CSBS Issue Talking Points

Cybersecurity: Nonbanks

CSBS Position

The rise of nonbank cybersecurity risk is a concern to state regulators because of the potential harm to consumers and institutions. As a result, the CSBS Board of Directors approved nonbank cybersecurity supervision as a high priority in March 2018 and included it in the 2021 Networked Supervision priorities. The Board also approved initiatives to support this position, including development of a nonbank cybersecurity exam program, cybersecurity and IT examiner training, and a model data security law.

Summary

Several trends in the nonbank financial services industry have increased the need for robust cybersecurity and IT policies: greater use of and reliance on technology, nonbanks capturing a larger share of the industry market, and the possession of an ever-growing amount of consumer and business data. As these trends grow, so do the number and sophistication of cybersecurity attacks. According to recent congressional testimony, cyberattacks against the American financial sector increased by 238% in the first five months of 2020. In response, state regulators have issued, and continue to develop, supervisory solutions to ensure nonbank financial institutions have robust cybersecurity policies in place. Solutions available to state regulators include:

• Baseline Nonbank Cybersecurity Exam Program: Focused on the critical parts of a cybersecurity program, this gives regulators a tool to examine smaller, less complex nonbank institutions.
• Enhanced Nonbank Cybersecurity Exam Program: This tool for examining larger nonbank institutions can be customized based on a set of core controls; an updated exam program will be released in early 2021.
• CSBS Model Data Security Law: CSBS approved model statutory language for use by state regulators wishing to address nonbank data security (cybersecurity).
• Nonbank Ransomware Self-Assessment Tool, or RSAT: This ready-to-use tool can assess an organization’s efforts to control and mitigate the risks associated with the threat of ransomware.

Why It Matters to State Regulators

As the primary regulator of nonbank financial institutions, state regulators have a responsibility to ensure these entities have robust cybersecurity policies and procedures. A security breach at a nonbank financial institution would lead to a loss of consumer information and disruption of business activities, and would create reputational risk for state regulators. A high-profile security breach of a nonbank institution could also lead to calls for federal preemption.

Talking Points

• Nonbank cybersecurity supervision was approved as a high priority by the CSBS Board of Directors in March 2018 and is included in the 2020 – 2023 CSBS Strategic Plan.
• Robust cybersecurity and IT policies in the nonbank financial services industry are crucial to protecting companies and their customers; the need for these policies will only continue to grow.
• State regulators have developed several tools (listed above) to ensure nonbank entities have the proper policies in place.
• The risks of a cybersecurity breach include the loss of consumer information, disruption to business activities, reputational risk to state regulators, and possibly federal preemption.

SME Contact: Mike Bray, Senior Manager, Nonbank Supervision & Enforcement: 202-559-1953 or mbray@csbs.org

Date Updated: January 2021

FOR STATE REGULATOR USE ONLY
