In a presentation on Wednesday at the SIFMA/AICPA Financial Management Society Annual Conference, Arthur Lindo of the Federal Reserve talked knowingly of the Fed’s priorities on topics like bank capital requirements, Dodd Frank Section 608, commodities regulation and incentive compensation for financial services companies.
Important topics all, especially when it comes to being proactive in preventing another financial crisis like 2008-2009.
But Lindo, the senior associate director for policy in the Fed’s banking supervision division, saved some of his most pointed advice for the topic of cyber security, which he said is “right at the top” of the Fed’s priorities. He said that personally and overall at the Fed, “for the last two years there’s been an awakening.” Lindo said “I can reasonably predict liquidity” issues at banks, but “cybersecurity is just the opposite; you can’t plan a policy response or risk mitigation” using know metrics. Moreover, the “actors can be nation states” or insiders, they can be “malicious or hacktivist types; it can come from any source.”
It turns out that the major RIA custodians are already cooperating with each other to prepare for, prevent and mitigate such attacks.
Lindo said “we didn’t have that much experience pre-crisis” on cybersecurity threats. But he told the attendees that “you have to get to the point where you start thinking when an event will occur, not if. You have to be vigilant.”
Noting in passing that cybersecurity is a threat to individuals—“my identity has been compromised more than once, and I survived”—he said “you need a plan not just for yourself but for your organization.” He also warned against complacency and counseled “continued vigilance; you can’t buy a monitoring device and put it in the corner.” He said that at the Fed, “we call”s that proactive approach to cybersecurity protection “hygiene. You need to take care of it every day, like your personal hygiene.”
So is there a specific strategy that works best? “As Tim Geithner used to say,” Lindo recalled, “’Any plan beats no plan every time.’” Financial services firms, like SiFMA and AICPA members, must have “resilient” cybersecurity protection plans “across your organization” and make sure it encompasses “the clients you serve and other stakeholders.”
At the Fed, Lindo said “we meet regularly with law enforcement and the intelligence community” to build its plans, but he also urged attendees to execute those plans: “Have a drill, like a fire drill.”