massively” change payment and identity security.