Regulators are increasing enforcement actions and penalties against the big banks for failures in cyber risk management, and the rest had better take notice. Between August and October of 2020, the Office of the Comptroller of the Currency (OCC), an independent bureau of the U.S. Department of the Treasury, imposed $625 million in fines on major financial institutions.[1] In the same period of 2019, no actions were taken against the banks (OCC, 2019), underscoring the magnitude of the 2020 actions.
In a 2019 statement, however, FDIC Chairwoman Jelena McWilliams predicted that fines would increase. She also admitted that protecting banks and consumer data is “prohibitively expensive.”[2] One may argue that we should have seen this coming, but realistically speaking, no one could have anticipated the ferocity with which regulators have gone after the banks these past few months. Nor could anyone have anticipated the financial scale we have seen, especially given the acknowledgement that there isn’t enough money to properly defend against the breaches they are experiencing.
Fines Against Financial Institutions for Cybersecurity Failures
The OCC levied massive fines—on just four banks—citing cybersecurity failures as the reason. Let’s break down that $625 million in fines in Table 1.
| Date | Institution | Fine | Reason |
| --- | --- | --- | --- |
| August 6, 2020 | Capital One | $80 million | 2019 hack of 100 million credit card applications[3] |
| October 7, 2020 | Citibank | $400 million | Deficiencies in data governance, risk management, and internal controls[4] |
| October 8, 2020 | Morgan Stanley | $60 million | Failing to properly decommission hardware containing sensitive data[5] |
| October 14, 2020 | USAA | $85 million | Unsafe and unsound practices related to the bank’s compliance risk management program and IT risk governance program[6] |

Table 1 - Fines against financial institutions for cybersecurity failures in 2020
Previously, there were numerous threats of enforcement against the banks, but actual penalties were limited. This new data shows that regulators are willing to take bold action to curtail bank practices they consider insufficient. Interestingly, these enforcement actions have all come in the latter part of the year, indicating that regulators are finally regaining their footing after COVID-19-related disruptions to their routines.
Fines Against Healthcare Organizations for Cybersecurity Failures
Now let’s look at how this compares to the only other commercial industry that is federally regulated for cybersecurity failures: healthcare. The healthcare industry is governed by the Health Insurance Portability and Accountability Act (HIPAA) through the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS). During that same period, August through October of 2020, the OCR settled fines totaling $11,046,500.[7] Of the 11 actions, the three largest fines totaled $10,650,000, or roughly 96.4% of the total. Table 2 details these three fines.
| Date | Organization | Fine | Reason |
| --- | --- | --- | --- |
| September 21, 2020 | Athens Orthopedic Clinic PA | $1.5 million | HIPAA noncompliance[8] |
| September 23, 2020 | CHSPSC LLC | $2.3 million | Breach of Protected Health Information (PHI) affecting more than 6 million people[9] |
| September 25, 2020 | Premera Blue Cross | $6.85 million | Breach of Protected Health Information (PHI) affecting more than 10.4 million people[10] |

Table 2 - Fines against healthcare organizations for cybersecurity failures in 2020
Compared to the same period in 2019, when there were only three fines against healthcare organizations totaling $2.2 million, the 2020 fines represent roughly a 392% increase. The trend is the same as in banking, but only 1.4% of the fines were imposed on the banks.
The Future of Cybersecurity Regulation Enforcement and Fines
Based on the trends, here are a few parting thoughts on what to look for going forward:
- Increased inspections. Regulatory inspections will increase in scope and velocity. Expect the rate of Requests for Information (RFIs) to go up and the required response times to go down.
- Fine-tuned frameworks. Focus on frameworks will increase, both from banks looking for defensible strategies and from regulators looking for clear-cut standards to assess against.
- Delayed improvements. Cloud transitions will be the long-term beneficiaries of this. Most organizations will not be able to achieve real risk management improvements without substantial refactoring. However, businesses will not be able or willing to invest in these major refactors without other business benefits such as speed, stability, and efficiency.
- Election-related shift. A Democratic presidential win may increase the rate of enforcement actions.