JPMorgan Chase & Co. Chief Executive Jamie Dimon fired one of the first shots in the financial services industry’s war on computer hackers after a 2014 cyberattack on his bank compromised the accounts of 7 million small businesses and 76 million households.
In a letter to shareholders that year, Dimon spoke of the “absolute, critical and immediate” need to combat cybersecurity threats along with related fraud issues and privacy protection.
Notably, Dimon followed up those words with an acknowledgment that businesses will have to work hand in hand with regulators to restrict use of the bank’s data by third parties and ensure that customers’ money and identities remain safe.
“I do not believe that most people fully understand what no longer is private and how their information is being bought, sold and used,” Dimon wrote. “It is critical that government and business and regulators collaborate effectively and in real time. Cybersecurity is an area where government and business have been working well together, but there is much more to be done. And if it is not done in a concerted way, we all will pay a terrible price.”
To be sure, the price that JPMorgan is willing to pay to protect its accounts and data keeps growing at an astronomical rate. In its 2014 annual report, the bank said it spent $250 million that year on its cyber-strengthening efforts.
Since then, JPMorgan has said it expects to double that amount in both 2015 and 2016, bringing its cybersecurity spending to $1 billion over the course of just two years.
Broker-dealers are engaged in a joint effort to advise each other when their computers have fallen victim to hacking attempts. Their primary channel for reporting such threats is the Financial Services Information Sharing and Analysis Center, or FS-ISAC, a worldwide network of regulated financial services firms and government agencies that allows members to collaborate and take action to avert security threats.
Andy Zolper, chief information technology officer for Raymond James, said the company is an active member of FS-ISAC, which currently comprises 7,000 member firms.
“We share threat intelligence on a daily basis with other FS-ISAC members about attack attempts,” Zolper said. “It’s anonymous. I don’t need to know whether it was Citibank or LPL Financial, but I know what the attack looked like on the day it happened. ‘Indicators of compromise’ is the trade term. We can then tune our defenses to stop that attack if it’s directed at Raymond James.”
As for Raymond James’ involvement with the regulatory issues around cybersecurity, Zolper said the company’s corporate structure requires oversight by a number of agencies, including the Federal Reserve, the Office of the Comptroller of the Currency, the Securities and Exchange Commission and the Financial Industry Regulatory Authority.
Zolper described a complex regulatory pathway that extends Raymond James’ cybersecurity supervision across the Fed, the OCC, the SEC, FINRA and the interagency Federal Financial Institutions Examination Council (FFIEC).
Even before the SEC and FINRA became involved in 2015, he said, Raymond James was operating under a cybersecurity framework launched in 2014 by the Obama administration and the Commerce Department’s National Institute of Standards and Technology (NIST).
While complicated, this regulatory pathway offers uniform cybersecurity standards and practices for broker-dealers, Zolper said.
“The SEC and FINRA have compared regulatory notes with other organizations. We have seen very good alignment between the SEC, NIST and FFIEC,” he said. “We haven’t seen anything in their emphasis that is materially different from what other regulators expect. We map points of focus to the existing framework on NIST to assure ourselves there are no gaps between what the SEC is expecting and what we already expect of ourselves based on our implementation of the NIST framework.”
The advisory industry, government and consumers all have the same goal of mitigating cyber threats, said Tom Price, managing director and head of technology and operations within the Securities Industry and Financial Markets Association, a trade group. SIFMA is an FS-ISAC supporter and has set a goal for 100% of its members to join FS-ISAC’s collaborative cybersecurity forum.
“Given the multitude of regulators that oversee the financial services industry, it is critical that cybersecurity rules be coordinated across agencies to avoid conflicting or divergent rules that would be counterproductive to our collective cyber defense efforts,” Price said in a statement.
Yet with FINRA and the SEC’s determined entry into the cybersecurity debate, it’s clear that these two heavyweight regulators are stepping up their game among broker-dealers.
Brian Edelman, chief executive of Financial Computer Services, a company with expertise in cybersecurity for broker-dealers, points to certain recent communications as “the two most important documents to come out in the cybersecurity space ever.”