HFS Subcommittee Discusses How to Protect Capital Markets and Financial Institutions from Cyber Threats
AT THIS MORNING’S HOUSE FINANCIAL SERVICES SUBCOMMITTEE HEARING, members heard from industry experts on how to best protect the financial services sector from cyber attacks.
Financial services firms face tremendous challenges in protecting the integrity of the data they maintain. The increase in cyber intrusions and cyber crimes in the past decade is cause for great concern, particularly to those in the financial services sector. These attacks and thefts are committed by a wide range of cyber criminals including activists motivated by anti-capitalist ideologies, professional cyber thieves, hostile nations, and organized criminal units.
The costs of cybercrime borne by businesses and consumers are significant. The 2011 Norton Cybercrime Report estimates that $388 billion was lost last year to cybercrime among the 24 countries polled; the loss in the U.S. alone was $114 billion. Symantec, the largest maker of computer-security software, has reported that data breaches cost individual businesses more than $7 million on average per breach, and that these losses will continue to rise. According to a recent Javelin Strategy & Research study, identity theft cost Americans $37 billion in 2010.
In his opening remarks, Chairman Scott Garrett (R-N.J.) noted the rise of high-profile cyber intrusions over the last few years, and called for enhanced cybersecurity protocols and infrastructure that maintain the privacy of personal data. He also highlighted the increase in corporate account takeovers, specifically noting their significantly adverse effect on small businesses. In closing, he said private industry and the government must remain vigilant when protecting personal and banking information.
In her brief opening statement, Rep. Carolyn Maloney (D-N.Y.) emphasized the importance of information sharing and the need to expand private sector access to cyber threat information.
In his opening statement, Errol Weiss, testifying on behalf of the Securities Industry and Financial Markets Association (SIFMA), highlighted the existing regulatory framework under which the financial services industry functions and the effectiveness of its cybersecurity infrastructure. Specifically, Weiss discussed the success of the Financial Services Information Sharing and Analysis Center (FS-ISAC), which collects and disseminates cyber threat information from financial services providers, commercial security firms, federal, state and local government agencies and law enforcement.
Additionally, Weiss urged members to keep the following principles in mind as they continue to debate legislative proposals to enhance the nation’s cyber defenses: 1) Legislators should leverage the existing ISACs and Department of Homeland Security (DHS) US-CERT to facilitate two-way and cross-sector public/private information sharing; 2) The Treasury Department, as the financial sector’s Sector Specific Agency, and the regulatory agencies through the Financial and Banking Information Infrastructure Committee, should determine what is considered critical infrastructure, not a “one-size-fits-all” regulatory solution; 3) U.S. universities must focus on developing the next crop of talented Information Security Professionals so that the financial services industry, and the nation, can adequately protect itself from cyber attack; 4) The U.S. should seek strong cooperation with foreign governments to improve cybersecurity and punish those that are responsible for cyber crimes; and 5) A single, uniform federal breach notification standard would reduce administrative oversight, establish clear notification guidelines, and, most importantly, reduce customer confusion.
In her opening statement, Michele Cantley, testifying on behalf of the FS-ISAC, provided a broad overview of the FS-ISAC’s coordination efforts and activities, highlighting the Center’s partnership with DHS on a number of initiatives that have significantly enhanced information sharing between government agencies and the financial services sector. She said cyber criminals are “constantly” updating their methods to stay a step ahead of cybersecurity measures, but noted that over the past two years, actual losses experienced by financial institutions and their customers as a result of cyber-related crime have “declined even as the number of attacks has increased.” In closing, Cantley said more work is needed on the international legal and diplomatic levels to enforce penalties on cyber crime, and urged law enforcement agencies to “aggressively” pursue cyber criminals.
In his opening statement, Mark Clancy, Corporate Information Security Officer at the Depository Trust and Clearing Corporation (DTCC), highlighted the DTCC’s approach to managing the current cyber risk environment, including the issuance of enterprise-wide risk assessments, which involve a thorough analysis of business functions and the facilities, systems, applications, business processes and people that perform them. He said cyber criminals today pose a “significant” threat to the U.S. capital markets, engaging in activities that include the theft of confidential data, preventing critical infrastructure from performing key market functions and damaging the integrity of market data and information. Despite these threats, Clancy said information sharing with government agencies through the Financial Services Sector Coordinating Council for Critical Infrastructure Protection and Homeland Security (FSSCC) and the FS-ISAC has helped the financial services sector to stay a step ahead of cyber criminals. He urged members to enhance and expand information sharing between the public and private sectors, specifically highlighting the need for more security clearances for the private sector.
In his opening statement, Mark Graff, Chief Information Security Officer of the NASDAQ OMX Group, provided an overview of NASDAQ’s efforts to protect itself from cyber attack, including the utilization of “many of the same methods used to defend the nation’s most highly classified networks.” Despite these efforts, Graff said NASDAQ has “serious concerns” about the worldwide attacks on critical infrastructure led by national governments, urging the government to respond to attacks of this nature the same way it would respond to an “attack from foreign missiles.” In closing, Graff expressed NASDAQ OMX’s support for H.R. 3523, the Cyber Intelligence Sharing and Protection Act (CISPA), noting the bill’s strong provisions to curtail the “numerous cybersecurity threats faced by business and government alike.”
In his opening statement, Paul Smocer, testifying on behalf of the Financial Services Roundtable (FSR), addressed current cybersecurity efforts at both the institutional and industry levels, collaborations within and beyond the financial services sector, and efforts underway to improve information sharing. He highlighted the work of the FS-ISAC and FSSCC, noting their collaboration with DHS to utilize available government agency data in an effort to enhance customer identity verification and stymie cyber crime. Smocer also emphasized the “key role” that consumers and businesses play in cybersecurity, highlighting financial institutions’ significant investments in education, and praising the passage of H.R. 2096, The Cybersecurity Enhancement Act of 2012.
In his opening statement, James Woodhill, a government and public relations advocate for YourMoneyIsNotSafeInTheBank.org, said corporate money is “not safe in the banks,” specifically criticizing the “official banking policy” of “shared responsibility,” which he says does not hold a bank liable for losses due to cyber crime. He advocated for greater financial sector accountability on cyber breaches and stolen funds, specifically calling on banks to fully disclose their online banking risks.
Question and Answer
Garrett asked Clancy how the financial services sector built up enough trust to facilitate effective information sharing. Clancy said the trust was built slowly, starting with anonymous reporting of cyber incidents through the FS-ISAC, and gained broader acceptance and effectiveness when a small group of FS-ISAC participants began actively sharing information about cyber threats to their respective firms. Clancy said that as the small group has grown and more trust was established between FS-ISAC participants, the FS-ISAC has become more effective.
Maloney and Rep. Robert Dold (R-Ill.) asked the witnesses how their financial institutions find out about cyber attacks and what they do to resolve them. Smocer said financial firms find out about cyber attacks through a variety of methods, including notifications from clients, internal cybersecurity teams and government agencies. He added that financial institutions constantly monitor for indicators of attack, invest millions in monitoring equipment and software, and share best practices. Graff said NASDAQ OMX proactively tries to identify bad actors so that it can better anticipate attacks and more easily identify an attacker once an attack on its systems has begun.
Maloney asked Weiss if financial firms are required to notify customers of a cyber attack. Weiss said if a cyber attack compromises personally identifiable information, there is regulation that requires the financial firm to notify its customers immediately.
Maloney also asked Weiss why SIFMA supports federal preemption of state laws related to breach notification. Weiss said it is difficult and time consuming to reconcile the more than 50 different state laws and local regulations on breach notification, adding that the differences between states and local jurisdictions also create customer confusion. He said there needs to be a national breach notification standard that will eliminate administrative overhead and allow financial institutions to disseminate breach notifications faster.
Maloney asked all the witnesses to detail how Congress can better protect the U.S. from cyber attacks. Cantley said that despite the amount of public/private information sharing currently taking place, more can be done to improve information sharing regimes, including faster delivery of cyber threat information. She added that exempting cybersecurity-related data from the Freedom of Information Act, better enforcement of cybersecurity laws by foreign governments, and coordination with telecommunications companies to cut off bandwidth to cyber attackers before an attack reaches sensitive information would significantly help the financial services sector to protect itself.
Vice Chairman David Schweikert (R-Ariz.) asked how quickly cyber attack information is disseminated. Weiss said it is disseminated “very rapidly” through the FS-ISAC, but noted that this type of information is shared “by people,” not automatically. Weiss said the financial services sector is taking steps to build an automatic notification system, but it requires significant capital investment.
Schweikert and Rep. Stephen Lynch (D-Mass.) asked the witnesses if smaller institutions are at a significant disadvantage when it comes to protecting themselves from a cyber attack. Graff said larger institutions are typically less susceptible to sophisticated attacks than smaller institutions, largely due to the difference in staff. Cantley said the FS-ISAC is working to educate consumers and smaller institutions so that they are more aware of cyber risks and bad actors. She added, however, that she does not believe there needs to be additional regulation to solve this issue, noting that the guidance from FFIEC and current education efforts are working to correct this imbalance.
Dold asked Cantley what role the government should play in protecting the private sector from cyber attacks. Cantley said the financial services industry would like the government to facilitate information sharing on a timely basis. Dold followed up by asking how quickly cyber threat information should be transferred from a government agency to the financial services sector. Cantley responded, “as soon as they know about it.”
Dold and Garrett asked the witnesses to identify the greatest cyber threat to their institutions and what Congress can do to help them combat that threat. Weiss said Congress must put more pressure on foreign governments to track down and punish cyber criminals, suggesting that the U.S. require foreign nations seeking to enter the international marketplace to enact strong cybersecurity legislation and prove their ability to enforce it. He added that phishing scams, affecting desktop computers and mobile devices alike, are also becoming a significant threat.
Rep. Steve Stivers (R-Ohio) asked Cantley how much of the “cyber attack problem” can be mitigated by proper computer hygiene. Cantley said good computer hygiene is important, noting that a large segment of consumers and businesses do not patch their computers and “aren’t even running antivirus software, much less anti-malware software.” Following up, Stivers asked at what point the financial services industry will determine that it cannot allow consumers who don’t run antivirus and anti-malware software to connect to their institutions. Cantley said some institutions may choose to do that, but focusing on better validation methods and behavior analysis is more effective.
Stivers asked if CISPA allows the government to share risk information efficiently enough. Clancy said the financial services sector appreciates all efforts to improve public/private information sharing regimes, but the legislation fails to address some of the legal hurdles to sharing information with the government. He added that the industry does not want a new information sharing clearinghouse because the FS-ISAC has proven to be very effective and more bureaucracy would dampen the amount and type of information shared.
Stivers also asked if extending Regulation E to businesses is a viable way to hold banks accountable for losses due to corporate account takeovers. Cantley said commercial and small businesses are covered, in every state, by Uniform Commercial Code (UCC) 4A, “which we feel has stood the test of time in addressing this issue.” Woodhill said his organization has “deep concerns” about making small bankers liable for the risks that they “cannot really understand and they cannot really manage.”
Rep. Randy Neugebauer (R-Texas) asked Clancy and Graff if the industry has any concerns about sharing data with the Office of Financial Research (OFR). Clancy said the industry is working on the best ways to share information with the OFR, but noted that the methods currently being used are “ad-hoc” due to how new the OFR is. Graff added that “the more intense concern” is protecting the data once it has been delivered to federal networks since the government is “a very strong target” for cyber attack.