Atlantic Council Event on Risk and Resilience for the Financial Sector

ON MARCH 19TH, THE ATLANTIC COUNCIL held its monthly Cyber Risk Panel. Speakers included John Carlson, Executive Vice President for Technology Risk, Financial Services Roundtable (FSR); Brian Peretti, Acting Director, Office of Critical Infrastructure Protection and Compliance Policy, U.S. Department of the Treasury; and Lilly Thomas, Vice President, Independent Community Bankers of America (ICBA).

The Cyber Environment

Carlson said he has seen the cyber environment migrate from fraud toward disruptive attacks, including hacktivists, nation-state-backed attacks, Distributed Denial of Service (DDoS) attacks, and even the recent data breaches at major retailers. “The problem,” Carlson explained, “is reputational risk, not significant losses.” Down the road, Carlson is concerned about attacks that can change information or call the integrity of data into question, which can disrupt the market.

Peretti stated that, from the government’s perspective, they must figure out how to develop tools that serve both large and smaller institutions. Larger institutions, he said, have the resources to defend themselves, whereas smaller institutions do not.

Thomas, speaking for smaller financial institutions, said that cyber security threats often carry not just reputational risk but financial risk as well.

Information Sharing

The key to everything, Peretti said, is information sharing. Firms see attackers pinging their systems all the time, and the Treasury is trying to foster an environment where financial institutions share that information across the board. Treasury is listening to the industry about which key pieces of information will be most helpful to them, Peretti said. He went on to say that they have seen firms showing a large willingness to share information with each other. Financial institutions are trading partners with each other, and “it’s not a competitive advantage for one institution to work and the other to not,” he said.

Thomas commented that for smaller banks information sharing is critical, and that even though smaller institutions are not targeted as often as larger firms, the risk does trickle down.

Carlson said the “financial service industry is very regulated, probably the heaviest regulated of all industries.” In light of that regulation, Carlson wanted to underscore that over the last year and a half the FSR, the Financial Services Information Sharing and Analysis Center (FS-ISAC), and others have come together to focus on five major initiatives: 1) improving information sharing; 2) improving analytics to understand the information; 3) enhancing crisis management response and resiliency, including running simulations; 4) improving components of the ecosystem through R&D, such as the work to secure the .bank and .insurance domain names from the Internet Corporation for Assigned Names and Numbers (ICANN); and 5) improving executive communication and advocacy on the issue of cybersecurity.

NIST Framework

The National Institute of Standards and Technology (NIST) cybersecurity framework released last month was discussed. Thomas said that she doesn’t see it changing much for smaller institutions, which already have a lot of the standards in place.

Peretti explained that the framework was created to be used across sectors to aid in cyber security. Most financial institutions are already very sophisticated in their cyber defenses, he said. So while it may not be useful for a firm’s own cyber defense program, it could be beneficial when assessing the vendors and service providers the firm contracts with, he added.

Carlson said that, from the FSR’s perspective, four attributes make information sharing most successful: 1) trust in the system and counterparts; 2) protections around how information can be used, such as legal and non-disclosure agreements among firms; 3) context on what the information is and how relevant it is to a firm’s specific systems; and 4) timeliness in responses.

Looking Ahead

Carlson commented that cyber security needs to be looked at as “continual improvement.” One legislative suggestion he recommended was to pass a bill similar to the Cyber Intelligence Sharing and Protection Act (CISPA), which passed the House last year but not the Senate. The other area to look to, he said, is improving coordination between the financial services industry and the telecommunications industry, specifically to improve the payment ecosystem.

Thomas said that a national breach notification law is important. “Right now there is just a patchwork of state laws,” she said. And in the case of a security breach, she added, “we would like to see the costs borne by the entity that is breached.”

Peretti said the Treasury is focused on, and will continue to focus on, improving information sharing, adding that as the technology evolves, so do the attacks.
