The Federal Communications Commission last week added Moscow-based cybersecurity software company Kaspersky to a list of companies whose products pose “a threat to national security.”
Although a company spokeswoman declined to say how many U.S. banks the privately owned company serves, the company is known to serve banks internationally, and in 2015 it identified a cyberattack targeting financial institutions. Kaspersky said recently on its website it protects the data of “over 400 million users” and that it has 240,000 corporate clients around the world.
Kaspersky-branded products have long been a top pick among independent reviewers, including AV Test, PC Magazine, TechRadar and Tom’s Guide, and a popular choice among U.S. banking consumers. Among the features in its consumer software is Safe Money, a web browser extension designed to protect consumers online where they enter bank or payment information.
Though last week’s announcement from the FCC about Kaspersky is not the first action against the company by the U.S. government, it is a timely message about the government’s stance on the company’s suite of products. According to Reuters, the government began privately warning some companies the day after Russia invaded Ukraine that Moscow could manipulate Kaspersky software to cause harm.
“Today’s action is the latest in the FCC’s ongoing efforts, as part of the greater whole-of-government approach, to strengthen America’s communications networks against national security threats, including examining the foreign ownership of telecommunications companies providing service in the United States and revoking the authorization to operate where necessary,” said FCC Chairwoman Jessica Rosenworcel.
Before the FCC declared that Kaspersky products pose a national security threat, Germany’s Federal Office for Information Security said on March 15 that any Russian IT manufacturer “can conduct offensive operations itself, be forced to attack target systems against its will, be spied on without its knowledge as a victim of a cyber operation or be misused as a tool for attacks against its own customers.”
The Italian Data Protection Authority said on March 18 it had begun a “fact-finding exercise” regarding Kaspersky products in response to alerts from “several IT security agencies both in Italy and in Europe regarding use of the software to wage cyber-attacks against Italian users.”
Kaspersky responded to the German statement by saying it was “not based on a technical assessment of Kaspersky products” but rather “made on political grounds.” The company said it relocated its cyberthreat-related data processing infrastructure to Switzerland in 2018 and that it had other processing operations in Canada, Germany and elsewhere.
“The security and integrity of our data services and engineering practices have been confirmed by independent third-party assessments: through the SOC 2 Audit conducted by a ‘Big Four’ auditor, and through the ISO27001 certification and recent re-certification by TÜV Austria,” a company statement reads.
Kaspersky doubled down on its line about politics after the FCC’s announcement last week, saying the government action was “a response to the geopolitical climate rather than a comprehensive evaluation of the integrity of Kaspersky’s products and services.”
A Kaspersky spokeswoman told American Banker the company’s technologies “are trusted by hundreds of global technology and OEM partners” and that it works together with law enforcement agencies including Interpol and Europol. The spokeswoman also said Kaspersky “does not have any ties to the Russian government.”
Critics pointed out Kaspersky counts the Russian government as one of its clients, attacked company CEO Eugene Kaspersky for his statement on Russia’s invasion of Ukraine and said his Russian employees could become targets of government coercion. Product review publication PC Magazine, which Kaspersky had previously held up as a positive reviewer, said it could “no longer recommend Kaspersky products.”
The FCC’s action last week cited a directive issued by the Department of Homeland Security in 2017, requiring all federal agencies to drop any reliance on Kaspersky products. Congress later passed a law affirming the action, and President Donald Trump signed it. The company responded by suing the government on a claim that it had been deprived of due process.
A judge later dismissed the lawsuit and a second case the company filed questioning the constitutionality of the related law, saying that although the actions could well have an adverse effect on the company, “that does not make them unconstitutional.”