December 10, 2014


WASHINGTON – U.S. Senator Mike Crapo (R-Idaho), Ranking Member of the Senate Banking, Housing and Urban Affairs Committee, today delivered the following remarks during a Banking Committee hearing:
Thank you, Mr. Chairman.  This morning, we are holding what may be the final Banking Committee hearing chaired by Chairman Johnson.
Mr. Chairman, let me reiterate what a pleasure it has been to work with you.  You and I have had a great working relationship for many years.  It has been a privilege to serve with you in the Senate, on this Committee and as Chairman and Ranking Member for the past two years, and I wish you the best of luck in the future.
Today, we have gathered to discuss cybersecurity in the financial sector.  A “60 Minutes” segment that aired last week called 2014 “the year of the data breach.”  One recent study estimated that sixty percent of companies overall have experienced a breach in the last two years.  This includes a number of high-profile breaches in which hackers have stolen personal and financial information from millions of consumers.
These breaches can result in frustrating experiences for consumers, including obtaining new credit or debit cards, monitoring accounts for fraudulent activity and the disruption of pre-authorized payments.  Additionally, financial institutions, especially community banks and credit unions, face significant costs in reissuing cards and covering losses. 
The financial sector itself is also a primary target for hackers because, as some have pointed out, “that’s where the money is.”  The largest banks are under constant attack every day and spend hundreds of millions of dollars per year on cyber defense.  What many may not realize is that the cost of defending against cyber attacks is remarkably disproportionate compared to the cost of attacking.
Hackers can purchase tools to exploit vulnerabilities for just a few hundred dollars, while firms must spend upwards of a million dollars or more to defend against specific cyber attacks.  The costs and burdens on smaller financial institutions to defend against attacks can be enormous.  JP Morgan Chase, the nation’s largest bank by assets, was attacked this summer, when hackers stole personal information from 76 million households and 7 million small businesses.  While this is certainly concerning, I am encouraged that despite spending weeks inside JP Morgan’s systems, the criminals reportedly were unable to steal any financial account information.
Maintaining a strong perimeter defense is one essential component of cybersecurity; minimizing damage if hackers get inside is another.  The impact of a major cyber attack against our financial system would be dire; in the words of Treasury Secretary Lew, “successful attacks on our financial system would compromise market confidence, jeopardize the integrity of data and pose a threat to financial stability.”
Many of your agencies have made cybersecurity a priority, and I applaud you for doing so.  In addition, the financial industry has devoted substantial resources to protecting its information systems, and is widely viewed as one of the most advanced sectors in terms of prioritizing cybersecurity.  Today, I hope to learn more about how the federal government is partnering with industry to ensure that our financial system is protected from cyber threats. 
What is the government’s process for obtaining threat information and delivering it to the private sector?  How can we improve this process to get the information where it needs to go more quickly? 
It is good that cybersecurity is getting attention from so many different agencies and offices and working groups.  While positive steps are being taken, we must make sure the process has not become so complicated that it slows down the outflow of information and hinders coordination.  Law enforcement, the Departments of Treasury and Homeland Security, the Intelligence Community and banking regulators must all work together effectively to maximize the speed of information sharing and to minimize the risk of and damage from cyber attacks.  I also hope to learn about the work being done by the FFIEC’s cybersecurity working group, and how that will inform exam procedures and policies moving forward. 

Thank you, Mr. Chairman, for holding this hearing, and I look forward to hearing testimony from each of the witnesses.