ThinkAdvisor


Bad Guys ‘Winning’ in Cyberattacks


Top cybersecurity experts warned financial services execs Wednesday that cyber criminals are winning in the war on cyberattacks and offered ways financial services firms can shore up their businesses to prevent such infiltrations.

“We are now playing catch-up; the bad guys are winning at this time,” said Stephen Russell, practice leader of Cyber & Technology Risk Management at PricewaterhouseCoopers LLP. Indeed, Leo Taddeo, special agent in charge of the Special Operations/Cyber Division of the FBI, agreed that “the numbers show that we’re losing ground” to cyberattacks.

Both Russell and Taddeo were speaking at a cybersecurity conference held jointly in New York by the Financial Industry Regulatory Authority and the Securities Industry and Financial Markets Association.

Ken Bentsen, SIFMA’s CEO, told attendees at the event that preventing cyberattacks must be a collaborative effort between the industry, regulators and policymakers, as “cyberattacks are increasingly a major threat to national security and the U.S. financial system.”

Steve Randich, FINRA’s executive vice president and chief information officer, told attendees that firms must recognize “that breaches will happen,” and that they should focus “not just on prevention but the response” to those attacks.

Ninety percent of cyberattacks involve “phishing” email scams, the FBI’s Taddeo said, with most cyber intrusions not being detected for seven months. When breaches are detected, he said, it’s usually by a third party.

Last year “started with the Target attack and ended with the Sony hack,” Taddeo said. “We’ll see a continuing sophistication of the adversary,” he said, adding that most of the cyber problems are in software, not hardware.

Russell of PwC said firms must “shift” how they view a cyberattack from an information technology issue to assessing a cyber event’s business management risk. “Leading organizations are addressing the business risks of cybersecurity” and the risks such attacks present to critical assets, he said.

The average cost of a cyber incident in 2014 was $22 million, Russell said. “This cost will continue to soar.”

A big theme at the event was addressing the “business” impact of an attack, not just its IT impact. 

A firm’s “cyber resiliency” depends on how well the firm “can keep pace with cyber threats” and “gain more insight” into what the company’s potential threats are, Russell continued. He added that the executive management team must “own and manage” cyber risks, and not just leave those duties to be conducted solely by the chief information officer and chief information security officer.

Acknowledging that preventing cyberattacks “is a challenge for every organization” regardless of its size, Russell advised smaller firms to “continue to view IT practices as good health and hygiene,” and noted that “standardized” cybersecurity regulations remain “a work in progress,” which eventually will result in “a much more streamlined approach in this area.”

Bentsen noted that SIFMA is promoting use of the Cybersecurity Framework issued by the National Institute of Standards and Technology, or NIST, and is working with its members to develop standards “tailored” to broker-dealers and asset managers. SIFMA, Bentsen said, is also working with “critical infrastructure and other market participants to design processes that will allow firms and their vendors to measure and attest to their use” of the NIST Cybersecurity Framework.

Bentsen added that congressional action is needed “to strengthen our nation’s cyber defenses by codifying liability protections that promote enhanced information sharing between the industry and government, while balancing the need for important privacy protections for individuals.”

SIFMA, Bentsen continued, “strongly encourages Congress to make cybersecurity a priority and pass legislation that facilitates improved information sharing and enables the industry and government agencies to work together in the most effective way possible.”

Indeed, Paul Smocer, president of the Financial Services Roundtable’s cybersecurity and technology think tank, BITS, testified before the Senate Committee on Commerce, Science and Transportation on Wednesday that while the NIST framework “has been a helpful tool to the industry, it is not a silver bullet to ending cyber threats, and requires additional action from Congress.”

Said Smocer: “Organizations across the economy are already using the framework to assess and improve cybersecurity. But more work still needs to be done.”

Congress, he said, “must enact legislation that incentivizes the sharing and receiving of cyber threat indicators amongst companies within sectors, between sectors and with the government.”
