[House Hearing, 117 Congress]
[From the U.S. Government Publishing Office]


                     CYBER THREATS, CONSUMER DATA,
                        AND THE FINANCIAL SYSTEM

=======================================================================

                             HYBRID HEARING

                               BEFORE THE

                  SUBCOMMITTEE ON CONSUMER PROTECTION
                       AND FINANCIAL INSTITUTIONS

                                 OF THE

                    COMMITTEE ON FINANCIAL SERVICES

                     U.S. HOUSE OF REPRESENTATIVES

                    ONE HUNDRED SEVENTEENTH CONGRESS

                             FIRST SESSION

                               __________

                            NOVEMBER 3, 2021

                               __________

       Printed for the use of the Committee on Financial Services

                           Serial No. 117-59
                           

                               __________

                    U.S. GOVERNMENT PUBLISHING OFFICE                    
46-248 PDF                 WASHINGTON : 2022                     
          
-----------------------------------------------------------------------------------   

                 HOUSE COMMITTEE ON FINANCIAL SERVICES

                 MAXINE WATERS, California, Chairwoman

CAROLYN B. MALONEY, New York         PATRICK McHENRY, North Carolina, 
NYDIA M. VELAZQUEZ, New York             Ranking Member
BRAD SHERMAN, California             FRANK D. LUCAS, Oklahoma
GREGORY W. MEEKS, New York           BILL POSEY, Florida
DAVID SCOTT, Georgia                 BLAINE LUETKEMEYER, Missouri
AL GREEN, Texas                      BILL HUIZENGA, Michigan
EMANUEL CLEAVER, Missouri            ANN WAGNER, Missouri
ED PERLMUTTER, Colorado              ANDY BARR, Kentucky
JIM A. HIMES, Connecticut            ROGER WILLIAMS, Texas
BILL FOSTER, Illinois                FRENCH HILL, Arkansas
JOYCE BEATTY, Ohio                   TOM EMMER, Minnesota
JUAN VARGAS, California              LEE M. ZELDIN, New York
JOSH GOTTHEIMER, New Jersey          BARRY LOUDERMILK, Georgia
VICENTE GONZALEZ, Texas              ALEXANDER X. MOONEY, West Virginia
AL LAWSON, Florida                   WARREN DAVIDSON, Ohio
MICHAEL SAN NICOLAS, Guam            TED BUDD, North Carolina
CINDY AXNE, Iowa                     DAVID KUSTOFF, Tennessee
SEAN CASTEN, Illinois                TREY HOLLINGSWORTH, Indiana
AYANNA PRESSLEY, Massachusetts       ANTHONY GONZALEZ, Ohio
RITCHIE TORRES, New York             JOHN ROSE, Tennessee
STEPHEN F. LYNCH, Massachusetts      BRYAN STEIL, Wisconsin
ALMA ADAMS, North Carolina           LANCE GOODEN, Texas
RASHIDA TLAIB, Michigan              WILLIAM TIMMONS, South Carolina
MADELEINE DEAN, Pennsylvania         VAN TAYLOR, Texas
ALEXANDRIA OCASIO-CORTEZ, New York   PETE SESSIONS, Texas
JESUS ``CHUY'' GARCIA, Illinois
SYLVIA GARCIA, Texas
NIKEMA WILLIAMS, Georgia
JAKE AUCHINCLOSS, Massachusetts

                   Charla Ouertatani, Staff Director
     Subcommittee on Consumer Protection and Financial Institutions

                   ED PERLMUTTER, Colorado, Chairman

GREGORY W. MEEKS, New York           BLAINE LUETKEMEYER, Missouri, 
DAVID SCOTT, Georgia                     Ranking Member
NYDIA M. VELAZQUEZ, New York         FRANK D. LUCAS, Oklahoma
BRAD SHERMAN, California             BILL POSEY, Florida
AL GREEN, Texas                      ANDY BARR, Kentucky
BILL FOSTER, Illinois                ROGER WILLIAMS, Texas
JUAN VARGAS, California              BARRY LOUDERMILK, Georgia
AL LAWSON, Florida                   TED BUDD, North Carolina
MICHAEL SAN NICOLAS, Guam            DAVID KUSTOFF, Tennessee, Vice 
SEAN CASTEN, Illinois                    Ranking Member
AYANNA PRESSLEY, Massachusetts       JOHN ROSE, Tennessee
RITCHIE TORRES, New York             WILLIAM TIMMONS, South Carolina
                            
                            
                            C O N T E N T S

                              ----------                              
                                                                   Page
Hearing held on:
    November 3, 2021.............................................     1
Appendix:
    November 3, 2021.............................................    47

                               WITNESSES
                      Wednesday, November 3, 2021

Jain, Samir, Director of Policy, Center for Democracy and 
  Technology (CDT)...............................................     5
James, Robert II, Chairman, National Bankers Association (NBA)...     7
Newgard, Jeffrey K., President and Chief Executive Officer, Bank 
  of Idaho, testifying on behalf of the Independent Community 
  Bankers of America (ICBA)......................................    11
Vazquez, Carlos, Chief Information Security Officer, Canvas 
  Credit Union...................................................     9

                                APPENDIX

Prepared statements:
    McHenry, Hon. Patrick........................................    48
    Jain, Samir..................................................    50
    James, Robert II.............................................    59
    Newgard, Jeffrey K...........................................    65
    Vazquez, Carlos..............................................    73

              Additional Material Submitted for the Record

Perlmutter, Hon. Ed:
    Written statement of the American Bankers Association........    75
    Written statement of the Credit Union National Association...    90
    Written statement of the Electronic Transactions Association.    93
    Written statement of the National Association of Federally-
      Insured Credit Unions......................................    95
    Written statement of SentiLink...............................   102

 
                     CYBER THREATS, CONSUMER DATA,
                        AND THE FINANCIAL SYSTEM

                              ----------                              


                      Wednesday, November 3, 2021

             U.S. House of Representatives,
                Subcommittee on Consumer Protection
                        and Financial Institutions,
                           Committee on Financial Services,
                                                   Washington, D.C.
    The subcommittee met, pursuant to notice, at 10:06 a.m., in 
room 2128, Rayburn House Office Building, Hon. Ed Perlmutter 
[chairman of the subcommittee] presiding.
    Members present: Representatives Perlmutter, Sherman, 
Green, Foster, Vargas, Lawson, Casten, Pressley, Torres; 
Luetkemeyer, Lucas, Posey, Barr, Williams of Texas, Loudermilk, 
Budd, Kustoff, Rose, and Timmons.
    Ex officio present: Representative Waters.
    Chairman Perlmutter. The Subcommittee on Consumer 
Protection and Financial Institutions will come to order.
    Without objection, the Chair is authorized to declare a 
recess of the subcommittee at any time. Also, without 
objection, members of the full Financial Services Committee who 
are not members of the subcommittee are authorized to 
participate in today's hearing.
    I want to thank our witnesses for being here today. With 
the hybrid format of this hearing, we have some Members and 
witnesses participating in person and others on the Webex 
platform. For those of you on the Webex platform, we have had 
some trouble with the timer, so I will have to step in if 
people are running over their time limit. But we should be 
fine.
    I would like to remind all Members participating remotely 
to keep themselves muted when they are not being recognized by 
the Chair. The staff has been instructed not to mute Members, 
except when a Member is not being recognized by the Chair and 
there is inadvertent background noise.
    Members are also reminded that they may only participate in 
one remote proceeding at a time. If you are participating 
remotely today, please keep your camera on, and if you choose 
to attend a different remote proceeding, please turn your 
camera off.
    Today's hearing is entitled, ``Cyber Threats, Consumer 
Data, and the Financial System.'' Legislation noticed with 
today's hearing includes H.R. 3910, ``the Safeguarding Non-bank 
Consumer Information Act;'' a discussion draft entitled, ``the 
Strengthening Cybersecurity for the Financial Sector Act,'' and 
a discussion draft entitled, ``the Enhancing Cybersecurity of 
Nationwide Consumer Reporting Agencies Act.''
    I now recognize myself for 4 minutes to give an opening 
statement.
    In both business and medicine, they have variations of what 
is known as the ``Sutton Rule.'' And for those of you who 
don't know what the Sutton Rule is, it is based on an old urban 
legend about a famous bank robber named Willie Sutton. When he 
was asked by a reporter why he robbed banks, Sutton casually 
replied, ``Because that is where the money is.''
    The Sutton Rule suggests going after the obvious target. 
Banks and credit unions have long been targets for criminals, 
but today's criminals don't wield Tommy guns and they aren't 
only after cash. Cyber criminals also target financial 
institutions to steal consumer and business data, deploy 
ransomware, and disrupt services.
    Ransomware attacks have been growing in frequency and 
severity for years. Over the first half of this year, there was 
a 1,318 percent increase in ransomware attacks on banks and 
credit unions.
    Consumer financial and personal data is an attractive 
target for criminals. I doubt there is a person on this 
committee who has not had some of their personal or financial 
information exposed in a data breach. And I know I have been 
impacted by multiple data breaches over the last few years.
    Tech companies, financial institutions, and many other 
businesses are collecting and storing more consumer data than 
ever before. The 2017 Equifax breach exposed the data of 147 
million people, including 200,000 credit card numbers. And in 
2019, Capital One was hacked and 100 million credit card 
applications were stolen.
    The issues of cybersecurity and consumer data rights are 
intertwined, which makes cybersecurity critical for all 
financial institutions, large and small. Earlier this year, the 
CEOs of the largest banks in the United States testified before 
our committee. Congressman Huizenga asked them what was the 
greatest threat facing our financial system, or what was one of 
them, and the answers from four of the six CEOs included 
cybersecurity.
    Similarly, in a recent survey, 71 percent of community 
bankers listed cybersecurity as a significant risk. Many 
financial institutions have strong cybersecurity protections, 
but such efforts don't come cheap. For some of the largest 
banks, cyber defenses cost more than a billion dollars per 
year.
    In May of this year, President Biden issued an Executive 
Order on improving the nation's cybersecurity, to enhance 
information-sharing between the government and the private 
sector, modernize cybersecurity standards in government, 
improve software supply chain security, and make other 
improvements to cyber defenses.
    Additionally, the Treasury Department recently announced 
new efforts to counter the rise in ransomware, including 
sanctions against cryptocurrency exchanges for facilitating 
ransomware payments.
    The security and resilience of our financial system is not 
a partisan issue. Republicans, Democrats, and unaffiliated 
voters all share the desire to stop criminals from exploiting 
vulnerabilities and carrying out attacks on critical 
infrastructure, such as financial institutions.
    I was pleased to work with my friend from Missouri, Ranking 
Member Luetkemeyer, on this hearing, and I appreciate his ideas 
and commitment to strengthening cyber defenses in the financial 
sector. And I also appreciate working with my friend, 
Representative Kustoff, on this very same subject.
    I look forward to this discussion today to learn how we can 
work together to improve cybersecurity in the financial sector 
to protect businesses and consumers.
    With that, I will now yield to the vice ranking member of 
the subcommittee, the gentleman from Tennessee, Mr. Kustoff, 
for 5 minutes for an opening statement.
    Mr. Kustoff. Thank you, Mr. Chairman. Thank you for 
convening today's hearing.
    And thank you to the witnesses for appearing today, both in 
person and virtually.
    Without a doubt, our financial system is the envy of the 
world. I think we all agree with that. To make sure it stays 
that way, Republicans need to continue to embrace technology 
and support innovation. We do. In fact, both sides of the aisle 
do.
    Private-sector innovation has led us to more dynamic and 
inclusive financial institutions that are better-equipped to 
serve American consumers, but bad actors continue to evolve. We 
have seen cyber espionage from foreign adversaries such as 
China, Russia, and Iran, and they have all spiked. And that is 
why it is crucial that we remain one step ahead.
    Cyber attacks pose one of the greatest threats to our 
financial systems. And understanding what policies will better 
protect our financial institutions and consumers remains a top 
priority for this committee, again, on both sides of the aisle. 
As we have seen, there are vulnerabilities in the system, and 
they have to be identified and they have to be corrected.
    We know that financial institutions have been one of the 
leading targets for cyber criminals. Just recently, we 
witnessed the Colonial Pipeline ransomware attack. Attacks of 
this size are more common than ever before. And with that, 
financial institutions are more mindful that a similar attack 
could happen to them.
    We all know that such an attack could disrupt the flow of 
money to consumers, disclose closely-held personal information, 
and ultimately undermine confidence in the entire banking 
system.
    So, again, I do want to thank the witnesses for being here 
today. They face the daily challenges of cybersecurity, and I 
think will provide us today with a real-world perspective.
    This committee has already begun work on these important 
issues. We included bipartisan cybersecurity provisions in 
legislation just last year. And financial regulators are 
providing Congress with more information about cybersecurity 
risks.
    In January of this year, Republicans issued a report which 
found that the COVID-19 pandemic and related relief programs 
created an environment ripe for cybercriminal activity, which 
continues to threaten our financial system and American 
consumers today.
    As our economy recovers, protecting our financial system 
from cybercriminals assumes an even more important role. And we 
all know that technology is changing the way consumers and 
investors operate. Online commerce is becoming the norm, and 
people are working from home more than ever before. Cyber 
exposure continues to grow. More work can and certainly must be 
done. Private-sector innovation, not government mandates, can 
lead the way. One-size-fits-all government policies won't be 
the solution.
    With that, I do want to thank the chairman, and I also want 
to thank Ranking Member Luetkemeyer for convening this hearing, 
which I think will be both informative and helpful. I look 
forward to more bipartisan work on this issue.
    And, Mr. Chairman, before I yield back my time, I would ask 
unanimous consent to insert Full Committee Ranking Member 
McHenry's remarks into the record.
    Chairman Perlmutter. Without objection, it is so ordered.
    Mr. Kustoff. I yield back.
    Chairman Perlmutter. I thank the gentleman.
    The Chair now recognizes the Chair of the full Financial 
Services Committee, Chairwoman Waters, for one minute.
    Chairwoman Waters. Thank you very much, Chairman 
Perlmutter, for holding this important hearing on 
cybersecurity.
    Financial institutions have long been a top target for 
cybercriminals. Several years ago, Equifax experienced one of 
the largest cyber attacks, exposing the sensitive, personally 
identifiable information of nearly 150 million Americans. 
Government agencies and institutions are observing an alarming 
increase in the volume and sophistication of cyber attacks. 
According to one report, banks and credit unions experienced a 
1,318 percent increase in ransomware attacks during the first 
part of this year.
    So, I look forward to hearing from our witnesses on ways we 
can strengthen cybersecurity in the financial sector, including 
understanding how small institutions like minority depository 
institutions (MDIs) utilize third-party vendors to provide core 
processing and software, and what vulnerabilities arise from 
those partnerships that we need to address.
    Thank you, and I yield back the balance of my time.
    Chairman Perlmutter. The gentlewoman yields back.
    It is now my pleasure to welcome each of our witnesses, and 
I want to introduce our panel.
    First, we will begin with Samir Jain, the director of 
policy at the Center for Democracy and Technology, who is 
present in the hearing room today. Mr. Jain has decades of 
experience in private practice and government, including at the 
Department of Justice, and as a Senior Director for 
Cybersecurity Policy for the National Security Council.
    Second, we have Mr. Robert James II, the president and CEO 
of Carver Financial Corporation. Mr. James is also the director 
of strategic initiatives at Carver State Bank, and currently 
serves as the chairman of the National Bankers Association.
    Third, from my great State of Colorado, we have Carlos 
Vazquez, the chief information security officer of Canvas 
Credit Union in Colorado. Mr. Vazquez has decades of experience 
in information technology and security, and currently leads 
Canvas Credit Union's efforts in mitigating cybersecurity 
risks.
    And finally, our fourth witness is Jeff Newgard, the 
president and chief executive officer of the Bank of Idaho. He 
is testifying on behalf of the Independent Community Bankers of 
America. Previously, Mr. Newgard was president and CEO of 
Yakima National Bank, and he is a graduate of the Colorado 
Graduate School of Banking.
    Witnesses are reminded that your oral testimony will be 
limited to 5 minutes. I think our timer is now working. You 
should be able to see a timer on the desk in front of you or on 
your screen that will indicate how much time you have left. 
When you have 1 minute remaining, a yellow light will appear. I 
would ask you to be mindful of the timer, and when the red 
light appears, to quickly wrap up your testimony, so that we 
can be respectful of both the other witnesses' and the 
subcommittee members' time.
    And without objection, your written statements will be made 
a part of the record.
    I would also ask, just as a personal plea, to take your 
time with your testimony, and speak as clearly as you can, 
because, especially if you are on the platform, your testimony 
kind of reverberates in this room. So for these ears, I just 
would appreciate that.
    Mr. Jain, you are now recognized for 5 minutes for your 
testimony, sir.

    STATEMENT OF SAMIR JAIN, DIRECTOR OF POLICY, CENTER FOR 
                 DEMOCRACY AND TECHNOLOGY (CDT)

    Mr. Jain. Thank you, and good morning. CDT is a 
nonpartisan, nonprofit 501(c)(3) organization dedicated to 
advancing civil rights and civil liberties in the digital 
world. On behalf of CDT, I appreciate the opportunity to 
testify today.
    In my written statement, I discuss how the cyber threat 
environment has grown more dangerous. Two of you, I think, this 
morning, have already noted the statistic about a 1,318 percent 
increase in ransomware attacks in the last year.
    Today, I am going to briefly discuss a few of the 
challenges that the financial services sector in particular 
faces in addressing cyber threats, and two potential areas in 
which we can make progress to better protect consumers and 
their data.
    Even though the financial services industry has responded 
more proactively to cybersecurity challenges than most sectors, 
it still remains highly vulnerable.
    I will focus on three particular reasons. First, financial 
institutions are highly-interconnected with one another and 
with third-party service providers, which has significant 
implications from a systemic perspective. A cyber attack can 
spread rapidly across the financial sector as an attacker moves 
laterally across institutions between financial networks. 
Moreover, if many financial institutions rely on a common 
vendor, a successful attack on that single vendor can have 
sector-wide consequences.
    A second challenge is the gap between large and small 
financial institutions. The largest financial institutions have 
significant in-house cyber expertise and can develop or 
purchase sophisticated defensive products, but smaller 
financial institutions don't have those resources or 
capabilities. But they aren't immune from attack, just because 
they are small. In 2020, over a quarter of breaches involved 
small businesses.
    A third challenge is the increasing reliance on technology. 
Today, customers interact with the financial system through 
networks, even for traditional banking services. As a result, 
the financial sector is increasingly subject to disruption from 
cyber attacks. And that is all the more true once you look 
beyond traditional banks to the role of fintech, data 
aggregators, and large technology platforms.
    In the face of these challenges, both the government and 
the private sector have sought to address cyber threats for a 
number of years, but much work remains to be done.
    I will highlight two areas in particular. First, 
information-sharing remains a fundamental component of any 
successful cybersecurity strategy, but we have learned that 
effective information-sharing is hard. The most useful 
information is actionable. It can actually be used by network 
defenders to prevent or recover from a cyber incident. It also 
needs to be as close to real time as possible so that they can 
act on time. Any information-sharing needs to separate signal 
from noise. Otherwise, companies may not know what information 
they should pay attention to now and what they can safely 
ignore or leave for later.
    One step Congress should consider in connection with 
information-sharing is mandating that critical infrastructure 
entities report cyber incidents to the Federal Government. 
Today, no government agency has a complete picture of what 
institutions have suffered cyber incidents, and such 
information could clearly be valuable in bolstering cyber 
defenses.
    A second area to which Congress should look is baseline 
privacy legislation. Instead of one comprehensive set of rules 
to protect personal data throughout the digital ecosystem, we 
have a patchwork of sectoral laws with varying protections.
    One such law, the Gramm-Leach-Bliley Act (GLBA), applies to 
financial institutions. However, GLBA is inadequate to protect 
consumer financial data for at least two reasons.
    First, it applies only to financial institutions, a defined 
term that does not capture the full range of fintech and other 
technology companies and data aggregators that today process 
consumer financial information.
    Second, GLBA is limited in its privacy protections. It 
focuses on providing notice to consumers of certain forms of 
data-sharing and permits them to opt out. Yet, we all know that 
consumers don't read or rarely read online privacy policies, 
and that notice and consent, therefore, rests on a fiction. 
GLBA effectively adopts a broad default sharing of consumer 
financial information.
    The time has come for Congress to enact comprehensive 
privacy legislation that shifts the burden away from consumers 
and imposes obligations on the entities that collect, use, and 
share data. Privacy legislation should, among other things, 
require an entity to minimize the data it collects and 
processes, based on the purpose for which the entity needs the 
data. It should prohibit the secondary use or sharing of 
sensitive data, without the express opt-in consent of the 
consumer, and it should include data security requirements.
    Each of these steps will lower the risk to consumers from 
cyber attacks by reducing the amount of data that will be 
collected and shared and ensuring that whatever data is 
collected is handled with appropriate care.
    Moreover, a common privacy baseline that applies to all 
companies will avoid the situation we have today, in which the 
same data may receive some protection if processed by one 
entity but less protection if processed by another.
    Thank you, and I look forward to your questions.
    [The prepared statement of Mr. Jain can be found on page 50 
of the appendix.]
    Chairman Perlmutter. Thank you, Mr. Jain. I appreciate your 
testimony.
    Mr. James, you are recognized for 5 minutes for your 
testimony.

   STATEMENT OF ROBERT JAMES II, CHAIRMAN, NATIONAL BANKERS 
                       ASSOCIATION (NBA)

    Mr. James. Thank you, Chairman Perlmutter, Ranking Member 
Luetkemeyer, Vice Ranking Member Kustoff, Chairwoman Waters, 
and members of the subcommittee.
    We appreciate the opportunity to testify this morning on 
cyber threats, consumer data, and the financial system.
    My name is Robert James II, and I am the president of 
Carver Financial Corporation, the holding company for Carver 
State Bank in Savannah, Georgia. And I am also privileged to 
serve as chairman of the National Bankers Association (NBA).
    The NBA is the leading trade association for minority 
depository institutions (MDIs). Our mission is to advocate for 
MDIs on all legislative and regulatory matters concerning and 
affecting our members and the communities we serve. Our members 
are on the front lines of reducing economic hardship in 
minority communities, which are underserved by traditional 
banks and have been the hardest-hit by the pandemic.
    MDIs are critical economic development engines in minority 
and low-income communities, particularly due to our trusted 
relationships in these communities. Our internal teams work 
tirelessly to protect our systems and our customers from ever-
evolving cyber threats. We take these threats extremely 
seriously. Unfortunately, our small scale and lack of access to 
cutting-edge technology does not always allow us to move with 
the speed or agility required at times like these.
    A critical component of the resilience of the banking 
sector and its ability to assist underserved communities is the 
ability to adapt technologically. A host of different factors 
are intersecting to change the banking industry.
    Like most community banks, MDIs are heavily-reliant on a 
handful of large technology companies that provide core 
processing services for the technological systems of our 
operations. These companies have no incentives to help us adapt 
to the changing competitive landscape. We are consigned to 
long-term contracts with punitive early termination provisions, 
cannot easily plug in modern outside solutions that make it 
easier for our customers to do business or secure their data, 
and the fundamental technology of many of these systems is 
antiquated and leaves us incapable of making rapid changes.
    Because we are often the smallest clients of these giant 
firms, we receive the lowest priority for service. Our bank 
employees are constantly training and monitoring our internal 
systems, but we do not get the latest and best technology from 
the big core processors.
    We saw this play out during each round of the Paycheck 
Protection Program (PPP). Congress devised that program as a 
mechanism to aid small businesses who suddenly found themselves 
forced to close during stay-at-home orders, but a set of 
conditions favored larger businesses, and disadvantaged our 
banks in our communities.
    Many banks only approved loans for existing customers, 
delayed the applications of sole proprietorships, and didn't 
allow enough time for institutions like ours to work with small 
businesses through the application process. This combined to 
shut out many minority-owned businesses.
    Our banks found themselves sorely lacking in the technology 
needed to quickly respond. Unregulated companies were able to 
build technology solutions to address this market, but our 
banks, reliant on the core processors, were stuck with outdated 
processes that limited our ability to serve our customers.
    We also need our regulatory partners to help. We need to 
invest more in technology and the right people to implement it, 
but these investments can result in criticism when their 
earnings don't meet regulatory expectations. We can also find 
ourselves in situations where local or regional examiners 
impede our ability to implement new technological solutions.
    Several recent industry reports have attempted to detail 
how banks are responding to the challenge, whether through 
investment, data management, or new strategies to engage with 
customers. But with every step, there are obstacles, including 
potential workforce impact or just the burden of increased cost 
of technology investments.
    Even as customers primarily conduct transactions over 
mobile, banks are discovering that they still expect branch 
service to be an option. Young consumers are also open to going 
to technology firms for all of their financial services. In a 
recent global survey, Accenture found that 31 percent of bank 
customers would consider Google, Amazon, or Facebook if they 
offered such services.
    According to an FIS survey, the top 20 percent of firms are 
changing policy to promote and emphasize digital innovation. 
These firms are recruiting for digital technology expertise, 
encouraging more open innovation across roles, and appointing 
board-level roles with responsibility for digital innovation. 
It is difficult for our small banks to keep up.
    In conclusion, cultural shifts inside the financial 
services industry, including the core processors and the 
regulators, are necessary to help MDIs and other community 
banks better orient ourselves to meet new customer demands.
    Even though our teams are keeping our bank-side systems 
very safe, we are heavily-reliant on the big three core 
processors. Because of this concentration, our institutions are 
saddled with complex, onerous long-term contracts that stifle 
innovation in all areas, including security and identity 
verification.
    As the smallest banks, we get the worst service, and are 
the last to get innovations. So, our banks have a hard time 
competing with large banks and cannot easily offer our 
customers the latest technology. Our regulators do not always 
allow us to make needed investments in technology because of 
pressure on earnings. These factors, when combined, leave our 
customers and communities frustrated and vulnerable.
    We look forward to working closely with the committee and 
the subcommittee on ways we can level the playing field to 
ensure that our customers have access to the latest, most 
secure technology.
    Thank you.
    [The prepared statement of Mr. James can be found on page 
59 of the appendix.]
    Chairman Perlmutter. Thank you, Mr. James. I appreciate 
your testimony.
    Mr. Vazquez, you are now recognized for 5 minutes for your 
testimony.

    STATEMENT OF CARLOS VAZQUEZ, CHIEF INFORMATION SECURITY 
                  OFFICER, CANVAS CREDIT UNION

    Mr. Vazquez. Good morning, and thank you for inviting me to 
your subcommittee to discuss cybersecurity. We were provided 
with a few topics we would be discussing, so I would like to 
speak to these.
    The National Credit Union Administration (NCUA) is seeking 
legislative authority to have oversight over credit union 
service organizations and third-party vendors that offer 
services to credit unions. The NCUA sits on the Financial 
Stability Oversight Council (FSOC), yet is the only Federal 
agency that currently does not have this statutory authority as 
it relates to vendors that serve banking organizations.
    We believe credit unions deserve a Federal regulator with 
parity in this regard. Canvas Credit Union is supportive of 
parity for the NCUA, if the NCUA shares its information with 
State regulators and coordinates efforts with them whenever 
possible.
    It is important that vendors who have access to our 
members' data are held to the same standards as credit unions. 
It is the responsibility of Canvas to ensure that our members' 
financial data is safe and secure. We expect no less from our 
vendors. An additional level of comfort would be possible 
knowing that our vendors would also be scrutinized by a 
regulatory agency complementing our own vendor due diligence 
programs.
    On the efforts by government agencies to strengthen 
cybersecurity defenses, data-sharing is paramount in ensuring 
that credit union security departments are up to date on all 
threats affecting the security landscape. The Cybersecurity and 
Infrastructure Security Agency (CISA), the Department of 
Homeland Security (DHS), and the Financial Services Information 
Sharing and Analysis Center (FS-ISAC) are all doing a great job 
in disseminating threat information in a timely manner.
    Security webinars, conferences, and summits all provide 
important security information which allows credit unions to 
remain current with the constantly-evolving threat 
landscape.
    In several recent summits, there was participation by CISA 
and Homeland Security as either guest speakers or presenters. 
Having these agencies present at these gatherings is very 
helpful and important, as the discussions presented provide 
vital information as well as reassurance that our government is 
standing with financial institutions in their battle against 
malicious actors.
    One service I would like to highlight is the automated 
network scanning tool provided by CISA. This free tool 
complements our tool chest for security systems that monitor 
and test our network. For Canvas, it is another tool to use, 
but for smaller credit unions, it could be the only tool they 
have. I would like to see more efforts placed on providing free 
services to help credit unions with their security frameworks.
    Canvas Credit Union follows the National Institute of 
Standards and Technology Cybersecurity Framework (NIST CSF), as 
do many financial institutions. We are thankful for the 
guidance this provides on many architectures, such as zero 
trust and identity management. These guidelines definitely help 
credit unions in their roles of ensuring that our members' data 
remains secure.
    FS-ISAC is a resource that provides collaboration tools and 
security education to member financial institutions. They do a 
fantastic job of ensuring that those who need help get the 
help that they need.
    On consumer data protection challenges, people and 
technology are the challenges that credit unions face in 
ensuring that our members' data is protected. Statistics show 
that a massive shortage exists in skilled security 
professionals, who are required to manage the sophisticated 
tools in use today. Many in the security industry are working 
to address this shortage by providing access to security 
training at all educational levels. We would expect our 
government would also be focused on addressing this skill 
shortage.
    Technology will constantly be changing and improving to 
counter the threat landscape brought to us by the hackers bent 
on breaking into our networks to steal our data for their 
financial gain. Security teams are constantly on the defensive 
when it comes to protecting our networks. Security tools are 
improving, allowing for better detection to address 
vulnerabilities, but a focus by software vendors on security at 
the early stage of the development life cycle would ensure that 
most of these vulnerabilities are caught prior to going live 
with their product.
    Vendors need to have a better focus on security of both 
software development and how they store our data on their 
systems. As mentioned before, vendors should be held to the 
same standard as credit unions when it comes to protecting our 
members' data.
    In closing, cybersecurity will always be in a state of 
change. Yesterday, a threat was malware, viruses, or malicious 
executables inserted into our company's network. Today, as you 
have mentioned, ransomware, social engineering, and supply 
chain attacks are all threats today. And tomorrow, we will see 
the same, plus deepfake technology, and yet-unknown 
vulnerabilities in current hardware and software deployed by 
companies. Quantum process, which may allow for easy compromise 
of all of our current cyber technology, is an added concern as 
well.
    I would like to thank the subcommittee for bringing a focus 
on cybersecurity, the challenges it presents, and the role all 
of us have in protecting our data. It is an honor and privilege 
to speak with you today, representing Canvas Credit Union.
    [The prepared statement of Mr. Vazquez can be found on page 
73 of the appendix.]
    Chairman Perlmutter. Thank you, Mr. Vazquez. I appreciate 
your testimony.
    Now, our final witness, Mr. Newgard, is recognized for 5 
minutes.

STATEMENT OF JEFFREY K. NEWGARD, PRESIDENT AND CHIEF EXECUTIVE 
OFFICER, BANK OF IDAHO, TESTIFYING ON BEHALF OF THE INDEPENDENT 
              COMMUNITY BANKERS OF AMERICA (ICBA)

    Mr. Newgard. Chairman Perlmutter, Ranking Member 
Luetkemeyer, and members of the subcommittee, I am Jeff 
Newgard, president and CEO of Bank of Idaho, a $700 million 
asset community bank headquartered in Idaho Falls, Idaho, and 
serving markets throughout the State. I am testifying today on 
behalf of the Independent Community Bankers of America (ICBA), 
where I am Chair of the Cyber and Data Security Committee.
    A community bank that does not successfully navigate cyber 
threats and safeguard its customers will lose their trust and 
cannot remain viable and independent. To enhance cybersecurity, 
we need support from policymakers in Congress, the 
Administration, and the agencies.
    Community banks need to be on the cutting edge of 
technology to remain relevant and to compete with larger 
institutions as well as newer fintechs, but we need to adopt 
technology in a way that protects our vulnerable customers and 
the financial system as a whole. We operate in an ecosystem 
that includes all financial institutions as well as retailers, 
core providers, and many others. We are all in this together. 
An attack on any one node of the ecosystem is an attack on all 
of the participants.
    Cyber threats have evolved in recent years from criminal 
attackers seeking profit to nation-states with massive 
resources and technological sophistication. The threats are 
greater than ever and continue to mount and evolve.
    How do we manage the complexity? Ten years ago, community 
bank technology was mostly provided in-house. Today, this is 
simply an unaffordable option. Disaster recovery mandates as 
well as new technologies, such as internet banking, mobile 
banking, and imaging, have escalated the cost of cybersecurity.
    In response, community banks have turned to core providers 
and other large third-party providers for their cybersecurity. 
At the same time, consolidation has occurred among the core 
providers. Today, just three or four providers dominate the 
market. This has increased their market power and leverage and, 
most importantly, it has put a target on their backs. Their 
connections to other institutions and servicers create a web of 
vulnerability.
    What do we need from policymakers? While I provide more 
detail in my written statement, our recommendations form three 
broad themes. First, close the gaps in law, standards, and 
examination; second, create greater uniformity and 
harmonization of regulatory efforts; and third, promote sharing 
of information and best practices across the ecosystem.
    The gaps in today's regulatory environment exist because 
not all parties that process and store sensitive information 
are subject to the Gramm-Leach-Bliley Act (GLBA), which 
requires safeguarding of sensitive data backed by examination 
to ensure compliance. Retailers and technology companies, for 
example, are not subject to GLBA. Core providers and other 
third-party providers as well as credit reporting agencies are 
not subject to examination.
    A gap in accountability also contributes to systemic 
failures. When a data breach occurs, we believe that liability 
for that breach should be assigned to incentivize stronger 
security. The costs of a breach should be borne by the party 
that incurs the breach, be that a retailer, a credit reporting 
agency, or a bank or credit union. Too often, the breached 
entity evades accountability while financial institutions are 
left to mitigate damages to their customers.
    Uniformity and harmonization will strengthen the ecosystem 
by eliminating redundancy, closing gaps, and strengthening weak 
links. Financial institutions are regulated, overseen, and 
examined by four agencies, which, unfortunately, do not 
adequately coordinate their data security efforts.
    Thank you for the opportunity to testify today. My written 
statement provides comments on the legislation before the 
subcommittee today. And I look forward to your questions.
    [The prepared statement of Mr. Newgard can be found on page 
65 of the appendix.]
    Chairman Perlmutter. Thank you, Mr. Newgard.
    I would now like to recognize the Chair of the full 
Financial Services Committee, Chairwoman Waters, for 5 minutes 
for questions.
    Chairwoman Waters. Mr. Perlmutter, I would like to thank 
you again so much for this hearing today. And I want to thank 
you for the way that you have provided leadership on 
bipartisanship to deal with a serious issue confronting this 
country and this world.
    I want to thank the witnesses who are here today, and I 
want to thank particularly Mr. James, and of course, Mr. 
Newgard, whom we have heard from today. I am so very interested 
in all that we have learned about these core processors and the 
lack of competition and, of course, the cost to our smaller 
institutions, our minority depository institutions (MDIs), our 
Community Development Financial Institutions (CDFIs), and our 
community banks.
    And I would just like to ask Mr. James whether or not you 
agree with Mr. Newgard? He not only gave us a very vivid 
description of what is going on, but he talked about 
recommendations, which I was very pleased to hear. Do you agree 
with the recommendations that Mr. Newgard just shared with us 
and is giving us more information about?
    Mr. James. Thank you for the question, Madam Chairwoman. 
Yes, I actually agree wholeheartedly with Mr. Newgard. As you 
stated, all of our community banks are really subject to the 
whims of a handful of very large companies. And while we are, 
in a sense, secure, additionally secure, because there are ways 
for us to cut off access to consumer information at our bank 
locations, and our staff at Carver State Bank, and I'm sure the 
staff at Bank of Idaho work tirelessly, and train constantly, 
to keep up with various threats and landscapes.
    We are very dependent on these big core processors, and 
they have almost no incentives to work with our banks and make 
sure that we have the latest and greatest technology. I surmise 
that we are not necessarily getting the same level of service 
and attention that some of the larger institutions are getting, 
because we don't get the same level of service and attention 
when it comes to the customer-facing technology.
    I do know that the big core processors are attempting to 
keep their systems very safe, but they present a significant 
amount of risk to the entire system, so I think that they need 
to be subject to examination. And I certainly agree with Mr. 
Newgard's recommendations.
    Chairwoman Waters. Thank you very much.
    Mr. Chairman, just in this short period of time, I have 
heard enough from our witnesses today that leads me to believe 
that we must step up our action to deal with cybersecurity, 
particularly with our community banks, our CDFIs, and our MDIs, 
who are at the mercy of core processors who certainly attempt 
to do a good job, but I get the feeling that our smaller 
institutions are at the mercy of the work that is done for the 
larger institutions.
    The other thing that I would like to say to my colleagues 
on the opposite side of the aisle is, I can't think of a better 
subject or project that we could work on together than 
cybersecurity. And I want you to know that I will join with you 
for whatever it costs for us to ensure that they are able to 
deal with the sophisticated cybersecurity that they need.
    And, we really have to speed this up. We cannot linger as 
we deal with this, and then be forced to have to deal with the 
fact that there has been another big breach. We have to stop 
them, and we have to do it now. This is very important.
    I appreciate working with the opposite side of the aisle. I 
don't always, but I do now. And I think this is a great 
opportunity for us to work together. Let's get busy. Let's do 
it quickly, and let's make sure that our smaller institutions 
have the resources that they need to do the job.
    Thank you, and I yield back.
    Chairman Perlmutter. I thank the chairwoman. And I 
appreciate the comments about how this is a subject that all of 
us need to tackle together.
    And with that, I would like to yield 5 minutes to the 
ranking member of the subcommittee, the gentleman from 
Missouri, Mr. Luetkemeyer, for his questions.
    Mr. Luetkemeyer. Thank you, Mr. Chairman. And in the spirit 
of bipartisanship here that the chairwoman has set, before I 
begin my questioning, I want to take a moment to thank you for 
working with me in a bipartisan manner to hold this hearing 
today. I know we sat down and discussed the various topics to 
be able to find some common ground on, and this is one of them. 
And we were able to sit down and pick the subject as well as 
the witnesses. I appreciate your willingness to work across the 
aisle, and I am sure nothing last night had any sort of impact 
on what we are doing today.
    But along these lines, Mr. Newgard, you mentioned a minute 
ago something about some of these different entities that could 
enable the bad guy, so to speak, to access your records, and 
then the retailers or whomever escape liability for allowing 
the folks to access your records and documents and data.
    Would you like to expand just a little bit and explain how 
that happens, and what the reaction is and the costs that are 
associated with it?
    Mr. Newgard. Sure. Financial institutions are subject to 
examination, are subject to the GLBA. That does not go across 
the entire ecosystem. That is the issue. Retailers and the core 
processors are not subject to examination.
    And what happens in the real world is when customers get 
their information breached, and say, for example, a debit card 
is compromised, we work very hard to get that account closed 
and reissued. There is very little incentive from the retailer 
or from the entity that was breached to help out in that 
process, because they don't bear any of the cost. In fact, many 
times, the consumer does not bear the cost. The bank or the 
financial institution has to bear that cost. So, there is very 
little incentive to work together to strengthen the entire 
system. And that is the important thing, that it is an 
ecosystem.
    Mr. Luetkemeyer. How do you resolve that situation? What is 
your suggestion on how you fix that? Do the courts need to step 
in here? Do the courts need to step in and assign blame, assign 
liability? Do we need to have contracts that somehow explain 
where the liability lies for certain actions when they are 
taken? How do you fix this?
    Mr. Newgard. Yes. The retailers, the entities that are 
breached need to bear the cost. They need to be responsible for 
that breach. There is such a numbness within the consumer 
world. You hear about breaches all the time, and people are 
numb to it. There is no accountability. So, there needs to be a 
cost associated with having a breach instead of just 
assigning--they get out of it, basically. They sidestep it, and 
we are held accountable. In many cases, financial institutions 
have to pay for it.
    And the consumer is numb to it. There have been cases where 
I try to reissue the debit card, but the consumer really likes 
the convenience and doesn't want to change cards. They would 
rather have the convenience of using their card.
    Mr. Luetkemeyer. Very good. Thank you. I have a limited 
amount of time, so I want to move on here.
    Mr. James, I appreciate you being in front of us again. I 
always enjoy your comments. Thank you for being here.
    The chairwoman made a comment today about the smallest 
banks being vulnerable. I know you represent a lot of small 
banks, and so I was curious as to a concern I have that the big 
banks seem like they have unlimited resources to be able to do 
whatever it takes to protect themselves. And the small banks 
are really vulnerable from the standpoint that they can only 
purchase the amount of protection they can afford. How 
vulnerable does that leave them?
    Mr. James. Thank you, Ranking Member Luetkemeyer. It does 
leave us vulnerable. I walked through our bank's cybersecurity 
program with our chief technology officer yesterday. And what 
he explained to me is that we constantly train, we constantly 
test our employees. We constantly test our own systems that are 
sort of on the bank side. And because of the fact that we are 
plugged into these cores, we can cut off attacks at the local 
level and kind of minimize the damage.
    The flip side is that it is very challenging if the core 
processor gets attacked. That could shut down our ability to 
provide our customers with access to their funds. That could 
shut down our ability to transact business for them. So, that 
is really where the challenge comes in, because of the 
vulnerability of the core processors.
    Mr. Luetkemeyer. So, what you are saying is that the big 
guys can afford their own core processor, while the small guys 
are at the mercy of the core processors, whomever they may be, 
that service their needs?
    Mr. James. Yes.
    Mr. Luetkemeyer. Thank you. I apologize. I am out of time.
    Chairman Perlmutter. The gentleman's time has expired.
    I will now recognize myself for 5 minutes for questions. 
And, Mr. Newgard, I was chuckling about your anecdote about the 
guy who didn't want to change his credit card because it was 
inconvenient. Recently, Wells Fargo notified me of some 
unauthorized charges, one in Ohio, and one in South Carolina. I 
said, okay, I will close my credit card and get a new one. And 
then, I realized all of the different accounts that were 
attached to automatic payments on that credit card, usually 
when they turned off my TV, or I didn't pay for the Terminix 
pest guys.
    I can understand your customer saying they didn't want to 
change their card, because all of a sudden it really is 
inconvenient. So, we have to do our best to stop this at the 
beginning. But I did appreciate my bank notifying me of these 
unauthorized charges.
    Mr. Vazquez, I have a question for you. In your testimony, 
you call for the National Credit Union Administration to have 
parity with other financial regulators regarding oversight of 
third-party vendors. What are some of the challenges credit 
unions face in vendor management, and how might expanding this 
authority benefit credit unions such as yours?
    Mr. Vazquez. Yes, sir. Thank you for that question. The 
credit unions, as others have mentioned--you have small credit 
unions, and you have large credit unions. And the larger credit 
unions can have a very robust vendor management program while 
the smaller ones cannot. And it takes a huge program to be able 
to look at the vendor, review their contracts, look at their 
stock and look at their security landscape to ensure that they 
have the security that we have to match.
    So, what we are looking for is to say that we are being 
regulated to ensure that we are doing right by our members to 
hold their data safe and secure. Vendors that have our data 
that we contract with to better serve and provide services to 
our members now have our data, but they need to have the same 
security stance that we have. They need to have the same care 
that we have.
    So without that type of regulation, we don't have that 
comfort, especially smaller credit unions, to know that we are 
all on the same level field in protecting our data.
    Chairman Perlmutter. Thank you.
    Mr. Jain, this question may be better suited to the Science 
Committee, but I am hoping you or any of the panelists might 
have an answer. Somebody mentioned quantum computing and the 
potential benefits or concerns that something like that might 
have.
    In your studies, because you have had a pretty broad 
background, have you begun thinking about what quantum 
computing might do to enhance security or harm security?
    Mr. Jain. Thank you for that question. I think when we 
think about a lot of these new technological developments, 
whether it is quantum computing, whether it is the increased 
use of artificial intelligence, I think the difficulty is it 
can both help attackers and defenders, right? Because attackers 
can use these technologies, whether it is to try to overcome 
encryption or to automate their attacks and do them faster. On 
the other hand, defenders also potentially could take advantage 
of these technologies to help automate their defenses.
    Although this is an area where I think this disconnect that 
we have been talking about between large banks and large 
institutions and small institutions again will come into play, 
because it is going to be the large banks that can afford to 
try to take advantage and deploy some of these newer 
technologies, and it is going to be much harder for the smaller 
institutions and banks. And so, I think this is just going to 
exacerbate the sort of divide that we are seeing between the 
large and the small banks.
    Chairman Perlmutter. Thanks.
    Mr. Jain, as we saw in the SolarWinds hack and other cyber 
attacks, criminals are increasingly attempting to breach 
service providers. And for minority depository institutions and 
community banks, if one of the core service providers was 
compromised, how many financial institutions might be affected, 
if you can give us a guess?
    Mr. Jain. Sure. Chairman Perlmutter, one of the beauties of 
the American financial system is the diversity of financial 
institutions and community-oriented financial institutions that 
we have to serve customers and create those relationships.
    Our institutions really need to be able to protect our 
customers. On the banking side alone, there are probably 4,000 
or so banks that would be vulnerable in the event of attacks on 
the big core processors. And that is probably 80 percent of the 
banks that are regulated that are insured by the FDIC. That is 
my guess.
    Chairman Perlmutter. Thank you, sir. My time has expired.
    I would now like to recognize my friend from Oklahoma, Mr. 
Lucas, for 5 minutes.
    Mr. Lucas. Thank you, Mr. Chairman. I appreciate that.
    Mr. Newgard, could you discuss how the COVID-19 pandemic 
has exacerbated cybersecurity threats, and what challenges your 
bank and others have seen as a result of the lost year, so to 
speak, which continues?
    Mr. Newgard. The biggest challenge is the mobility of the 
workforce. Everybody, as was mentioned previously, went home 
and worked from home. That created a vulnerability, as people 
relied on working remotely. So, that has been a big challenge 
as people have adapted. And criminals take advantage of that 
and use that as an opportunity to create fraud, and there is 
incentive to do that.
    Mr. Lucas. Along that line, I guess I have to ask, is there 
anything that the government can do to help institutions 
address this kind of an issue? Is there additional flexibility 
or is there any way to help you cope with that?
    Mr. Newgard. Yes, there are several, one of which is we 
talk about core providers, that we are at the whim of core 
providers and that it is very expensive. These contracts are 
expensive and they are long term. So if we go in, say, 2 or 3 
years into a contract and determine that this is the wrong 
course of action for us, that there may be a better provider, 
it is very expensive to exit out of that.
    If an examiner comes in and wants to weigh in on how that 
can be improved, it will take years for us to get out of the 
contract, and it is very expensive to do so. So, that is a big 
issue.
    The other thing is, there are gaps within the regulatory 
environment. We have four regulators, and there is a lack of 
coordination between all four, and that provides an issue for 
the service providers as well, because they have four different 
regulators to try to cope with, and sometimes they are not in 
sync; they are at cross purposes. So, having harmonization 
within the regulatory environment would be helpful.
    And then finally, more information-sharing across the 
ecosystem so that we can get ahead of these threats. We don't 
have Top Secret clearance, so we don't have information as it 
is becoming available through counterintelligence and all of 
the work we are doing on the government side.
    We would like to have more information regarding 
vulnerabilities so that we can get ahead of it, because we feel 
like we are about a half-step behind in this area.
    Mr. Lucas. Mr. Newgard, continuing along this line of logic 
and a very important discussion, in your testimony you discuss 
that we should focus on creating greater uniformity among the 
financial regulators' cybersecurity standards.
    Can you expand on this and, in particular, discuss what 
cybersecurity practices the Federal agencies now expect from 
you?
    Mr. Newgard. Yes. We are regulated by the FDIC and the 
Idaho State Department of Finance. And there are other 
regulatory agencies out there, including the OCC and the 
Federal Reserve. So, what we comply with may not be what, say, 
Wells Fargo has to comply with.
    And I am not saying that one-size-fits-all, but there 
should be some more harmonization so that we can have 
best-in-class regulation. And this is an area where we really 
need to step up and work together.
    Mr. Lucas. Mr. Vazquez, could you discuss the challenges in 
training employees to be prepared for cybersecurity threats?
    Mr. Vazquez. Absolutely, sir, and thank you for that 
question. Our employees, as with any other company's employees, 
are part of our security stack, as we would say. They are part 
of our tool chest. We know that they are highly targeted.
    In today's world, as I mentioned in my opening, social 
engineering is the easiest and fastest way for a malicious 
actor to get into our network. It is cheap for them to send a 
ton of emails that come through, and it just takes one click. 
It is amazing how a click allows a malicious actor to gain a 
foothold in and then go lateral into our critical data.
    It is super important that we maintain training for our 
employees, and we have done so. We test ourselves multiple 
times. We work with our learning department to ensure that we 
provide the materials to train our employees. We are sending 
out notices via our PSAs to remind them. We just went through 
the Cybersecurity Month, which highlighted the importance of 
cybersecurity and the role that our employees face.
    Mr. Lucas. Thank you. And thank you, Mr. Chairman.
    Chairman Perlmutter. Mr. Vazquez, the gentleman's time has 
expired.
    I now recognize the gentleman from Texas, Mr. Green, who is 
also the Chair of our Subcommittee on Oversight and 
Investigations, for 5 minutes.
    Mr. Green. Thank you, Mr. Chairman. I greatly appreciate 
your hosting this hearing. And I thank the ranking member as 
well.
    I am concerned about minority banks. I happen to have Unity 
National Bank in my congressional district. It is a small bank, 
but it serves a niche. And we want to do all that we can to 
protect all of our banks, especially these small banks that are 
helping communities that otherwise might not have the same 
opportunities to achieve their way of banking, because there is 
no bank in the community.
    Here is my question: We talk about these breaches in the 
abstract, to a certain extent. We talk about the costs 
associated with megabanks having all of the technology 
necessary to protect themselves, whereas the smaller 
institutions, such as the $100 million, or very small banks--
under $1 billion, you are a small bank; at $10 billion, you are 
still small.
    My question is this: What is the amount of money that we 
are talking about for a small bank to properly acquire the 
technology necessary to protect itself? And I say this 
understanding that just for data acquisition to run the bank, I 
happen to have been told that it can cost around $50,000 a 
month. That is just to have the technology necessary to process 
the information that you receive to make sure that you can deal 
with the financial aspect of banking.
    So, what does it cost? What are we talking about? I would 
like to get away from the abstract and save a lot of money and 
go right to a number. You don't have to be exact. Just give me 
some sense of it, please. I will allow whomever happens to have 
the necessary information to do so.
    Chairman Perlmutter. Somebody jump in there.
    Mr. James. Congressman Green, I will attempt to address it 
first. You are correct in identifying the very, very steep cost 
of just the basic technology.
    And so we have to think about it in terms of, the cost of 
the core processor is usually the second-largest cost on all of 
our balance sheets, our income statements, just behind people. 
And that is not including the people that it takes to run the 
technology. I would surmise that you are talking about a 
similar size investment in cybersecurity, which is really just 
going to be cost-prohibitive.
    What would be a more interesting approach would be perhaps 
the regulators could actually help us. There are some 
innovative things that are coming out of the FDIC. I heard the 
Chair of the FDIC just yesterday talk about the idea of having 
the FDIC actually pre-vet and do some vendor due diligence, on 
behalf of all community banks, on fintech companies and new 
technology providers, and essentially vetting those companies 
so that we know that we could plug into those companies safely 
and securely.
    So if the regulators themselves could do something similar 
to what Mr. Newgard proposed, which is to coordinate amongst 
themselves but actually conduct a lot of this due diligence for 
our institutions, we would not only have the opportunity to 
increase the technology and improve the technology we are 
offering to our customers, but also to improve the security of 
that technology and keep up and compete with these large banks 
that just have basically unlimited resources to devote towards 
both technology and innovation and security.
    Mr. Green. Thank you for your response.
    Mr. Newgard. If I may, I would--
    Mr. Green. Yes, sir, go right ahead.
    Mr. Newgard. --add to that, is that the cost is really 
based on size and what other offerings you have. Do you have 
mobility? Do you have internet banking? There are all sorts of 
different add-ons that you can have with those core providers, 
so it is tens of thousands of dollars, and hundreds of 
thousands of dollars, in some cases. And the issue that you 
really hit on--
    Mr. Green. Excuse me, if you don't own it but you are in a 
sense leasing it--
    Mr. Newgard. Yes.
    Mr. Green. --is that per month?
    Mr. Newgard. We have to sign a contract for years.
    Mr. Green. Yes, I understand.
    Mr. Newgard. Yes.
    Mr. Green. Okay, but I am trying to get some sense of what 
it is per month? What is it over the 10-year period? Give me 
more than it could be tens of thousands of dollars but not say 
per what amount of time.
    Mr. Newgard. Yes. It really depends on the contract per 
bank, depending on how big it is.
    Mr. Green. Well, give me a general number. Just assume you 
are doing all of the basics that you need. What would that be? 
Just basic banking.
    Mr. Newgard. It is hard to say. It would be $20,000, I 
would say. But I can get you more information on specifically 
what the cost is to our bank.
    Mr. Green. I would appreciate it. Thank you.
    Here is why I would like to know. I want to make the 
argument that if we want to maintain smaller banks and keep 
them in business, the government is going to have to play a 
role in this. We are losing small banks at a rapid pace, and I 
want to do what I can to make sure that we do all that we can 
to protect them.
    Mr. Chairman, thank you so much. You have been generous 
with the time.
    Chairman Perlmutter. The gentleman's time is expired.
    I would like to recognize Mr. Posey for 5 minutes, but I 
can't see him on the screen.
    Mr. Posey, are you out--there you are.
    Mr. Posey. Yes.
    Chairman Perlmutter. The gentleman from Florida is 
recognized for 5 minutes.
    Mr. Posey. Okay. Thank you very much, Chairman Perlmutter, 
for holding this hearing.
    Mr. Newgard, cybersecurity looks something like other kinds 
of menaces that we manage through government action. For 
example, we have police forces to prevent crime and enforce 
deterrence, but we may expect people to behave rationally to 
avoid being victims of crime. In fire prevention, we may impose 
fire codes on individuals and businesses and also publicly 
provide a fire department to fight fires. In cybersecurity, we 
apparently impose regulations on financial institutions, and we 
also have agencies in government who fight cyber attacks and 
cybercrime and enforcement laws.
    Are we achieving the right balance between regulating 
financial institutions and law enforcement to prevent cyber 
attacks and protect our financial institutions and the people 
that they serve?
    Mr. Newgard. Yes, thank you. There needs to be more 
coordination between the police force, if you will, the 
regulators, and more harmonization so that we are getting the 
best-in-class approach to that policing, if you will. And then, 
it is not just us. That is the issue here, is that we are truly 
in an ecosystem where you can focus on just the financial 
institution, but you can have a breach.
    And the criminals are going to go after the weakest link. 
So, they are going to go after the most unsophisticated 
customer or the smallest business to try to get in. And the 
retailers, the other fintechs, the screen scrapers, all of 
these entities are not subject to the same examination and 
regulation. So the police force isn't--they are ignoring that 
area where they are very focused on us, which is great, we 
embrace that regulation, but it needs to be throughout the 
whole ecosystem.
    Mr. Posey. Thank you. When a government agency like the 
Consumer Financial Protection Bureau (CFPB) imposes regulations 
on financial institutions to fight cyber attacks and 
cybercrime, we would expect that the agency would perform a 
cost-benefit analysis or a cost-effective analysis to ensure we 
are getting official regulation or at least minimizing the cost 
regulation. Can you please share your experience with us in 
that regard?
    Mr. Newgard. The cost of the regulation?
    Mr. Posey. Yes. Does the CFPB look at alternative ways of 
regulating in this regard or to pick the most efficient way to 
achieve the goal or do they merely impose their preferred 
alternative without looking at other needs?
    Mr. Newgard. I am not as familiar with them in particular. 
We are regulated by the FDIC and the Idaho State Department of 
Finance, and we have a great relationship with them. But they 
are, again, looking for more harmonization with the OCC and the 
Federal Reserve, to get best-in-class regulation.
    Mr. Posey. Yes. Looking at a broad array of cybersecurity 
issues, it looks like we have a number of Federal agencies 
regulating financial institutions to improve security. Do you 
believe it would make sense to have a single agency or a 
private-sector standards bureau to design the cybersecurity 
standards we impose on financial institutions? Would it help to 
make cybersecurity regulation more efficient and less 
redundant?
    Mr. Newgard. Yes. Right now, we have a patchwork throughout 
all the States, and that becomes very problematic, so having 
standardization would be good. I would say that one size does 
not fit all institutions, so we do need to keep that in mind, 
that we are not the same as Wells Fargo. We have to keep that 
in mind, but having some standardization and harmonization 
would be great.
    Mr. Posey. One of the clear roles of government is 
protecting individual rights and especially private property 
rights. Without those protections, our market economy can't 
operate effectively, if it can operate at all. Is the Federal 
Government investing enough resources in cybersecurity 
countermeasures and law enforcement to adequately deter cyber 
attacks and protect our financial institutions and the public 
they serve?
    Mr. Newgard. I think there is a tremendous effort on 
counterintelligence. Where I live, the Idaho National Lab has a 
great effort in that area. There is a lot of information out 
there, but it doesn't always flow down to the smaller banks and 
financial institutions. And I am a big advocate of sharing that 
information throughout our entire system and in a timely way. 
To learn a week later after a proposed attack is too late. We 
need to be much more timely on these issues.
    Mr. Posey. I see my time has expired. Thank you, Mr. 
Chairman, and I yield back.
    Chairman Perlmutter. Thank you, Mr. Posey.
    I will now recognize the gentleman from Illinois, Dr. 
Foster, who is also the Chair of our Task Force on Artificial 
Intelligence, for 5 minutes.
    Mr. Foster. Thank you. And, Mr. Chairman, is it likely that 
there will be time for a second round of questions?
    Chairman Perlmutter. I will talk to my counterparts over 
here, but yes.
    Mr. Foster. If you could get us a reading on that, it would 
be great.
    Many of our witnesses noted that small financial 
institutions are becoming increasingly dependent on third-party 
core processors. Credit unions in particular frequently rely on 
third-party technology providers for the processes that credit 
unions need, but these aren't cost-efficient to provide in-
house, particularly for smaller ones. In some cases, however, 
these vendors might not follow the cybersecurity standards that 
are consistent with what is required of credit unions or they 
might not be familiar with the financial regulations concerning 
credit unions.
    Now, once upon a time, the National Credit Union 
Administration (NCUA) had temporary authority to examine third-
party vendors to address, in that case, the Y2K issue, but that 
authority expired in 2002. Now, recently, the NCUA, the 
Financial Stability Oversight Council (FSOC), and the U.S. 
Government Accountability Office (GAO) have all requested that 
this authority be reinstated for modern cyber threats.
    My bill that is being noticed today, the Strengthening 
Cybersecurity for the Financial Sector Act of 2021, would 
simply make credit unions, Federal Home Loan Banks, and 
Government-Sponsored Enterprises subject to the Bank Service 
Company Act, which would give the NCUA and the Federal Housing 
Finance Agency (FHFA) the same oversight of third-party vendors 
that bank regulators have for banks.
    And I have to mention how gratified I am that at a time 
when it seems like nobody is able to get along with each other 
in Washington, that even above getting Democrats and 
Republicans to work together, we have been able to get the 
banks and the credit unions behind the support for this 
legislation. So, I am very grateful for that.
    Mr. Vazquez, could you describe a little more about the 
need for stronger regulation of the service providers in this 
area, particularly in light of the increasing market 
concentration that we see in this industry?
    Mr. Vazquez. Absolutely, sir, and thank you for that. 
Everything you just mentioned we agree with, in that the NCUA 
should have greater authority to be able to regulate our 
vendors.
    As mentioned before, and I think Mr. Newgard mentioned it, 
the vendors seem to have a playbook where they know a breach is 
coming. Breaches are coming so fast that it is almost--it 
doesn't affect us as it used to. A vendor now probably has a 
playbook to safely get a breach. All we have to do is wait for 
the next news cycle and it will go away. We will do a little 
bit of marketing to get our reputation back, and they move on. 
There is nothing that prevents them from doing so.
    I think that to help at least with the credit unions, to 
ensure that we value our members' data, we want to make sure 
that nobody has access to that, we want to ensure that the 
vendors have that same feeling, that there is some kind of 
process for them to understand that if they have access to our 
data, it is not just a commodity to them to make money and to 
move forward, but that they need to protect that data as well 
as we protect the data.
    Mr. Foster. Thank you. And is there a second level of sort 
of correlated risk that we should be worrying about? For 
example, the same way that a core provider can go down and 
impact many banks, if several core providers, for example, all 
use the same cloud service, they all use Amazon Web Services 
(AWS) or they all use SolarWinds, would the legislation we are 
proposing adequately cover the ability to look upstream and 
above just directly at the core processors but the people they 
are dependent on? Does it go all the way upstream, and is there 
a need for it?
    Mr. Vazquez. I think there is a need for that, and I will 
give an example. I believe Cloudstar was just a company that 
was victim of ransomware, and Cloudstar hosts in their systems 
many title companies as they do their business. We work with a 
title company that used Cloudstar. Because Cloudstar is a 
third-party vendor, we don't have access to Cloudstar to ask 
about our data that may have been on their systems.
    So, we worked with our title company vendor to see if they 
were affected. They were. They had to rebuild from scratch 
everything that they had to do. But they could not provide us 
back what Cloudstar had, what Cloudstar went through, what 
Cloudstar data was affected.
    Having more regulations upstream, as you mentioned, going 
to the third-party contractors would definitely help us ensure 
that we have the comfort of knowing that if a vendor that we 
contract with subcontracts out to other areas to have their 
data, that flow continues on.
    Mr. Foster. Thank you. My time is up, and I yield back.
    Chairman Perlmutter. The gentleman's time has expired.
    The gentleman from Kentucky, Mr. Barr, is recognized for 5 
minutes for his questions.
    Mr. Barr. Thank you. Thank you, Chairman Perlmutter. I 
appreciate your leadership in holding this very, very important 
hearing.
    And I appreciate the sentiments of Chairwoman Waters in 
talking about the need to tackle this in a bipartisan way. I 
think we can, and we should. It is overdue. This is a huge 
matter.
    There has been some discussion about what is the right 
approach here, more harmonized regulation. I think there is a 
private-sector innovation point to be made. It is not black and 
white; it can be both.
    But, Mr. Newgard, can you give us an example of some 
private-sector innovation that has made the financial system 
more secure from cyber attacks?
    Mr. Newgard. Okay. Of course, our core providers, those 
would be private sector, and we really, as I mentioned before, 
rely on them for that innovation, almost solely. And the 
fintechs are coming online. That is private sector. By the way, 
we pay about--
    Mr. Barr. Sorry to interrupt, but they are providing 
increasingly-innovative solutions for your institution?
    Mr. Newgard. Yes, absolutely. We want them to do more in 
terms of innovation.
    Mr. Barr. Let me ask you about regulation then. Are there 
regulatory requirements that cause institutions like yours, 
smaller banks, to shift more resources onto regulatory 
compliance rather than investing in cybersecurity and 
strengthening cybersecurity? In other words, are regulatory 
compliance burdens hampering your ability to invest in 
financial technology cybersecurity?
    Mr. Newgard. Absolutely. The increased regulation makes it 
very difficult for small banks, and that is why [inaudible] to 
scale. That is why you are seeing banks consolidate.
    Mr. Barr. Okay. Sorry, sir. Let me get into this issue of 
core processors. And I have heard this from my constituent 
community institutions, the take-it-or-leave-it kind of 
contract approach, that they express--vociferously they are 
expressing frustration with that. And I take seriously the 
suggestion, the recommendation from both you and Mr. James 
about harmonization of regulation and my colleague's 
legislation to bring these third-party vendors under 
supervision. I am open to that.
    But my question is, the problem appears to be inadequate 
competition, so how do we get more competition in financial 
technology and among the core processors so you have greater 
choices of contracts for these services, which would not only 
bring down costs potentially, but also encourage greater 
private-sector innovation in this space? And is it a concern 
that more regulation on them could potentially have the 
opposite effect of actually encouraging greater consolidation 
among core providers, which we don't want?
    Mr. Newgard. Yes. We pay $51,500 that we budget a month in 
costs for our core provider with Fiserv. It is very expensive. 
We rely on them for technology, but the problem is, they don't 
keep up with innovation. So then, fintech comes in and provides 
that solution, but they are very unproven, very new, and they 
don't have the regulatory guidance, so they are at risk for 
cyber attacks.
    Mr. Barr. But if I could shift over to Mr. James, because I 
am very sympathetic to the problem that MDIs and other small 
institutions face, in your testimony, you talked about needing 
to level the playing field. And my last question here is, how 
do we level the playing field for MDIs and small banks? I 
assume you are able to, through the Tax Code, deduct your 
investments in technology as a business expense, but, clearly, 
the economies of scale of your larger competitors puts you at a 
disadvantage. Besides the regulatory harmonization, what else 
would help MDIs and community banks level the playing field and 
access the technology you need?
    Mr. James. Mr. Barr, I think it is a great question. I 
think some of the answer there lies in regulation, but some of 
it does lie in competition and being able to access competitors 
to these companies. Oftentimes, what happens is when a good 
competitor comes along to one of the big core processors, they 
will go and buy that company rather than allow them to grow 
enough to be able to provide services to more of our 
institutions.
    I think we really need to look at those contracts and we 
need to look at encouraging more competition so that we can 
move to different providers that are more flexible and more 
secure and provide our customers with better service.
    Mr. Barr. Thank you. I yield back.
    Chairman Perlmutter. The gentleman's time has expired.
    The gentleman from California, Mr. Sherman, who is also the 
Chair of our Subcommittee on Investor Protection, 
Entrepreneurship, and Capital Markets, is recognized for 5 
minutes.
    Mr. Sherman. Naturally, this hearing is focusing on 
defending ourselves from cyber attack and hacking. We shouldn't 
just be focused on defense, but perhaps in classified sessions, 
focused on offense, especially when we are dealing with state 
actors or actors that are protected by states.
    The U.S. has done little or nothing in this area. There was 
action taken against Iran's nuclear program that delayed it for 
a while by either Israel or the United States. Our intel 
community conjures up an image that they could make the lights 
flicker in the Kremlin or turn off the Internet Research 
Agency's operations in Saint Petersburg; they just choose not 
to.
    I have no idea if that is correct, but I do know that 
Congress should be fully apprised of what are our offensive 
capacities, what could we do to develop them, and what should 
be our policies as to whether to threaten to use them or 
actually use them or maybe not.
    Instead, we are here, as we are in many hearings, talking 
about a shield without ever talking about a sword. If we are 
not in a position to deter what some foreign governments are 
doing or deliberately allowing and encouraging, we are going to 
have an even bigger problem.
    Turning to the private sector, we want to make sure the 
private sector spends more and does the best possible job. 
Basic economic theory says that the cost of a data breach 
should be imposed on those who could invest in safety measures 
and who should spend the appropriate amount of money and care 
in safeguarding data.
    When Americans focus on the issues of this hearing, their 
first thought is on the big and well-publicized, and sometimes 
smaller and not well-publicized, data breaches where their 
personal information, particularly their credit card 
information, comes into the hands of ne'er-do-wells and 
criminals.
    But our policy has been that if a big retailer has millions 
of credit card data files stolen, they don't face any 
liability. If it is a really big one, they may face some 
reputational risk, but all the costs are borne by the financial 
institutions.
    Mr. James, would we get better investment by big retailers 
in safeguarding data if it was the retailers that had to pay 
the money that was occasioned by the breach?
    Mr. James. Mr. Sherman, I definitely think that you would 
see a renewed interest in protecting this data if some of those 
retailers, who were a part of this ecosystem that Mr. Newgard 
so eloquently described, bore some responsibility.
    If our institution has a debit card that is breached or a 
checking account number that is breached, ultimately, we bear 
the responsibility for recouping that customer's funds. And 
those retailers that have--particularly very, very large 
retailers that have massive data operations are not really 
subject to any responsibility for protecting consumer data, 
certainly not the way that we are.
    I certainly don't want to impose onerous costs on our small 
businesses, our small customers that are retailers, but even 
they are dependent on--
    Mr. Sherman. I would just interrupt and say that the big 
hackers are not going after the small businesses. The treasure 
trove is in the big ones.
    I do have a question for Mr. Vazquez. With regard to the 
question of expanding the National Credit Union Administration 
(NCUA) oversight of credit union third-party vendors, a primary 
concern is the risks with credit union service organizations 
(CUSOs). In your view, do these credit union service 
organizations and vendors pose the same level of risk to credit 
unions and customers? And if not, are there specific types of 
risks that would be more appropriate for NCUA oversight than 
others?
    Mr. Vazquez. Sir, I thank you for that question. And I do 
believe that they have the same type of risk. When a credit 
union such as Canvas partners with a CUSO or a vendor and we 
provide them our data so that our members can have a better 
service, we are basically--in some areas, people would think 
that we are transferring our risk to the vendor. And some 
people would think that we are now hands-off with that risk. We 
are expecting our vendor to take that risk. But, ultimately, 
that risk still resides with Canvas. That is our members' data. 
And we could try and transfer it, but it is really ours.
    And we hope and expect that the vendors and the CUSOs that 
have our data would maintain that same recognition of securing 
that data and have the same risk that we have.
    Mr. Sherman. Thank you.
    Chairman Perlmutter. The gentleman's time has expired.
    The Chair will now recognize the gentleman from Texas, Mr. 
Williams, for 5 minutes.
    Mr. Williams of Texas. Thank you, Mr. Chairman.
    We have seen a wave of new proposed regulations coming out 
of the Biden Administration that will cause banks to dedicate a 
significant amount of money towards new compliance costs. For 
smaller community banks, like the ones I deal with and most 
people, this means they will have less resources available to 
lend money into their communities or dedicate to cybersecurity 
efforts, and bottom line, it hurts Main Street America.
    Whether it is asking banks to report account information 
from their customers to the IRS, or being forced to comply with 
a 900-page rule coming out of the CFPB on reporting small 
business loan information, these actions will force banks to 
divert significant amounts of resources--there is no question 
about that--because they have no clue what it is going to cost 
them.
    So, Mr. Newgard, can you tell us how your bank has been 
adjusting with some of these potential new compliance costs 
coming down the pipeline?
    Mr. Newgard. Yes. It is extremely expensive and it 
continues to ramp up. So, we are looking at hiring additional 
people to comply with things such as Bank Secrecy Act, and all 
of the other compliance burdens. And, simply, you have to get 
scale in order to be able to bear that cost. That is why you 
are seeing a tremendous amount of consolidation in our 
industry, because it is so expensive to comply, and the burden 
of the regulation continues to go up.
    Mr. Williams of Texas. Well, in the end, your customer is 
hurt.
    As cyber threats are getting more sophisticated, there is a 
need for financial institutions to understand the threats and 
outages facing their third-party service providers. 
Unfortunately, I have heard from some of my market participants 
in Texas that the financial regulators are working on a new 
rule regarding computer incident notification requirements that 
could impose a significant new burden--here we go, a new 
burden--on community banks.
    I understand the need to have transparency in the digital 
systems of the financial system to ensure that proper steps can 
be taken when something else goes wrong; however, I am 
concerned that the rule, as currently proposed, could both make 
community banks responsible for deciphering complex cyber 
incident notifications and cause market participants to share 
so much information with the regulators that they will not be 
able to determine what issues deserve attention.
    Mr. Newgard, again, can you give us your thoughts on how we 
can strike the correct balance with cyber notifications so that 
banks can receive timely information from their service 
providers without creating an overly-burdensome review and 
reporting process for banks and, again, hurting Main Street?
    Mr. Newgard. That's right. We already comply with good 
cybersecurity practices, and what we would ask is for 
harmonization within the regulatory bodies, and then to spread 
that risk and liability to those that don't have it today: the 
retailers; the core providers; and the other people within the 
ecosystem. I will leave it at that.
    Mr. Williams of Texas. Okay. Lastly, I have talked with 
many different fintech firms in my district that have been 
dealing with a patchwork regulatory system of data security 
requirements coming out of different States. From my 
experience, what works in California, doesn't work in Texas. I 
repeat, what works in California, does not work in Texas.
    Mr. Newgard, can you briefly discuss the benefits that your 
institution would see should a uniform data security standard 
come out of Washington? That is pretty scary.
    Mr. Newgard. Yes. We are not in favor of a one-size-fits-
all approach. We do need harmonization, I will stress that 
again, but definitely a one-size-fits-all approach doesn't 
work.
    Mr. Williams of Texas. Okay. So I would just say, in 
closing, as a business person who employs hundreds of people, 
and still has my business, that regulations hurt community 
banks, make them sometimes not competitive, and at the end of 
the day, affect your borrowers who are trying to grow their 
company and put more people to work. So, regulations do not 
help Main Street.
    And with that, Mr. Chairman, I yield back.
    Chairman Perlmutter. The gentleman yields back.
    The gentleman from California, Mr. Vargas, is recognized 
for 5 minutes for his questions.
    Mr. Vargas. Thank you very much, Mr. Chairman. I appreciate 
very much this hearing, and I want to thank the ranking member 
also.
    I have to say, though, there was a quip, stated something 
like, ``what happened last night, of course, had no influence 
on the bipartisanship.'' I have to say, for me, zero, none, 
because I really don't like the Atlanta Braves or the Houston 
Astros, either one of those teams. Now, if it had been the 
Rockies or my beloved Padres that had won, well, then it is 
different. But since they weren't there, I really don't care 
too much about what happened last night.
    Now, Mr. Newgard, I do want to ask you, you said that there 
is very little cost to the core providers when there is a 
breach. You also said the contracts are very expensive and they 
are only long term. The way the market is supposed to work is, 
if this is the case, there should be another actor that comes 
in, another participant with innovation to bring the cost down. 
Why hasn't that happened?
    Mr. Newgard. The core providers are three or four. And, by 
the way, we pay about--we budget $51,500 a month for that 
service. So, we really push on those core providers to 
innovate, and many times they are slower than we would like 
them to be, and slower than our consumers and the small 
businesses would like to move.
    So, that is where the fintechs come in. That is why we have 
a whole industry of fintech, because of innovation. The issue 
is, they are not subject to regulation like the GLBA, and the 
issue is they are startups, so they are brand new, and don't 
have much history--
    Mr. Vargas. I understand that, but I am asking why--in the 
core providers, why aren't there new startups there? In other 
words, why isn't there competition? That is usually what 
happens in our market side.
    Mr. Newgard. Yes. Mr. James stated this very well, that 
once one starts up, it is purchased, so it just becomes part of 
the whole. They don't even hardly let them get legs under them 
before they are consolidated.
    Mr. Vargas. Now, it has been interesting, because I think 
Mr. Barr, and certainly Mr. Williams and others have said, ``We 
don't like regulation.'' And yet, a lot of the witnesses today 
seem to want to extend regulation to the core providers.
    It has been fascinating to listen to what you on the 
private side have said tonight. Almost everyone says that the 
Gramm-Leach-Bliley Act (GLBA) should be extended, the Privacy 
Act should be extended, there should be harmonization. I assume 
you mean to make sure that the core providers, fintech, and 
everybody else has these regulations that they don't have now. 
Is that correct?
    Mr. Newgard. That is correct.
    Mr. Vargas. Okay. Then I do, because we always have that 
fight that no regulation is good regulation. And we always 
think, well, no, you have to have regulations, then we just 
solve it. Going through this pandemic, a lot of banks didn't 
fail because we had some good regulations.
    I do want to ask Mr. Jain, if I could, government 
information-sharing, you talked about that and said that we 
should have more of that and it should be actionable in real 
time. Could you comment a little bit more about that? Because 
we do spend a lot of money at the Federal Government level with 
respect to cybersecurity. What are we doing wrong?
    Mr. Jain. We have talked about information-sharing for many 
years, and I think we have learned that information-sharing or 
effective information-sharing is hard because it is not just a 
matter of sharing some isolated technical indicators.
    What you really need is context and enough information in 
real time and actionable information that if a network defender 
receives the information, they can look at it, and they can 
say, oh, here is a copy of a phishing email that is being sent 
around that people are using to get access to people's 
networks. I can block that email, or I can look for that kind 
of email and block it.
    Mr. Vargas. Mr. Jain, I am going to interrupt you just for 
a second, because my time will run out. Why aren't we doing 
that? I understand that part. You told us that. Why aren't we 
doing that? Why can't we do that?
    Mr. Jain. I think we are getting there. I think it has 
taken us a while to realize that is what we need. And I think 
some of the innovations coming out of CISA, around the joint 
collaborating center that they just announced, I think is 
moving in this direction. But I think it is going to take more 
resources trying to get it economy-wide, and it is going to 
take time. So, I think we are moving in that direction, but we 
still need more time to get there.
    Mr. Vargas. Yes. I only have 4 seconds left. The only thing 
I would say is, ``Go Padres!''
    Thank you, Mr. Chairman.
    Chairman Perlmutter. Okay. The gentleman yields back on 
that note.
    And the gentleman from Georgia, Mr. Loudermilk, is here to 
talk about the Atlanta Braves, I will bet, but he is now 
recognized for 5 minutes.
    Mr. Loudermilk. Mr. Chairman, I appreciate my colleague 
from California. And I understand that there was no California 
team good enough to make it to the World Series, so I 
understand why he was not affected by the game last night. But, 
``Go Braves! Go Braves, America's team!'' And, by the way, Mr. 
Chairman, the Braves are in my district, so we are celebrating 
here today.
    Chairman Perlmutter. Okay. The gentleman gets an extra 30 
seconds because the Braves were in his district.
    Mr. Loudermilk. Thank you, Mr. Chairman. I will use it 
wisely.
    Cybersecurity and cyber threats is one of the issues that I 
have been working on since I have been in Congress. I spent 
some time in the military, in intelligence. Of course, security 
is a big issue for those in that field, especially protecting 
the data, the information that we have. I also spent 20 years 
running and owning an IT business, where, again, security was a 
main concern for our customers and we wanted to make sure that 
their networks were secure.
    However, being here in Congress, I see that quite often, we 
will take one step forward and two steps backwards. Sometimes, 
we will go six steps backwards. I am going back to some of the 
basic tenets of what it means to secure data, and one of the 
primary tenets that we were taught in the military, and that I 
have kept throughout my businesses is this one principle: You 
don't have to protect what you don't have. You don't have to 
protect what you don't have, meaning, do not keep something 
that could be vulnerable just for the sake of having it.
    And what we do here in the Federal Government, through 
mandates and regulations, and especially the idea that is being 
proposed right now for the banks to spy on everyone's bank 
account, and then all of that information by small 
institutions, large institutions, whatever is going to be sent 
to the Federal Government, which is, again, data that they 
don't need and they don't need to have.
    And we have seen this continual flow of taking on more and 
more responsibility, the government either forcing businesses 
to keep data that they really don't need or forcing the 
businesses to send it to the Federal Government, which is a 
huge cybersecurity risk in itself, in my opinion.
    So, I think we take one step forward and several steps 
backwards in trying to figure out better ways of securing data, 
where the bad guys are always going to be one step ahead of 
you, and when we really don't need to have this data to secure.
    Another issue that I have been working on is the need for 
some type of uniform national data security breach notification 
standard. One of the issues is we have so many different 
standards throughout the nation that institutions have to 
comply with, various State laws, and those are often 
conflicting with the Gramm-Leach-Bliley Act and other Federal 
requirements, and it adds unnecessary complexity to the 
cybersecurity efforts, in my opinion.
    So, Mr. Newgard, if banks were able to operate under a 
single set of rules, would that allow you to spend more of your 
time and resources defending against cyber attacks?
    Mr. Newgard. Yes, having harmonization within the 
regulatory bodies would help significantly. And then 
voluntarily, we ask to share that breach information. And what 
we really need is to have more information shared from the 
government to us. I loved your comment about having too much 
data sent. That doesn't make sense. I think you are spot on 
there.
    Mr. Loudermilk. That is one of the areas that we just tend 
to gloss over, and I have been bringing this up over and over 
in this committee, is that we keep talking about cybersecurity. 
We have put the onus on the businesses to be more secure, but 
then we require them to take more and more information, which 
they don't need to be taking. So, I appreciate that.
    Another issue I have been focused on is payments fraud. 
Point-of-sale payments fraud has significantly declined, thanks 
to the adoption of chip technology, but the problem has shifted 
toward digital payments.
    Mr. Vazquez, what are credit unions doing to enhance the 
security of digital payments?
    Mr. Vazquez. Thank you, sir, for that question. We partner 
with CO-OP Financial Services for our digital payments, and we 
work with them to ensure that they are monitoring for fraud. 
And we have a department ourselves that monitors for fraud.
    Even though we spend quite a bit of money on my area, which 
is cybersecurity, we do spend the same amount of money in our 
fraud area to make sure that we have the right tools and the 
right people to monitor it. And it is important that the tools 
that we have are real-time tools, so that they are not a day 
old and the fraud that is happening isn't escaping while we are 
waiting for the information to come in. We are working with our 
vendors to ensure that the data we have is in real time so we 
can prevent the fraud.
    Mr. Loudermilk. Thank you. I see my time is expired, so I 
will submit my other questions for the record. But thank you, 
Mr. Chairman.
    Chairman Perlmutter. The gentleman's time has expired. And 
we should all applaud the Braves. They played a good game last 
night.
    We have Ms. Pressley next, and then Mr. Rose, and then, if 
you wish, we will do a second round.
    I am also going to make a suggestion that, Mr. Loudermilk, 
you get together with Mr. Foster and talk about this kind of 
stuff, because I think between the two of you, and after 
listening to this panel, we are going to have some good ideas 
as to what we should do.
    So now, I would like to recognize the--
    Mr. Foster. Mr. Chairman, Representative Loudermilk and I 
are already primary sponsors of some key legislation on digital 
identity.
    Chairman Perlmutter. See? Okay, good. It is already 
working.
    Mr. Foster. Your wish is our command.
    Chairman Perlmutter. Okay. I would now like to recognize 
the gentlewoman from Massachusetts, Ms. Pressley, who is also 
the Vice Chair of this subcommittee, for 5 minutes.
    Ms. Pressley. Thank you, Mr. Chairman. You forgot to 
mention in my introduction, ``and the Congresswoman for the 
Massachusetts Seventh District, proudly representing the Boston 
Red Sox.''
    Thank you, Mr. Chairman, for convening this important 
hearing.
    Chairman Perlmutter. I apologize.
    Ms. Pressley. That's okay. Let the record reflect that.
    But in all seriousness, through the first half of this 
year, banks and credit unions experienced a 1,318 percent 
increase in ransomware attacks, where attackers held private 
data hostage, and threatened to publish it should the victim 
not pay. You heard that right, 1,318 percent. So, this is a 
substantial and immediate threat to consumers in our financial 
system that really does require a substantial and immediate 
response.
    The largest financial institutions devote tremendous 
resources to addressing cyber risk, yet smaller, regional, and 
community financial institutions don't have those resources or 
capabilities, even though cyber attacks on smaller institutions 
can also harm consumers and cause serious disruption. In fact, 
in 2020, over 25 percent of cybersecurity breaches involved 
were small business victims.
    So, Mr. Jain, what sorts of challenges do financial 
institutions face in the prevention and detection of these 
attacks, especially when it comes to smaller, regional, and 
community financial institutions?
    Mr. Jain. Thank you for that question. I think they face a 
number of challenges. As we have talked about, they have 
significantly less resources, obviously, than the big players, 
both in terms of monetary resources to invest, but also in 
terms of access to in-house expertise. We have a shortage in 
the cyber workforce, I think, around this country, and so 
smaller institutions in particular, I think, have a harder time 
getting the in-house expertise they need.
    The information-sharing, as we have talked about, is 
important. And while the big institutions are able to, for 
example, have people in the government centers that are 
designed for information-sharing, that is obviously not 
possible for the smaller institutions. And so, finding the 
right ways for information to get to smaller institutions in a 
way that is actionable in real time remains, I think, a 
challenge.
    And then, I think, in many ways, smaller institutions have 
a greater dependence on vendors and other service providers 
because the big banks can provide a lot of these capabilities 
or develop them in-house. And as we have talked about, vendors 
create all sorts of security problems.
    Ms. Pressley. Thank you, Mr. Jain. And just building on 
that, I think that certainly makes the case for exactly why we 
need to address the fact that there are nearly 500,000 unfilled 
cybersecurity jobs across the nation. And this is why the Build 
Back Better Act makes these robust investments in cybersecurity 
workforce development with training opportunities at community 
colleges, Historically Black Colleges and Universities (HBCUs), 
and for our veterans.
    The Biden Administration is partnering with private 
companies such as IBM, headquartered in my district, which is 
committed to training more than 150,000 people in cybersecurity 
skills over the next 3 years, working with more than 20 HBCUs 
to build a more diverse cyber workforce.
    Mr. Jain, just sticking with you for a moment here, how 
will these investments that I just enumerated help our nation 
combat growing cybersecurity risks in the financial services 
sector?
    Mr. Jain. I think it is crucial because, as you say, we do 
have a huge shortage of cybersecurity workers. And our system 
is set up where we are expecting every business, every small 
business to have that kind of cybersecurity expertise, and so 
that mismatch creates a real problem.
    And, obviously, when you have that kind of shortage, just 
the basic law of supply and demand means that they can--
cybersecurity workers can demand really large salaries, which, 
again, becomes a handicap for smaller institutions. So, I think 
there is no doubt that one part of this has to be to increase 
our cyber workforce.
    Ms. Pressley. Thank you, Mr. Jain. And before my time 
totally runs out, yes, these investments are certainly 
necessary to ensure that we have an equitable recovery to 
provide those good-paying jobs and to diversify this sector.
    Transitioning to the issue of consumer justice and 
cybersecurity, under the Gramm-Leach-Bliley Act, covered 
financial institutions must inform customers of their data-
sharing practices and allow customers to opt out of sharing 
their information with third parties. But most consumers, as 
you all know--we are consumers ourselves--don't have the time 
to read privacy policies and others may not understand the 
policy, or that they even have opt-out rights. So as a result, 
many of these folks are not opting out.
    Mr. Jain, you argue that this opt-out system places the 
burden of privacy protection on the individual consumer and 
that the result of this shortcoming is that the GLBA 
effectively adopts a default of broad sharing of consumer 
financial information. So, how would you recommend that 
Congress change this data privacy burden so that more of it 
falls on the companies and not the consumer?
    Mr. Jain. Yes. I think we need to move away from this idea 
of notice and consent, that as long as consumers have notice, 
we have this fictional idea that they have consented, and start 
imposing some basic obligations on the entities that are 
collecting and processing this information, so among other 
things, to require them to only collect the information they 
really need to provide the product or service for which the 
individual signed up.
    And if they want to use it for another purpose, then they 
have to come back to the consumer and say, hey, we want to 
share your data for this reason, is that okay? And if the 
consumer then expressly opts in, fine, but not sort of default 
to sort of, hey, we can hide this stuff in the privacy policy, 
and if you don't take the time to read it and check this box to 
opt out, we can do what we want.
    Chairman Perlmutter. Thank you. The gentlewoman from 
Boston's time has expired.
    Ms. Pressley. Thank you.
    Chairman Perlmutter. The gentleman from Tennessee, Mr. 
Kustoff, is now recognized for 5 minutes.
    Mr. Kustoff. Thank you, Mr. Chairman, and thank you again 
for convening today's hearing. And thank you again to the 
witnesses.
    And, Mr. Jain, thank you for personally appearing today. 
Mr. Jain, if I could ask you, going back to your prior life in 
government, both with DOJ and the National Security Council, 
can you compare and contrast, if you will, how the cyber threat 
environment has changed from the time you left the government 
to now?
    Mr. Jain. Yes. I think it has become more problematic. I 
think we are seeing an increased number of sophisticated cyber 
actors, not only nation states, but increasingly, criminal 
enterprises that have access to sophisticated capabilities. So, 
in that sense, it has become significantly more challenging.
    We are also seeing more brazen attacks. Previously, 5 or 10 
years ago, most of the attacks you saw were either things like 
denial of service or theft, whether it was of information or 
even money. But today, we are seeing so many more attacks that 
are actually disruptive, operationally disruptive, as we saw 
with the Colonial Pipeline and the likes, where they are really 
attacking critical infrastructure and really disrupting 
people's lives and basic services that people need. So I think 
in that respect, it has actually become a more serious problem 
for us.
    Mr. Kustoff. And if I could, Mr. Jain, specifically about 
financial institutions, can you characterize how the threat or 
threats have changed during the time you left government to now 
as it relates specifically to financial institutions?
    Mr. Jain. Sure. One obvious change has been the rise of 
ransomware. I think a number of you have now mentioned the 
statistic about the 1,300 percent increase in ransomware 
attacks on banks. And that, in a financial institution context, 
obviously has major issues because it means that consumers, for 
example, may not be able to access their accounts or may not be 
able to use banking and financial services in a timely manner 
when they really need it. So, I think that is one example of 
where it has really had an effect.
    And I also think it is important to recognize--we have 
talked a lot about the financial system as an ecosystem, but it 
is not only a financial ecosystem, but it is a broader 
ecosystem than that. For example, financial institutions rely 
on power, so to the extent that power companies and utilities 
are at risk for cyber attacks, that is going to have a 
downstream effect on financial institutions as well. And so, 
the risk to critical infrastructure broadly affects all 
companies, including in the financial institutions space.
    Mr. Kustoff. Thank you, Mr. Jain.
    And, Mr. Newgard, if I could maybe follow up on what Mr. 
Jain just talked about as it relates to the ecosystem, and, of 
course, you mentioned that interconnected ecosystem in your 
written testimony. Can you talk about that, and how an attack 
on big banks ultimately could filter down to smaller banks and 
community banks, et cetera?
    Mr. Newgard. Sure. An attack on any financial institution, 
whether it be a large bank, whether it be a credit union or a 
small community bank, impacts significantly the overall 
financial system, and it hurts trust and it hurts communities.
    Mr. Kustoff. Essentially, it is a domino effect. One attack 
on the large or larger banks is a domino to other banks down 
the ecosystem.
    Mr. Newgard. That is right, certainly. But I would also say 
that an attack on a service provider, a core provider, if they 
get in there, if a perpetrator gets in there, look at how many 
community banks would be affected. We are talking about 
thousands of community banks and communities being affected by 
an attack on them as well.
    Mr. Kustoff. So, not necessarily a direct attack on a 
community bank or a smaller bank, but from a best-practices 
standpoint, what could a community bank do to protect itself 
against attacks at larger financial institutions or banks?
    Mr. Newgard. I would say having the harmonization of the 
regulators and also having those service providers be examined 
and have them be accountable to those requirements, because the 
bigger institutions have their own cores, if you will. They do 
a lot of this in-house, where we are reliant on third parties.
    Mr. Kustoff. Thank you. My time has expired. I yield back.
    Chairman Perlmutter. The gentleman yields back.
    Another gentleman from Tennessee, Mr. Rose, is now 
recognized for 5 minutes.
    Mr. Rose. Thank you, Chairman Perlmutter and Ranking Member 
Luetkemeyer, for holding this hearing, and to our witnesses for 
being here with us today.
    Unfortunately, cyber attacks across Tennessee and our 
nation are on the rise. While the ransomware attack that 
targeted the Colonial Pipeline, and the cyber attack on JBS in 
the meatpacking sector, have dominated the headlines this year, 
there have been countless other attacks affecting millions of 
Americans, and the financial sector in particular is routinely 
a major target of malicious cyber actors.
    In order for our nation to meet the unique challenges posed 
by cyber attacks, it is essential that we have an adequate 
number of qualified cybersecurity professionals. However, it is 
becoming increasingly clear that there is a substantial 
shortage of qualified cybersecurity professionals in this 
country.
    According to the data gathered under the Commerce 
Department grant, and as Representative Pressley just pointed 
out, there are nearly 465,000 unfilled cyber jobs in the United 
States. To help combat the shortage of cybersecurity 
professionals, the Department of Homeland Security and the 
National Security Agency have designated centers of academic 
excellence in cybersecurity.
    I am proud to represent one such center of academic 
excellence in my district. The Cybersecurity Education, 
Research, & Outreach Center located at Tennessee Tech 
University in Cookeville, Tennessee, my alma mater, was 
established in 2015 in an effort to integrate university-wide 
initiatives in cybersecurity, education, and research.
    One of the goals at the Tennessee Tech Center of Excellence 
is to help supply highly-trained students to the cybersecurity 
workforce. While I think we can all be appreciative of the work 
being done at Tennessee Tech to help fill these critically 
important jobs, there is clearly more work to be done.
    Mr. Newgard, as the Chair of the Cyber & Data Security 
Committee at the Independent Community Bankers of America, 
would you talk a little about the challenges the financial 
sector faces when it comes to recruiting qualified 
cybersecurity professionals?
    Mr. Newgard. This is a huge issue, and I would say that 
Governor Little from Idaho has created a cybersecurity task 
force to address some of these workforce issues.
    This is bigger than we realize, because as the threat 
continues to increase, so does the demand for cyber 
professionals. We need more people. The issue within the 
financial institutions is our ability to pay for these talented 
people, because they get scooped up by other entities that are 
bigger and can pay larger salaries. So, it is a challenge to 
keep and attract good talent in the cyber area.
    Mr. Rose. Thank you, Mr. Newgard. I have spent my career in 
the IT training space, and have spent quite a bit of time 
through my own business helping to train cybersecurity 
professionals. And one of the old sayings we had in that 
industry is, if you train your employees--and you make 
reference to this--if you train your employees, they will leave 
you and go on to better opportunities. The only thing worse 
than that is not training them and having them stay. And I am 
sure, Mr. Newgard, you probably agree with that.
    Mr. Jain, I would also welcome your input here regarding 
any challenges that you see when it comes to recruiting 
qualified cybersecurity professionals.
    Mr. Jain. Sure. As Representative Pressley alluded to, I 
think one of our challenges is making sure that we are drawing 
from our entire citizenry in terms of encouraging them to enter 
into the cyber workforce. We know that for a long time, for 
various reasons, women and girls have been more reluctant to 
get into technology. And we know that minorities sometimes 
don't see the same opportunities.
    So, I think part of the solution to increasing the number 
of cyber workers that we have is making sure that we are doing 
everything we can to reach out and provide the opportunities 
really across-the-board to everyone, including underrepresented 
communities, because I think that is going to be critical in 
order for us to actually get the number of cyber workers we 
need.
    Mr. Rose. I am wondering, Mr. Jain and Mr. Newgard, if you 
believe that there is adequate credentialing or verification of 
the talents and capabilities of cybersecurity professionals 
today, or if you think there is more work to be done there? I 
mentioned the program at Tennessee Tech, but, historically, 
there has been some question about whether our cybersecurity 
professionals really know their stuff. Could you all comment on 
that in the remaining seconds we have?
    Mr. Newgard. Sure. I am a big fan of certifications. I 
think certifications keep up quite well. We just need to have 
the workforce to do that, and potentially grants to help fund 
those.
    Mr. Jain. And I would just add in 2 seconds that I think it 
is also important to recognize that we shouldn't just assume 
that to be a cybersecurity professional, you need a computer 
science degree. I think we need to have different kinds of 
certifications and recognize that different kinds of skills can 
be useful.
    Mr. Rose. Thank you both.
    I see my time has expired. And thank you, Chairman 
Perlmutter, for indulging me.
    Chairman Perlmutter. The gentleman's time has expired.
    The gentleman from Florida, Mr. Lawson, is recognized for 5 
minutes.
    Mr. Lawson. Thank you, Mr. Chairman.
    And I would like, again, to welcome everyone to the 
committee. This has been quite interesting. And I would like to 
thank Ranking Member Luetkemeyer also, because this issue is 
critical now.
    My question is going to go to Mr. Newgard first. As you 
know, we are in an age where there is an increased reliance on 
technology, and with that comes an increased need to protect 
consumers' sensitive data. Financial institutions are pairing 
with technology services to provide other third-party vendors 
that are not versed in Federal regulations that protect 
consumers.
    Based on your experience, do you believe programs that help 
close the gaps and establish digital cybersecurity 
infrastructure plans will be utilized by financial 
institutions?
    Mr. Newgard. We are extremely reliant on third parties, and 
so anything that can make them more accountable is good. The 
other thing is, as part of this ecosystem, having retailers, 
core providers, everybody else within that ecosystem made 
accountable for consumer information and the liability 
associated with that as well. If they have a breach, they have 
to pay. That would go a long way.
    Mr. Lawson. Okay. Thank you.
    And, Mr. Jain, it has been stated that cybercrimes could 
cost the world up to $10.5 trillion annually by 2025, which is 
right up the way. With cybercrime cases on the rise, how can 
Federal policy help aid and recovery for financial institutions 
that are victim to cyber attacks? Most of the proposed 
solutions today discuss preventive measures, but what action 
can we take to shape policy that would help mitigate the 
staggering effect of a data breach and help financial 
institutions effect recovery?
    Mr. Jain. Just to give a couple of examples, I think one 
thing that we should be thinking harder about from a policy 
perspective is whether there are points in the ecosystem where 
imposing requirements or requiring certain security practices 
can have benefits that sort of propagate across the ecosystem.
    If you think, for example, of software providers or 
internet service providers, to the extent they up their 
security game, they eliminate a bug or a bug doesn't get into 
software, that has benefits that propagate across the whole 
ecosystem.
    If you think of a program like Windows, when Windows has a 
problem, it affects everybody. But if we can fix it or we can 
create incentives so that commonly-used software providers or 
internet service providers who are serving tens of thousands of 
customers, if we can incentivize them to up their security 
game, that has benefits for everybody throughout the ecosystem.
    So, I do think one thing that we should be thinking harder 
about is identifying those kinds of points in the ecosystem, 
what we can do there to improve security and sort of benefit 
everybody?
    Mr. Lawson. And the $10 million question that is always 
asked, Mr. Jain, is, what action could Congress take to improve 
cybersecurity and prepare to respond to attacks on the 
financial system, which may impact the entire community and 
other sectors of our economy?
    Mr. Jain. One action, as I mentioned before, that I think 
Congress should take is to adopt Federal privacy legislation, 
because I think it really gets to a point that Representative 
Loudermilk made earlier, albeit from a different perspective, 
which is that if you have privacy legislation that, for 
example, requires providers to minimize the amount of data that 
they are collecting, minimize the amount of sharing that they 
do, that means there is just less data sloshing around the 
whole ecosystem so that if there, in fact, is a breach, there 
is less data that is being taken or fewer people's data that is 
being taken.
    I actually think there is a really strong link between 
privacy legislation on the one hand, and reducing the negative 
effects of data breaches and the like on the other hand.
    Mr. Lawson. My time has almost run out, but I wanted to 
leave with you, is cybercrime international in scope with other 
countries now?
    Mr. Jain. Oh, absolutely. I think cybercrime is definitely 
international and requires international solutions for that 
reason.
    Mr. Lawson. Okay. With that, Mr. Chairman, I yield back.
    Chairman Perlmutter. The gentleman yields back.
    The gentleman from South Carolina, who is also the Vice 
Chair of the Select Committee on the Modernization of Congress, 
Mr. Timmons, is recognized for 5 minutes.
    Mr. Timmons. Thank you, Mr. Chairman. I appreciate you 
holding this hearing. This is extremely important.
    And I am just going to begin--I am actually not going to 
ask questions during my first 5 minutes, because I am going to 
take advantage of the second 5 minutes. But please listen to 
just how I am going to frame this.
    In 2012, the Obama Administration proposed the 
Cybersecurity Act, that would largely address critical 
infrastructure. It failed. The Democrats at that time had a 58-
seat majority. And the right didn't like it because it was 
overly prescriptive. It was too burdensome on businesses. And 
portions of the left didn't like it because of privacy 
concerns. It was too invasive.
    So, let's talk about what has happened since then. We have 
had billions and billions of dollars worth of damage from 
cybersecurity breaches, both in the business community and in 
government: Epsilon; Target; Home Depot; Experian; T.J.Maxx; 
Sony; the Department of Veterans Affairs; and the U.S. Office 
of Personnel Management (OPM). They are increasing in number, 
and they are increasing in disruptive capacity.
    Most recently, Colonial Pipeline, which affected my 
district, resulted in 75 percent of the gas stations in the 
Fourth Congressional District of South Carolina not having any 
gas. They did not have any gas. And I was getting calls all the 
time. And this is because they didn't have dual-factor 
authentication on their logins. So, this is basic stuff.
    The EU passed the General Data Protection Regulation (GDPR) 
in 2016. A lot of people think that was overly prescriptive. It 
has created a lot of challenges. California has done the 
California Consumer Privacy Act (CCPA). That was in 2018. 
Colorado just signed one into law in 2021. Legislation is 
currently pending in Massachusetts, New Jersey, North Carolina, 
Ohio, and Pennsylvania.
    If we are going to try to do something in Congress: one, we 
are kind of late; and two, think about how challenging it is 
going to be. It would go through at least eight committees in 
the House, and probably five or six in the Senate. We don't 
need to just address the financial services component of 
cybersecurity and data privacy; we need to address the whole of 
the economy and the Government of the United States.
    This is going to become increasingly problematic. And I 
know that we generally only legislate in crisis moments, but we 
have an opportunity to get ahead of that. And there are a lot 
of different ways you can try to craft legislation that would 
accomplish this objective, but I don't know if we have the will 
to do it because committee jurisdiction people are very 
protective of their committee's jurisdiction. There is a 
possibility of perhaps doing a joint select committee on 
cybersecurity.
    We have to find a way to get everybody's buy-in before we--
it needs to be a collaborative process, because the perfect 
will always be the enemy of the good, and we have to get the 
experts to write this legislation.
    And it needs to be self-updating. We can't keep coming back 
and addressing every new development in technology. We don't 
have the ability--Congress doesn't do things like that.
    So, we are going to get to the questions in my next 5 
minutes, but one other thing I want to point out is preemption. 
What do you think the California delegation is going to do when 
we say that we are going to do away with the CCPA by Federal 
preemption, we are going to get rid of the law they have worked 
so hard on? They are going to go crazy.
    But we can't have a patchwork framework of regulations. It 
would create such an incredible regulatory burden, such a 
compliance burden for your banks and your credit unions and for 
all of the businesses.
    And I guess I am going to end with this: We are only as 
good as our weakest link. Small businesses or larger businesses 
that are breached, let's just use--we will go with Target or 
Home Depot. How much money do you think the banks had to spend 
to reissue tens of millions of debit cards? That is a 
compliance cost which is then passed along to the end users, to 
the customers.
    This affects so many people. It affects every aspect of our 
economy, every aspect of our government. We are ill-equipped as 
a body to address it. We are running out of time.
    So, that is the doom-and-gloom approach that I am going to 
begin with, and I am going to ask questions in the second 
round. But I look forward to you all weighing in on that 
assessment of the situation.
    And with that, Mr. Chairman, I yield back.
    Chairman Perlmutter. The gentleman yields back.
    And to close out this initial round of questioning, we will 
have Mr. Torres from New York ask his 5 minutes of questions. 
Then, with the witnesses' indulgence, I assume that Mr. Foster 
and Mr. Timmons would like to ask some questions in a second 
round, and anybody else--Mr. Lawson, Mr. Torres, you are 
welcome to do the same.
    With that, I yield to the gentleman from New York City, Mr. 
Torres, for 5 minutes.
    Mr. Torres. Thank you, Mr. Chairman.
    SolarWinds serves as a wake-up call about the vulnerability 
of the software supply chain. A malicious actor can target a 
computer network of a financial institution, not only directly, 
but also indirectly via the supply chain. So, we have a 
critical interest in securing the vulnerable supply chain that 
supports the financial system.
    My first question is for Mr. Newgard. Big banks like 
JPMorgan can invest a billion dollars a year in cybersecurity. 
Do small banks have sufficient resources for cybersecurity, in 
your estimation?
    Mr. Newgard. We do a very good job, I would say, as an 
industry. What we have done is relied on our core providers, 
because we simply don't have the ability to have all the 
redundancies and security at that level that the core provider 
does.
    I have actually toured those facilities, those data 
centers, and they have very robust redundancies and security 
that we couldn't provide.
    Mr. Torres. Thank you. If I can just interject for a 
moment, what percentage of a small bank's budget typically goes 
toward cybersecurity?
    Mr. Newgard. Just on the core side, we spend $51,500 a 
month, and that is just on our core provider. We have a whole 
department dedicated to cybersecurity and IT into the hundreds 
of thousands of dollars.
    Mr. Torres. And, Mr. Vazquez, same question for you. Do you 
feel credit unions have sufficient resources for cybersecurity, 
and what percentage of a credit union's budget, on average, 
goes toward cybersecurity?
    Mr. Vazquez. Yes, sir, thank you for that question. I feel 
I can answer the same. Credit unions, both large and small, are 
doing the best they can with the resources they have to 
mitigate the cybersecurity risks.
    For us, I can't tell you exactly what the percentage is, 
but I can tell you that just our cybersecurity budget for tools 
that we need to ensure that our data is safe is close to a 
million dollars. That does not incorporate the cost of the 
employees, and as mentioned earlier, that cost continues to go 
up as we fight for the right resources to get the right people 
in to manage these sophisticated tools that we have.
    A lot of smaller credit unions don't have the budget that 
we have. I am very, very thankful that our board and our 
executives are all bought in with cybersecurity and provide 
that budget for us to be able to buy the right tools, train our 
people, and ensure that we are doing the right thing.
    Mr. Torres. Mr. Newgard, you are the head of a bank, 
correct?
    Mr. Newgard. CEO.
    Mr. Torres. Do you typically assess the cyber hygiene of 
your technology service providers before hiring them or doing 
business with them?
    Mr. Newgard. Yes. We have an extensive vendor due diligence 
that we go through, and in the cyber area, we are increasing 
our level of reliance on them. We just went to a managed 
Security Operations Center (SOC) with DefenseStorm recently, 
which is a cost, but gives us more security.
    Mr. Torres. Do you know if all of your technology service 
providers have a chief information security officer?
    Mr. Newgard. Do I know if they have them? Yes.
    Mr. Torres. Do all of them have multi-factor authentication 
(MFA)?
    Mr. Newgard. I couldn't answer that broadly. I don't have 
knowledge of all of the providers.
    Mr. Torres. Do all of those technology service providers 
have third-party assessments of their cybersecurity practices?
    Mr. Newgard. I believe so.
    Mr. Torres. And, Mr. Vazquez, do you know if credit unions 
typically assess the cyber hygiene of their technology service 
providers before doing business with them?
    Mr. Vazquez. Yes, sir, we do. Fortunately, for Canvas, we 
do have a very robust vendor management program, and that 
allows us to query our vendors with contracts, ask for their 
SOC information, ensure that they are following the same 
practices that we expect them to.
    To answer an earlier question, most do have MFA. Some still 
only have a single sign-on using a password. And, 
obviously, we fight to have them change that, but not all 
vendors will do that. But, yes, we have them.
    Mr. Torres. My time has expired, and it might be easier 
said than done, but if I were a credit union or a bank, I would 
never do business with any service provider that did not have 
multi-factor authentication. That is the barest standard of 
cyber hygiene in the 21st Century.
    I yield back.
    Chairman Perlmutter. The gentleman yields back.
    We will move to a second round. And, with that, I yield to 
the gentleman from Illinois, Dr. Foster, for 5 minutes.
    Mr. Foster. Thank you, Mr. Chairman.
    I guess this is probably best for Mr. Newgard or Mr. 
Vazquez: Is the list of the market shares of all of the core 
processors publicly available? Are they well-known firms or are 
they sort of specialist firms? Just if you could, we will be 
asking--yes.
    Mr. Newgard. Yes, they are pretty well-known. Fiserv is the 
one that we use, but there are about three others that dominate 
that area.
    Mr. Foster. Okay. If you could respond for the record, just 
so we get a feeling who the big players are in that?
    Now, Mr. James, Mr. Newgard, and others, you mentioned 
problems with the noncompetitive markets for core processors, 
partly due to a consolidation, but also due to vendor capture 
due to the high cost of switching vendors for core processing. 
This strikes me as very much like the market for electronic 
health records, which will effectively capture hospital chains 
or doctors' offices because of the high cost of switching over 
to a different competitor for these systems.
    So, one of the things that we have attempted to do in 
Congress to make a more competitive operation is to have data 
portability standards and interoperability standards so that it 
is more realistic to switch vendors on this.
    Is there a need for something like this in this market, so 
you can make it a realistic threat to jump to a competitor? 
Have there been any discussions on this?
    Mr. James. I will jump in, Mr. Foster, and give you a quick 
example. We had one of our members, a Black-owned bank, that 
purchased another Black-owned institution that was not doing 
quite as well, and they just closed on the merger about 3 weeks 
ago.
    The purchasing bank was on one core provider, and the 
target bank was on a different core. They had to pay $1.2 
million to the target bank's core provider in order to move 
that data over to their core. And so, there is an enormous 
amount of cost.
    So, if we could have some kind of consistency and data 
portability across these providers, that would really free up 
competition, because it is extremely onerous. Even if you wait 
until your contract is expired and you want to move to a new 
core provider, it is still going to cost you into the high six 
figures in order to do a conversion, which is one of the 
reasons why a lot of our banks end up staying with the same 
company over and over again for these long-term contracts. It 
makes us less competitive. It is very costly. And if we could 
have some consistency in standards, I think you would introduce 
more competition into the marketplace.
    Mr. Foster. No, no, it is remarkable. There are markets 
where it is best that government just gets the heck out, like 
plain old internet, where we have said, okay, industry, figure 
it out, and any computer can talk to any other. But then there 
are markets, like electronic health records or apparently this 
market, where I guess the natural tendency toward monopoly is 
just so strong and toward vendor capture.
    Many of you have also mentioned identity fraud and 
synthetic identity fraud, social engineering, and phishing 
attacks. And there is a pretty broad consensus that we have to 
get away from password-based systems to more secure systems.
    There has been progress on this, including on the consumer-
facing thing, with the rollout of Mobile ID, sometimes called 
digital driver's licenses, by many States. They were a standard 
that was developed by NIST, and iPhone and Android are now 
supporting them. It is a big part of their recent rollout of 
new updates to their operating system. And several States are 
rolling these out.
    This allows you to essentially turn your cell phone into a 
security dongle that is associated with a REAL ID-compliant 
driver's license or other ID or a passport. And these things 
have the potential to really get rid of a lot of the agony that 
business and government sees with identity fraud.
    Has the rollout in States gone far enough that you have 
really seen an effect of using these for Know Your Customer 
(KYC) requirements and so on, or is it still early days? Are 
any of you sort of aware of the use of this?
    Mr. James. Yes. We are generally aware of the trend, but it 
is still very, very early. I know in the State of Georgia, 
where our bank is located, we have not seen that yet. I am not 
sure about any of the other panelists, but it is still early 
days for us.
    Mr. Vazquez. Yes, sir. And I would agree with Mr. James 
that the technology is in its infancy. We are aware of it and 
are paying attention to it, because we do actually believe, as 
you just mentioned, that passwords are a huge area that allows 
for compromise. If we can take that away and move to something 
of what you have and get away from passwords, that would be the 
perfect solution. But right now, the technology is in its 
infancy. And as soon as it matures, we will definitely be 
looking at that to bring into Canvas.
    Mr. Foster. Yes. I believe the technology is actually 
mature and--
    Chairman Perlmutter. The gentleman's time has expired.
    The gentleman from South Carolina, Mr. Timmons, is now 
recognized.
    Mr. Timmons. Thank you, Mr. Chairman.
    Mr. Jain, do you agree that Congress should preempt States 
and pass a comprehensive cybersecurity and data privacy 
framework for the U.S. economy?
    Mr. Jain. I definitely agree that Congress should pass that 
kind of legislation. I think on the preemption question, I 
would say two things. One, it is hard to answer the preemption 
question without knowing how strong the substantive protections 
are, because, obviously, if it is a really weak substantive 
privacy law, then that would, I think, mean that we wouldn't 
support preemption.
    And the second point I would make is that I don't think 
preemption is an all-or-nothing thing. In other words, it is 
not we preempt everything or we preempt nothing. I think there 
are some laws, like you have referenced, like the California 
law and the Colorado law, which would be fairly parallel in 
some ways to a Federal privacy law where if it were strong 
enough, it may make sense to preempt.
    On the other hand, there are other laws of general 
applicability that sometimes may read on privacy, whether it is 
civil rights laws that protect against discrimination or unfair 
and deceptive trade practice laws that deal with people who are 
deceptive in describing the privacy practices, where 
preemption, I think may not make sense. But I think there is 
room there to talk.
    Mr. Timmons. Sure. I have concerns about Congress' capacity 
to craft such legislation. Not that we are not competent in 
many ways, but this is very challenging.
    Do you think this is something that we could incorporate or 
ask NIST to take a first swipe at if we were to give them a 
general framework, to kind of work out some of the kinks on the 
front end and then maybe make it easier to go through the 
various committee jurisdictions?
    Mr. Jain. I would make two observations. One, there are 
actually quite a few bills out there, both on the Republican and 
Democratic side, that I think are credible efforts, and sort of 
move us down this road.
    I think it is quite possible that what legislation should 
do is to set forth basic duties and principles and then ask 
whether it is NIST or the FTC or some other regulatory agency, 
to try to fill those out and also, therefore, also be a little 
bit more nimble in sort of responding to new developments, as 
you noted earlier. But I think there are some credible efforts 
that are already out there in terms of bills.
    Mr. Timmons. Do you think a joint select committee would 
increase the likelihood of success of such an endeavor?
    Mr. Jain. I leave that to you, to some degree. I think the 
Commerce Committee in the Senate, and the Energy and Commerce 
Committee here in the House have, as I understand it, been 
taking the lead to the extent there has been activity around 
this. Whether that is sufficient jurisdictionally, I am not 
enough of an expert in congressional committee jurisdiction to 
be able to answer that.
    Mr. Timmons. I have a feeling that the chairwoman of this 
committee might want to have a piece of the conversation in 
here. But the same can probably be said for a number of other 
committees, and that is the biggest challenge that we have.
    Would you agree that GDPR and CCPA have perhaps gone a 
little bit too far in certain regards, and Congress should be 
careful not to take an overly-burdensome approach and perhaps 
try to facilitate some free-market solutions for enforcement 
mechanisms? I think one of the biggest challenges is growing 
government and creating standards when we are really just 
trying to facilitate best practices. What are your thoughts on 
that?
    Mr. Jain. I am not sure if I would characterize it 
necessarily as them going too far, so much as I would say that 
we need to move in a slightly different direction, which is 
that a lot of existing privacy laws focus on the idea of notice 
and then give consent on the part of consumers.
    And as I talked about in my testimony, we all know that 
most consumers never read those 30-page privacy policies. And 
so, I think a privacy law that is based on the assumption that 
people are going to do that just doesn't really make sense and 
doesn't match with the real world.
    What I do think we need to do is move more to a system in 
which we say, hey, there are some basic rules that if you are 
going to collect personal data, you have to follow. You have to 
minimize the data that you are going to collect. You shouldn't 
be sharing it in ways that are going to surprise consumers 
unless you go back and get permission, express permission from 
the consumers.
    And you put those kinds of rules in place so that you can't 
bury in the privacy policy somewhere, hey, we are going to 
share this with these 10 parties. I think what we need to do is 
move in that direction, which I think is less about is GDPR 
going too far or too less, but sort of shifting the paradigm a 
little bit.
    Mr. Timmons. Sure. I guess, last question: The U.S. economy 
is important, but the global economy also has an important role 
to play. What do you think about Congress trying to extend 
these protections to people abroad?
    Mr. Jain. We clearly have to pay attention to what is going 
on abroad, because most of our big companies obviously operate 
in multiple markets, and as a practical matter, it is very 
difficult for a large company to do different things, based on 
different geographies. That is why you see, for example, that a 
lot of companies follow GDPR sort of across the world, because 
it is just easier. Having implemented it, it is just easier for 
them to do that.
    I think if it is going to be hard for Congress to pass a 
privacy law, I think it is probably hard to negotiate a 
worldwide privacy law. But having said that, I think paying 
attention and trying to figure out how what we passed works and 
meshes with laws in other countries is an important piece of 
this.
    Mr. Timmons. Sure. Thank you for your time.
    I yield back.
    Chairman Perlmutter. The gentleman's time has expired.
    Mr. Jain, one of the things we used to call the contracts 
you are talking about, we called them adhesion contracts, where 
the consumer really doesn't have much choice and has to adhere 
to whatever it was that the other contracting party was 
demanding. And here, it is people who haven't even read the 
contract, much less have much say as to how it is drafted.
    I will now yield 5 minutes to the gentleman from New York 
City, Mr. Torres, for the last questioning. And I just want to 
thank the panel for allowing us to take extra time.
    Mr. Torres. Thank you, Mr. Chairman.
    According to a report from Trend Micro, in the first half 
of 2021, there has been a 1,318 percent increase in ransomware 
attacks against banks and credit unions. According to 
suspicious activity report data from the Financial Crimes 
Enforcement Network (FinCEN), in the first half of 2021, the 
ransom amount paid out was $590 million, compared to only $416 
million in all of 2020.
    This question is for Mr. James. Mr. James, the internet has 
been around for a while. Cryptocurrency has been around for a 
while. What is driving this inexplicable explosion of 
ransomware, particularly against financial institutions?
    Mr. James. I think that it was mentioned earlier, Mr. 
Torres, that these bad actors are going where they find the 
money. And they are attacking what they think are 
vulnerabilities in our overall system. So, they are going to 
attack those institutions that they perceive as vulnerable and 
they are going to attack those systems that they perceive as 
vulnerable, particularly those that have the ability to pay.
    And so our institutions, community banks, and minority 
depository institutions in particular, are being extremely 
vigilant about protecting our systems from these kinds of 
attacks, not only in terms of the amounts of money that we pay 
our core processors--at our institution, it is about $25,000 a 
month--but that all of the additional investments that we are 
making in training and people and consulting and infrastructure 
to try to keep up with the rapid rate of change and the rapid 
increase in these attacks.
    Mr. Torres. And do we know if the ransom payments are 
primarily coming from small banks or big banks? Do we know the 
distribution?
    Mr. James. I think it is primarily coming from larger 
institutions, rather than many of our members, but our members 
are being very, very vigilant and keeping aware of these 
situations.
    Most of our institutions are carrying cyber insurance 
contracts, cyber insurance policies that would help to mitigate 
the cost. But the cost of the premiums of those contracts also 
is increasing exponentially, and we really need to be mindful 
of that cost as well as we face additional attacks in the 
ransomware space.
    Mr. Torres. It seems to me that one of the greatest 
challenges to cybersecurity is a lack of enforcement. Almost 
all crimes in cyberspace go unpunished, with less than 1 
percent resulting in enforcement actions.
    According to Third Way, for every 1,000 cybercrimes, only 3 
of them will actually result in an arrest. Criminals are 
rational actors, so if the risks are low and the rewards are 
high, then cybercriminals have an incentive to commit 
cybercrimes in greater and greater numbers, at a faster and 
faster pace, and on a greater and greater scale.
    And the data is crystal clear that cybercrime is on an 
exponential curve. According to Cybersecurity Ventures, the 
cost of cybercrime will go from $3 billion in 2015, to a 
projected $6 billion in 2021, to a projected $10.5 trillion in 
2025. So, I am concerned about the trajectory of cybercrime, 
particularly as it relates to financial institutions.
    Mr. Jain, I have a question about Section 1033. I am a 
strong supporter of Section 1033, but there are some legitimate 
concerns about cybersecurity and legitimate concerns about data 
aggregators, which tend to be largely unregulated and 
unsupervised.
    How would you assess the state of cybersecurity with 
respect to data aggregators?
    Mr. Jain. I think there are some real issues there. In 
particular, I think what we have seen early on in the industry 
was the use of basically a technique called screen scraping, 
where essentially a consumer was turning over their credentials 
to the data aggregator, and the aggregator was scraping the 
information from the screen. And that clearly presented all 
sorts of security issues.
    I think we are starting to move toward a system in which 
the data aggregators are communicating with financial 
institutions through application programming interfaces (APIs) 
or sort of interfaces designed for that, which I think is a 
positive step. Nonetheless, data aggregators, in general, don't 
fall within the purview, for example, of Gramm-Leach-Bliley, 
which sets sort of the privacy and security standards for other 
actors in the financial system.
    So, I think it is important to impose privacy and security 
regulations on entities like data aggregators, ideally through, 
as we have been talking about, broad baseline privacy 
legislation, but short of that, then maybe bringing them within 
Gramm-Leach-Bliley at least as a transitional measure.
    Mr. Torres. Excellent. Thank you for the answer.
    Thank you, Mr. Chairman.
    Chairman Perlmutter. Thank you. The gentleman's time has 
expired.
    I want to thank our panel for your expert testimony today. 
And we really do appreciate you giving us a little extra time. 
Obviously, this is a hot topic for all of us, one that we 
really need to try to get our arms around.
    I think, as the chairwoman said, and as Mr. Luetkemeyer 
said, this is one area where there is a lot of common desire to 
minimize the attacks that we all face in the financial industry 
and elsewhere by cybercriminals and by nation-states and other 
bad actors.
    So, thank you all very much for your testimony today.
    I want to thank Mr. Thornton for putting these hybrid 
hearings together. It is not easy to have somebody in person 
and a number of folks on the platform, and it worked very well 
today. And I want to thank you for that, sir.
    The Chair notes that some Members may have additional 
questions for these witnesses, which they may wish to submit in 
writing. Without objection, the hearing record will remain open 
for 5 legislative days for Members to submit written questions 
to these witnesses and to place their responses in the record. 
Also, without objection, Members will have 5 legislative days 
to submit extraneous materials to the Chair for inclusion in 
the record.
    And without objection, statements will be entered into the 
record on behalf of the following organizations: the National 
Association of Federally-Insured Credit Unions (NAFCU); the 
Electronic Transactions Association; the American Bankers 
Association; and the Credit Union National Association.
    With that, thank you all very much. This hearing is now 
adjourned.
    [Whereupon, at 12:39 p.m., the hearing was adjourned.]

                            A P P E N D I X


                            November 3, 2021
                            