The CFPB issued its Summer 2023 Supervisory Highlights, including a section on security protocols.

“The CFPB’s Supervision program evaluates information technology controls at supervised institutions that may impact compliance with Federal consumer financial law or implicate risk to consumers. The CFPB assesses the effectiveness of information technology controls in detecting and preventing data breaches and cyberattacks. For example, inadequate security for sensitive consumer information, weak password management controls, untimely software updates or failing to implement multi-factor authentication or a reasonable equivalent could cause or contribute to violations of law including the prohibition against engaging in UDAAPs.” In footnote 42, the Bureau suggests that such inadequate security protocols may violate other laws, including the new GLBA Safeguards Rule.

Examiners found that institutions engaged in unfair acts or practices by failing to implement adequate information technology security controls that could have prevented or mitigated cyberattacks. More specifically, the institutions’ password management policies for certain online accounts were weak, the entities failed to establish adequate controls in connection with log-in attempts, and the same entities also did not adequately implement multi-factor authentication or a reasonable equivalent for consumer accounts.

The entities’ lack of adequate information technology security controls caused substantial harm to consumers when bad actors accessed almost 8,000 consumer bank accounts and made fraudulent withdrawals in the sum of at least $800,000. Consumers were also injured because they had to devote significant time and resources to dealing with the impacts of the incident. For example, consumers had to contact the institutions to file disputes to determine why funds were missing from their accounts and then wait to be reimbursed by the institutions. Consumers may have had to spend additional time enrolling in credit monitoring services, identity theft protection services or changing their log-in credentials.

The impacted consumers could not reasonably avoid the injury caused by the institutions’ inadequate information technology security controls. Consumers do not have control over certain aspects of an institution’s security features, such as how many log-in attempts an institution allows before locking an account or the number of transactions it labels suspicious and therefore subjects to additional verification. Similarly, only the institutions can implement measures to mitigate or prevent cyberattacks, such as employing controls or tools to block automated malicious software (botnet) activity or ensuring that sufficient authentication protocols are in place, such as multi-factor authentication or an alternative of equivalent strength. Because consumers do not control these security measures, they were unable to reasonably avoid the injury caused by the cyberattacks. The injury to consumers outweighs any countervailing benefits, such as avoiding the cost of implementing the information technology controls necessary to prevent these types of attacks.

In response to these findings, the institutions are implementing multi-factor authentication, or a reasonable equivalent, enhancing password management practices, and implementing adequate controls for failed log-in attempts to prevent or mitigate unauthorized access to consumer accounts. Additionally, the institutions are providing remediation to impacted consumers.