As if banks couldn’t be more nervous about the cybersecurity threats facing the industry, 2018 opens up with a new method of attack: jackpotting, in which criminals install malware to take control of ATMs to gain vast amounts of cash. It’s no wonder that Robin Wiessmann, the secretary of the Pennsylvania Department of Banking and Securities, says that cybersecurity is the top issue for her department, and that she was one of the first state regulators to create a task force to focus on the issue. In this interview, which has been edited for length and clarity, she shares her thoughts on this top risk, as well as her views on safe and sound partnerships between banks and fintech firms.
BD: As your state’s banking regulator, what are the top issues you’re looking at relative to the banking industry right now?
RW: I think the overarching goal of the department is to ensure that the industry is healthy, and viable, and competitive. Specifically, as relates to the top issues, I think the overall challenge for community banks and banks of all types is adaptation to the new banking models, and that’s driven by a number of things. One [is the change] in technology and the way the delivery of services [is] provided, as well as banks choosing what services they want to provide to their particular marketplaces. That is a fundamental question or challenge for banks right now. Technology is changing the business models, but they also have to make a decision about how they’re actually going to utilize fintech. I don’t think it’s a question of whether or not they should. It’s hard to not do it.
And then the other overarching challenge is that of cybersecurity—making sure that there is confidence in our banking and our financial services sector.
So those are the three major elements: adaptation to the new banking models, changing the choice of services and the delivery of services—how they’re going to apply fintech—and how they’re going to deal with the necessity for cybersecurity.
BD: You wrote recently that cybersecurity is the word of the year for your agency. Why is this the issue for 2018 for the entities that the agency regulates?
RW: I think our role is to provide a focus on the most pressing matters of the day, as well as the long-term viability and the vitality of [the] commercial banking marketplace. And I don’t think there’s any other challenge greater at this point in time than cybersecurity. This is not obscure; it’s not theoretical any longer—it’s got real practical implications. If we can’t manage that—we know we can’t prevent it all, but if we don’t manage it properly—we will not only lose the confidence of the marketplace, we can potentially lose the ability to function in our marketplace through hacking. The risk of security breaches grows exponentially every day, and it’s not only disruptive in terms of our personal information but also the very framework of our business and our economy. That’s why it’s at the top of the list.
BD: What are your expectations for bank boards around cybersecurity?
RW: I’ve been on boards previously…and I’ve seen the evolution to more focus on the audit committee which has historically been [the] bottom line of defense in terms of the reporting out of operations and actual operations. But [the audit committee has] now evolved into a broader risk management, and that’s for the business model—how economically viable it is—as well as the operations. So, I would expect that the boards today are dealing with the classification of risk management—either inside the audit committee or as a stand-alone committee, because risk management encompasses a lot.
The companies that do pay attention to this existential risk will do well, and those who don’t provide that particular focus leave themselves to be very vulnerable. We know the responsibilities [of] corporate board directors have increased and bank directors, of course, perhaps even more so. Any organization that does not recognize the threat really does risk the loss of their customer base, their partners, their vendors. So, it requires a particular focus, a separate monitoring if you will, by the board of directors.
BD: We’re seeing more partnerships between banks and fintech firms. As a regulator, what do you want to see occur to ensure that those are safe and sound relationships?
RW: What we have observed in terms of fintech companies is, they’re financial services [firms] that are driven by technology—that’s the way I think about it—but many of these fintech firms think of themselves as technology companies, so they may not be aware of how they actually are regulated in terms of whether or not they’re money transmitters, if that’s what they’re doing, or if they’re lenders, or they’re investing, or any combination thereof. So fundamentally, we want to make sure that there’s knowledge and awareness, for the fintech firms, of their responsibilities under the law.
Now obviously the partnerships between banks and fintech firms, they have to figure out where that balance lies. Are there requirements for separate registrations? If they’re partnering with a company—a lot of them are going to [ask], do we buy, do we build or do we partner? And each one of [those options] has a different implication, obviously. Building the technology internally is clearer from a regulatory standpoint, but it may take longer, and there may be things in the marketplace that suit their interests. I think we’re going to see a lot of buying of these technologies, because I think that’s part of the goal of some of these technologies, is to be acquired at a premium price.
But I do think there may be many, maybe most, situations where there’s real partnering, and the responsibility will ultimately rest with the bank to make sure their partners are complying with whatever laws they need to, because the partners may be doing business in 50 different states, and there are different laws and regulations applying to them.
So, it’s about due diligence, it’s about thinking through very carefully and figuring out literally where the buck stops. Because if you put the overlay of cybersecurity on top of these partnerships, then you really appreciate that if you’re partnering with someone, you want to be sure that your clients’ information is safe, so how do you create a firewall? How do you manage that information sharing while protecting the privacy of the data? And where are vulnerabilities, and under what circumstances, if there was something that happened to your partner—and we’ve seen this recently in a number of corporate situations as it relates to identifying information—if there’s something that happens to your partner, what do they have in place to handle it? Do they have policies and procedures in place, and what are their responsibilities to you as an entity, in terms of not just informing but managing the situation?
There’s great upside for business models, but there’s also great [exposure] for security and operational risk, and you just have to deal with that.