Financial institutions need to focus on resilience and sharing information about cybersecurity, which should be treated seriously as a matter of national defense in the US, said experts and regulators at the Securities Industry and Financial Markets Association’s Annual Meeting in Washington, D.C., on Tuesday.
“We need national defense priority on cybersecurity,” just as with nuclear defense, because no company has the budget to battle sovereign nations launching cyberattacks, said Ronald Kruszewski, chairman and CEO of Stifel Financial.
Jim Rosenthal, chief operating officer of Morgan Stanley, suggested the Reserve Officers’ Training Corps, or ROTC, could train students toward careers in cybersecurity to help make up for the US’ talent gap in that area.
Treasury Secretary Jack Lew and Securities and Exchange Commission Chair Mary Jo White reiterated the need for companies to share breach-related information with one another and with the government. Doing so will help other firms detect wider patterns and defend against the kinds of breaches that other organizations have already suffered, Lew said.
Companies face “the challenge of employing best practices, of sharing information so we can have our safeguards be at the maximum level, and staying ahead. … Every day, the threat evolves and changes,” he said.
In the coming year, organizations are likely to see the further emergence of ransomware and destructive malware, requiring them to go beyond guarding the “perimeter” to consider cyberhygiene and data-recovery measures, said Matthew Chung, managing director and chief information officer of technology and information risk at Morgan Stanley.
Attackers in many cases have taken advantage of “embarrassingly trivial” security flaws resulting from shortcomings in basic hygiene, said Melody Hildebrandt, director of cybersecurity at Palantir Technologies.
Meanwhile, the target of data breaches is shifting from account information to names, addresses and other personally identifiable information, or PII — a “far more pernicious threat,” she said.
Shawn Henry, president and chief security officer at CrowdStrike Services, said an even bigger concern than reputational risk from a cyberattack is the operational risk in cases where data is eliminated and a company is left unable to handle an essential function such as payroll.
“I think it’s critically important for organizations to understand that the government is not in the position” to stop such attacks, he said.
Heightened media attention to cyberattacks, however, means regulators are more interested in the issue, and companies that form a partnership with the government must make sure it is effective, said Gregory Rattray, director of global cyber partnerships and government strategy at JPMorgan Chase.
Experts at the event also discussed resources such as the Federal Financial Institutions Examination Council’s Cybersecurity Assessment Tool; touted the Financial Services Information Sharing and Analysis Center, or FS-ISAC; and explored the positive aspects and limitations of cyberinsurance.
Chung said the strategy behind the FFIEC’s tool is worthy of support, but its implementation has been flawed, partly because the tool does too little to account for residual risk and requires responses that are too binary in nature.
With regard to cyberinsurance, experts said more clarity is needed in how the risk is underwritten and how different types of incidents and acts are defined.
Chung described himself as a “big fan” of cyberinsurance, but said its limitations include the fact that policies cover just the amount of money involved with managing a cyberattack itself, not such additional costs as legal fees and forensics.
Meanwhile, underwriting tends to involve checklists on “how effectively you build the castle wall,” but an organization’s ability to respond, while crucial, remains difficult to determine, Rattray said.