In a presentation on Wednesday at the SIFMA/AICPA Financial Management Society Annual Conference, Arthur Lindo of the Federal Reserve talked knowingly of the Fed’s priorities on topics like bank capital requirements, Dodd Frank Section 608, commodities regulation and incentive compensation for financial services companies.
Important topics all, especially when it comes to being proactive in preventing another financial crisis like 2008-2009.
But Lindo, the senior associate director for policy in the Fed’s banking supervision division, saved some of his most pointed advice for the topic of cyber security, which he said is “right at the top” of the Fed’s priorities. He said that personally and overall at the Fed, “for the last two years there’s been an awakening.” Lindo said “I can reasonably predict liquidity” issues at banks, but “cybersecurity is just the opposite; you can’t plan a policy response or risk mitigation” using known metrics. Moreover, the “actors can be nation states” or insiders, they can be “malicious or hacktivist types; it can come from any source.”
It turns out that the major RIA custodians are already cooperating with each other to prepare for, prevent and mitigate such attacks.
Lindo said “we didn’t have that much experience pre-crisis” on cybersecurity threats. But he told the attendees that “you have to get to the point where you start thinking when an event will occur, not if. You have to be vigilant.”
Noting in passing that cybersecurity is a threat to individuals—“my identity has been compromised more than once, and I survived”—he said “you need a plan not just for yourself but for your organization.” He also warned against complacency and counseled “continued vigilance; you can’t buy a monitoring device and put it in the corner.” He said that at the Fed, “we call” that proactive approach to cybersecurity protection “hygiene. You need to take care of it every day, like your personal hygiene.”
So is there a specific strategy that works best? “As Tim Geithner used to say,” Lindo recalled, “‘Any plan beats no plan every time.’” Financial services firms, like SIFMA and AICPA members, must have “resilient” cybersecurity protection plans “across your organization” and make sure they encompass “the clients you serve and other stakeholders.”
At the Fed, Lindo said “we meet regularly with law enforcement and the intelligence community” to build its plans, but he also urged attendees to execute those plans: “Have a drill, like a fire drill.”
Lindo called for an industry-wide response to combatting cyberthreats, noting that the American energy and telecommunications sectors are doing just that. In their own cybersecurity plans, he urged the banking and brokerage sectors to include scenarios where firms lose power and telecom systems.
“Capital liquidity we have metrics for,” Lindo repeated. “We need the same for cybersecurity—an industry-wide response.”
In July 2013, SIFMA itself conducted just such a cybersecurity exercise, called ‘Quantum Dawn,’ which simulated a systemic cyber attack on the U.S. financial system. It continues to run those exercises periodically.
In releasing a report on the first exercise, conducted by a third party, Deloitte & Touche, SIFMA’s CEO at the time, Judd Gregg, said the exercise “demonstrated the industry’s resiliency when faced with serious cyber attacks that aimed to steal money, crash systems and disrupt equity market trading.” Ed Powers of Deloitte said at the time that “it’s unrealistic to expect that defenses can prevent all cyber incidents,” and called on the industry to “continue developing capabilities for detecting incidents when they occur, minimizing the impact on business and critical infrastructure, and tying these capabilities together in a comprehensive framework. Quantum Dawn 2 is an important step in that direction.”
It’s not just the securities industry that’s cooperating in identifying and preventing cyberattacks; RIA custodians are doing the same. At a presentation last week at the Junxure Advisor Conference in Las Vegas, Chris Vallely of TD Ameritrade revealed that TD and the other major RIA custodians hold a monthly call in which they share with each other the cybersecurity trends they’re seeing.