SBC Hearing on Cybersecurity

Senate Banking Committee

“Cybersecurity: Risks to the Financial Services Industry and its Preparedness”

Thursday, May 24, 2018


Key Topics & Takeaways

  • Cybersecurity: This open session focused on cybersecurity in the financial sector. The witnesses came from a wide range of organizations and provided insight into the threats faced by the financial sector and its preparedness when it comes to cyber. Most of the recommendations focused on improved communication between the private and public sectors, efforts to enlarge the cybersecurity workforce, the challenges of third-party risk management, and incentivizing good cyber hygiene.

Witnesses

  • Bill Nelson, President and CEO, FS-ISAC
  • Michael Daniel, President and CEO, Cyber Threat Alliance
  • Phil Venables, Managing Director and Head of Operational Risk Management and Analysis, Goldman Sachs
  • Carl A. Kessler III, Senior Vice President and Chief Information Officer, First Mutual Holding Company
  • Bob Sydow, Principal, Americas Cyber Leader, Ernst & Young LLP

Opening Statements

Chairman Mike Crapo (R-Idaho), Senate Banking Committee
Crapo began his opening statement by recalling a similar hearing in 2014 that discussed data breaches. He then transitioned to a discussion of the Equifax breach to illustrate the concern regarding the growth of cyber threats with the rise of technology. He also expressed his concern about the collection of personally identifiable information (PII), and how that data is secured and protected. Crapo stated that he hoped to learn more about the cyberattacks and cyber threats to the financial services industry; the work being done in the financial services industry to increase cyber readiness, combat cyberattacks, and increase resiliency; and what more needs to be done by the private sector and government to help protect companies' and consumers' information.

Testimony

Bill Nelson, President and CEO, FS-ISAC
In his testimony, Nelson shared his experience as the head of the Financial Services Information Sharing and Analysis Center (FS-ISAC) and why information sharing is vital to fighting cybercrime. He noted that sharing is crucial across several pillars, including public-private partnerships (P3s), cross-sector sharing and institution-to-institution sharing. Nelson also provided an overview of the evolving tactics used by adversaries to target financial firms, including spear-phishing, malware attacks, ransomware attacks and distributed denial-of-service (DDoS) attacks. Nelson argued that the means to combat these evolving attacks is information sharing, creating playbooks for incident response and regularly holding exercises to test incident response. In concluding his testimony, Nelson made several recommendations: 1) encouraging regulators to harmonize cyber-regulatory requirements; 2) leveraging the Cybersecurity Information Sharing Act (CISA) and the Patriot Act to promote more effective information sharing; 3) establishing cyber-deterrence and response capabilities and encouraging adoption of global cyber norms; and 4) supporting efforts to develop a technology-capable workforce.

Michael Daniel, President and CEO, Cyber Threat Alliance
In his testimony, Daniel discussed the current cyber threat landscape. He expressed the broader point that as the country's digital dependence increases, cyber threats evolve as well. Daniel continued with a discussion of how cybersecurity is not just a technical problem: it has also become an economic, operational, human-psychology and national security issue. To that point, he expressed concern that there has not been enough time to develop the body of law, policy and practice needed to operate within the cybersecurity space. Daniel concluded his testimony with recommendations for both the government and the industry at large. With respect to the government, Daniel recommended that it focus on the comparative advantage of the unique information it has, its ability to incentivize good cybersecurity behavior, reinforcing stability in cyberspace, increasing resilience to cyberattacks and increasing operational collaboration between the public and private sectors. For the industry, Daniel recommended not treating cybersecurity as a purely technical problem, having senior executives prioritize cybersecurity readiness, implementing a holistic risk-management framework, having cyber incident response planning, and continued collaboration and information sharing with the public sector.

Phil Venables, Managing Director and Head of Operational Risk Management and Analysis, Goldman Sachs
Venables opened his testimony by discussing a number of factors that are contributing to increased inherent risk in the financial sector, which include the increased digitalization of financial services and the globally interconnected nature of the financial system. In discussing threats that come from both organized criminal groups and nation states, Venables noted the critical need for shared defenses across the financial sector to develop best practices and information sharing. In discussing his recommendations, Venables stressed the importance of viewing threats not just in terms of cybersecurity, but from the perspective of technology risk generally, because risk is posed not just by technology systems but by software errors, misconfiguration, outages and other resiliency issues. In his detailed recommendations, Venables suggested the following approaches: 1) integrating cybersecurity into the fabric of organizations; 2) improving capabilities amongst people, process and technology; and 3) designing technology and information-processing environments to be more inherently defendable and resilient in the face of attacks, including the examination of global supply chains for security issues and excess concentration risk on specific services or geographies.

Carl A. Kessler III, Senior Vice President and Chief Information Officer, First Mutual Holding Company
In his testimony, Kessler shared his perspective on community banks and how they navigate cybersecurity regulation, information sharing, community bank collaboration and customer transparency. Kessler opened his testimony by discussing how two key regulatory developments, the Dodd-Frank Act reforms and the related Office of Thrift Supervision (OTS) changes, yielded improvements to the cybersecurity readiness of community banks. Additionally, the Federal Financial Institutions Examination Council (FFIEC) established the Cybersecurity Assessment Tool (CAT), which created uniformity in evaluating cybersecurity risks. Kessler ultimately recommended ensuring the consistent availability of highly trained information technology (IT) examiners, whose skills are in high demand in both the public and private sectors. In discussing his recommendation to ensure cybersecurity rigor exists amongst non-bank financial services companies, Kessler also discussed the risk held by core processors. Since core processors are active acquirers of technology companies and roll out new products, each new venture adds its own risk into the environment. As a result, Kessler expressed his desire for more transparency in how service providers, like core processors, protect customer information.

Bob Sydow, Principal, Americas Cyber Leader, Ernst & Young LLP
In his testimony, Sydow noted his over 30 years of experience in the cybersecurity field and how it has informed his perspective on the state of cybersecurity in financial services, including the risks, threats and efforts to increase cyber readiness across the sector. Sydow presented his testimony through three client challenges: 1) how emerging interconnected technologies have created a complex third-party ecosystem; 2) the volume, velocity and precision of attacks; and 3) the shortage of cybersecurity resources and personnel. In discussing these challenges, Sydow also presented several areas of risk mitigation, which included: 1) how corporate governance and risk management can foster a cyber-minded culture; 2) use of the American Institute of CPAs' (AICPA's) Cybersecurity Risk Management Reporting Framework; and 3) the development of collaborative, flexible and harmonized policy solutions that help organizations better respond to the dynamic nature of the cybersecurity challenge. Sydow concluded his testimony by recommending that the government develop solutions to increase the cybersecurity workforce.

Question and Answer

Ranking Member Sherrod Brown (D-Ohio) asked Kessler if the baseline of consumer information needs improvement. Kessler responded that there is an opportunity to share more information with consumers. There was a follow-up question on whether it is important for an institution to notify consumers of a breach quickly. Kessler noted that it is important to notify as soon as practical after a law enforcement investigation.

Brown then asked Sydow to talk about economies of scale when it comes to cybersecurity where large community banks use large service providers. Sydow acknowledged that large banks can afford to staff and retain talent and buy technologies, whereas small banks would have to rely on these providers for what they cannot do with in-house employees.

Brown concluded his questions with Daniel, asking him if President Trump's elimination of the White House Cybersecurity Coordinator would be harmful. Daniel responded by saying the purpose of the position was to drive more coordination across the federal government, and that having strong leadership at the White House is important.

Sen. Mike Rounds (R-S.D.) opened his questions to Daniel by asking if financial institutions have a model in place where firms can be protected on a coordinated level. Daniel responded that risk can be managed through cooperation between the government and the private sector. Rounds then concluded by asking Daniel if the American public thinks that the federal government has a role to play in protecting data assets. Daniel noted that there is shared responsibility across all government organizations that touch cybersecurity and that it is not possible for the federal government to be the first line of defense as it is for physical attacks; this will always involve a P3.

Sen. Jack Reed (D-R.I.) asked Daniel if he agreed with Securities and Exchange Commission (SEC) Chairman Jay Clayton's sentiment that there are not enough cybersecurity disclosures from companies. Daniel noted that there is an information asymmetry which makes markets tougher to operate, but that companies are still learning how to address the issue.

Reed then turned to Sydow and asked him if it made sense to have a disclosure provision for companies. Sydow acknowledged that there is a challenge in translation between the technical world and the business world, which can partially be attributed to the lack of personnel that can translate.

Sen. Heidi Heitkamp (D-N.D.) opened her questioning to Venables by asking how resiliency can be built better as a whole. Venables advocated for more focus on cyber hygiene so that the easy attacks are easily thwarted and attention can be shifted to more challenging attacks. He suggested that employees and customers be educated on what best practices can be adopted. Daniel answered the same question by expressing the need to make cyber hygiene as simple as possible for consumers to use. Kessler elaborated upon this by suggesting a Cyber Education Month.

Sen. Catherine Cortez Masto (D-Nev.) asked Kessler to elaborate on the need to pass legislation that encourages information sharing. He noted that the solution would be to share threat indicators throughout the industry, but that updates do not come in real-time due to legal concerns. Nelson added that FS-ISAC’s information is shared without identifying information and that the organization should be used to anonymously report threats.

Sen. Doug Jones (D-Ala.) asked openly about what can be done to grow the cybersecurity workforce. Venables responded by stating the need to encourage education to feed the workforce. He also suggested the need to think across all sectors and to encourage every part of vocational training to have an element of thinking about cybersecurity, privacy and technology risk. Sydow noted that women make up only nine percent of the cybersecurity workforce and that more needs to be done to encourage more women to engage in this work.

Sen. Mark Warner (D-Va.) concluded the question and answer session by asking Venables about legacy IT systems and how upgrades are ensured. Venables noted that cybersecurity is important, but there are multiple technology risks, including how legacy systems are maintained and updated. He continued that most firms have standards for change management, software quality assurance and avoid major IT migration risk. He suggested a focus on change management, software acquisition and development, testing assurance and major project risk management. Venables ended his response by noting the need to invest in preventative maintenance.
