Top cybersecurity experts warned financial services execs Wednesday that cyber criminals are winning in the war on cyberattacks and offered ways financial services firms can shore up their businesses to prevent such infiltrations.
“We are now playing catch-up; the bad guys are winning at this time,” said Stephen Russell, practice leader of Cyber & Technology Risk Management at PricewaterhouseCoopers LLP. Indeed, Leo Taddeo, special agent in charge of the Special Operations/Cyber Division of the FBI, agreed that “the numbers show that we’re losing ground” to cyberattacks.
Both Russell and Taddeo were speaking at a cybersecurity conference held jointly in New York by the Financial Industry Regulatory Authority and the Securities Industry and Financial Markets Association.
Ken Bentsen, SIFMA’s CEO, told attendees at the event that preventing cyberattacks must be a collaborative effort between the industry, regulators and policymakers, as “cyberattacks are increasingly a major threat to national security and the U.S. financial system.”
Steve Randich, FINRA’s executive vice president and chief information officer, told attendees that firms must recognize “that breaches will happen,” and that they should focus “not just on prevention but the response” to those attacks.
Ninety percent of cyberattacks involve “phishing” email scams, the FBI’s Taddeo said, with most cyber intrusions not being detected for seven months. When breaches are detected, he said, it’s usually by a third party.
Last year “started with the Target attack and ended with the Sony hack,” Taddeo said. “We’ll see a continuing sophistication of the adversary,” adding that most of the cyber problems are in software, not hardware.
Russell of PwC said firms must “shift” how they view a cyberattack from an information technology issue to assessing a cyber event’s business management risk. “Leading organizations are addressing the business risks of cybersecurity” and the risks such attacks present to critical assets, he said.
The average cost of a cyber incident in 2014 was $22 million, Russell said. “This cost will continue to soar.”
A big theme at the event was addressing the “business” impact of an attack, not just its IT impact.