CSBS Issue Talking Points - March 2021

Cybersecurity: Nonbanks

CSBS Position

The rise of nonbank cybersecurity risk is a concern to state regulators because of the potential harm to consumers and institutions. As a result of this concern, nonbank cybersecurity supervision was approved as a high priority by the CSBS Board of Directors in March 2018 and is included in the 2021 Networked Supervision priorities. The board also approved various initiatives to support this position, including the development of a nonbank cybersecurity exam program, cybersecurity and IT examiner training, and a model data security law.

Summary

Several trends occurring in the nonbank financial services industry are increasing the need for robust cybersecurity and IT policies: greater use of and reliance on technology, nonbanks obtaining a larger percentage of industry market share, and the possession of an ever-growing amount of consumer and business data. As these trends grow, so do the number and sophistication of cybersecurity attacks. According to recent congressional testimony, in the first five months of 2020, cyberattacks against the American financial sector increased by 238%.

In response to these trends, state regulators have issued and continue to develop supervisory solutions to ensure nonbank financial institutions have robust cybersecurity policies in place. Solutions available to state regulators include:

• Baseline Nonbank Cybersecurity Exam Program: Focuses on the critical parts of a cybersecurity program and was created to give regulators a tool to examine the smaller, less complex nonbank institutions.

• Enhanced Nonbank Cybersecurity Exam Program: A tool to examine the larger nonbank institutions that can be customized based on a set of core controls. An updated exam program will be released in early 2021.

• CSBS Model Data Security Law: CSBS approved model statutory language to be used by state regulators wishing to address nonbank data security (cybersecurity).

• Nonbank Ransomware Self-Assessment Tool (RSAT): A ready-to-use tool to assess an organization's efforts to control and mitigate risks associated with the threat of ransomware.

Why It Matters to State Regulators

As the primary regulator of nonbank financial institutions, state regulators have a responsibility to ensure these entities have robust cybersecurity policies and procedures. A security breach at a nonbank financial institution would lead to a loss of consumer information, disrupt business activities, and create a reputational risk to state regulators. A high-profile security breach of a nonbank institution could also lead to calls for federal preemption.

Talking Points

• Nonbank cybersecurity supervision was approved as a high priority by the CSBS Board of Directors in March 2018. It is also included in the 2020 – 2023 CSBS Strategic Plan.

FOR STATE REGULATOR USE ONLY