HFSC on the Financial Sector and Cyber Threats
House Financial Services Committee Subcommittee on Financial Institutions and Consumer Credit
“Protecting Critical Infrastructure: How the Financial Sector Addresses Cyber Threats”
Tuesday, May 19, 2015
Key Topics & Takeaways
- Information Sharing and Analysis Centers: SIFMA’s Bentsen said expanding membership in the ISACs is “critically important” and that SIFMA encourages regulators to promote regulated entities’ participation in the group and to develop information sharing standards across the sector.
- Government Coordination:
  - Bentsen stated that there should be transparency and harmonization among regulators when it comes to guidance, regulation, and inspection with respect to cyber defenses in firms.
  - Bentsen stated that both the Treasury and Department of Homeland Security have their place in the realm of cybersecurity, but that coordination should occur “at the top” within the executive office of the President.
- Personal Information: Rep. Luetkemeyer (R-Mo.) stressed the importance for privacy advocates to recognize that individuals’ personal information is not being shared in the interests of cybersecurity.
Speakers
- Kenneth E. Bentsen, Jr., President and Chief Executive Officer, SIFMA
- Greg Garcia, Executive Director, Financial Services Sector Coordinating Council
- Rob Nichols, President and Chief Executive Officer, Financial Services Forum
- Russell Fitzgibbons, Executive Vice President and Chief Risk Officer, The Clearing House
- Jason Healey, Senior Research Scholar, School of International and Policy Affairs, Columbia University
Opening Statements
In his opening statement, Chairman Randy Neugebauer (R-Texas) said the financial services sector is one of the most complex in the economy, and that given its position of critical importance it has become a top target of cyber attacks. He commended the sector for responding well to cyber threats, noting that it has been an active and constructive participant in efforts with government agencies. Neugebauer called cybersecurity a “shared responsibility” between the private and public sector, as well as between the U.S. and its global allies.
In his opening statement, Ranking Member William Lacy Clay (D-Mo.) stated that the financial services sector’s response to cyber concerns must reflect the dynamic nature of cyber threats. He commented that cybersecurity is one of “a few issues” where the Committee can work in a bipartisan fashion to ensure that regulators and their regulated entities have the resources they need.
Rep. Kyrsten Sinema (D-Ariz.) noted that thousands of data breaches occur every year that expose sensitive personal and financial information. She stated that the evolving nature of cyber threats calls for a “vigorous and dynamic response” and that securing the financial sector will require a strengthening of information sharing infrastructures.
Testimony
In his testimony, Kenneth E. Bentsen, Jr., President and Chief Executive Officer of the Securities Industry and Financial Markets Association (SIFMA), said it is important for the financial services sector to focus on future risks, and that “cyber is perhaps the greatest.” In order to ensure adequate defenses and recovery protocols, he said, it is critical that there be a robust public-private partnership, as the industry will not be fully effective without help from the government, and vice versa. Bentsen then explained a five-part effort undertaken by SIFMA that addresses cybersecurity threats and related risks to banks, broker-dealers, asset managers and the financial services industry as a whole. He stated that the ultimate goal of the effort is to better identify threats to the sector and how firms might better defend themselves. He also described SIFMA’s published Principles for Effective Cybersecurity Regulatory Guidance and how they build upon the NIST Cybersecurity Framework.
Bentsen stated that SIFMA members have been able to build off of after-action reports and lessons learned from a cyber exercise, called Quantum Dawn 2, and from experiences during and after Superstorm Sandy. He explained that these helped SIFMA develop protocols and recommendations for responding to a systemic incident within the equity and fixed income markets.
Bentsen continued that SIFMA is developing an improved process for firms to request technical assistance in the midst of a cyber attack from the federal government. He provided three areas where the cybersecurity effort would benefit from government involvement: 1) greater clarity on which government authority is the lead regulator during a cyber attack; 2) higher quality and increased frequency of classified briefings to the financial services sector; and 3) the need for an information sharing bill to be signed into law.
Greg Garcia, Executive Director, Financial Services Sector Coordinating Council (FSSCC), said in his testimony that successful cyber attacks could have significant impacts on the economy and the nation as a whole. He warned that many incidents have the potential to disrupt critical systems, even inadvertently. Garcia highlighted FSSCC’s and the financial sector’s objectives of identifying threats, promoting protection and preparedness, coordinating incident response through joint exercises, and considering how the policy environment can help advance cyber resiliency. He also stressed that there is not sufficient coordination among regulators and urged more uniformity in regulators’ examination procedures and the range of questions they ask, so that institutions can “focus more on securing our infrastructure and less on answering multiple questionnaires in different ways.”
In his testimony Rob Nichols, President and Chief Executive Officer, Financial Services Forum, stated that large financial institutions are at the “cutting edge” of cyber protection and have developed and deployed some of the most sophisticated and effective defenses against cyber attacks in the world. He specifically pointed to investments in “ever-more robust and automated systems of threat analysis and sharing.” He stressed the importance of automated sharing in the swift dissemination of threat information across the financial system.
Nichols also discussed the importance of cooperation between the industry and government, calling for legislation that would enable real-time information sharing while providing liability protections, targeted protections against public disclosures, privacy protections, and an expedited issuance of clearances to approved industry executives. He expressed support for legislation approved by the House and called on the Senate to follow suit.
Russell Fitzgibbons, Executive Vice President and Chief Risk Officer, The Clearing House, noted in his testimony that cyber threats to banking infrastructure have become more frequent and more sophisticated in recent years as criminal organizations and other groups have constantly innovated. He described efforts to improve cyber resilience, such as the development of secure token exchanges, engagement in training and exercises through simulations, and participation in extensive information sharing through the Financial Services Information Sharing and Analysis Center (FS-ISAC).
Fitzgibbons said the financial services sector has made considerable strides in its sharing both within the sector and with government partners, but that there are still areas for improvement in the analysis and contextualization of threat information. He added that government agencies must increase their prioritization and allocation of resources for declassifying information that pertains to network defense.
In his testimony, Jason Healey, Senior Research Scholar, School of International and Policy Affairs, Columbia University downplayed concerns that an attack could “take down” the entire financial services sector, commenting that a target can be disrupted but “keeping it down” is far more difficult.
Healey said that while the federal government pushes the need to share information, too much government information remains classified. He suggested that the Committee could provide “some added push” on government agencies.
Question and Answer
Simulated Cyber Attacks
Neugebauer asked Bentsen what benefits came from SIFMA’s cyber attack simulations. Bentsen stated that the simulations allowed for growth of the capabilities to respond to attacks and identified gaps in information sharing and coordination, while making sure the right parties were involved. He continued that Quantum Dawn 2 showed the need for more engagement from exchange partners and better coordination between industry and regulators before an event and during recovery. Bentsen added that deliverables for the financial services industry and federal government will be forthcoming.
Clay asked if it is reasonable to expect that financial institutions will be successful at stopping cyber attacks. Fitzgibbons explained that membership in ISACs is important because threat indicators are shared with members. Bentsen added that expanding membership in the ISACs is “critically important” and that SIFMA encourages regulators to have their regulated entities participate and develop standards across the sector.
Neugebauer asked how the Soltra Edge database that holds cyber threat intelligence is updated and distributed. Fitzgibbons explained that members of the database who have threat indicators upload the information using appropriate standards, and that the information is then distributed to all members. He continued that member detection systems can be automatically updated using the information from the database.
Rep. Scott Tipton (R-Colo.) asked about the participation of small businesses in ISACs. Bentsen highlighted that SIFMA decided to underwrite the costs for its smaller firms to get them involved in the FS-ISAC. He noted that many interconnections exist between firms and stressed the associated importance of maximizing engagement in cybersecurity.
Information Sharing Legislation
Rep. Roger Williams (R-Texas) questioned the need for the federal government to mandate policies on sharing information. Bentsen responded that the industry is working within the law today, but that it would be more effective with liability protections. He called on the federal government to look at what the industry has done to date and to create guidance that applies across regulatory agencies.
Safety of Money and Data
Rep. Mick Mulvaney (R-S.C.) noted Healey’s concerns about the risks of international actors acting out against the financial system and asked if Americans’ money is safe in the financial system. Healey answered that the financial system as a whole is safe, though an individual institution could be impacted by a sophisticated state actor.
Mulvaney followed up by asking if personal information is safe. Healey replied that he does not believe personal information is safe, but that of all the places where his information lives, he is most confident in the financial sector. Nichols agreed that the financial sector has the best protections available, and Bentsen commented that the industry has the “greatest interest” in keeping customer information safe.
Rep. Denny Heck (D-Wash.) asked if emerging new payment methods have increased exposure to cyber attacks. Fitzgibbons explained that cybersecurity innovation is driven by cyber threats and that the new technology has taken personally identifiable information “out of the mix.” He added that there is a “huge amount” of regulation with payment systems.
Rep. Blaine Luetkemeyer (R-Mo.) asked how much personal information is being shared by firms. Fitzgibbons answered that threat indicators such as IP addresses or bits of code are shared, but not personal information. Luetkemeyer commented that this is “the point I want to get to” and stressed the importance that privacy advocates recognize that individuals’ information is not being shared in the interests of cybersecurity.
Rep. Stevan Pearce (R-N.M.) asked Bentsen about transparency among regulators. Bentsen stated that there should be transparency and harmonization among regulators when it comes to guidance, regulation, and inspection with respect to cyber defenses of financial firms.
Rep. Ed Royce (R-Calif.) asked what regulator or agency should take the lead in any coordination within the government. Bentsen answered that both the Treasury and Department of Homeland Security have their place in the realm of cybersecurity, but that coordination should occur “at the top” within the executive office of the President.
For more information on this hearing, please click here.