Forget Thor, it’s time for Maslow’s Hammer

Haters gonna hate and regulators gonna regulate. And the Federal Reserve Board is no exception, especially when it comes to banks.

The latest target of Fed attention – and potential oversight – is cybersecurity. Not that the central bank is looking to expand its regulatory reach to the cybersecurity industry, but it could well be taking a closer look at how banks are dealing with the threat of cyber-attacks.

The subject came up recently at the Midwest Cyber Workshop held jointly by the Federal Reserve Banks of Chicago, Kansas City and St. Louis. In her welcoming remarks, Fed Board of Governors member Michelle Bowman spoke directly about the threat posed by cyber-attacks, especially on smaller banking organizations.

Bowman said that in 2021 there were more than 1,400 reports of attacks using ransomware – software designed to block computer access until a sum of money is paid – worth nearly $1.2 billion, and ransomware “disproportionately affects smaller banks that may not have sufficient resources to protect against these attacks.”

Bowman said one of the reasons for the increase in cyber-attacks is the spread of digital products and services offered by banks, and more customers moving to digital banking, which in turn creates new opportunities for cyber-attacks.

But the potential regulatory solution may surprise you. Rather than add another layer of oversight on the backs of smaller banks – which already face a heavier burden than their large, national and multi-national cousins – Bowman offered another way. Call it a third-party way.

The increase in digital banking and the demand by consumers for more innovation and convenience increased banks’ reliance on third-party vendors to provide those new technologies. Not only does that, in turn, create even more opportunities for cyber criminals, it adds another side of oversight to the already full plates of banking organizations.

“We should consider the appropriateness of shifting the regulatory burden from community banks to more efficiently focus directly on the service providers,” Bowman said, referring to the third-party vendors used by financial institutions to offer more services.

That seems reasonable and has a lot of appropriateness.

But some will still see it as regulatory overreach. And while it is always a good idea to monitor government oversight, that doesn’t mean the government overseers never have any good ideas of their own. Given the nature of the threat from cyber criminals and the economic, social and political havoc that would ensue if it were left unchecked, banks should be concerned about it and regulators should make sure they stay concerned.

Abraham Maslow was right when he said, “If the only tool you have is a hammer, you tend to see every problem as a nail.” But what Bowman describes isn’t policymakers wielding Maslow’s Hammer in an effort to enlarge an oversight regime. The Fed added to its supervisory toolbox after the Great Recession of the aughts and then again with the Covid-19 pandemic, so it has more than a regulatory hammer.

But in the fight against cyber-crime, it just may be a nail worth pounding.