In comparison to other sectors, the financial sector has a relatively robust system for handling cyber risk. Awareness of cyber risks and sector-wide cooperation in tackling them are well established in the financial sector, in part because of the 2008 financial collapse, which forced financial institutions to assess not only their individual vulnerabilities but also systemic risks.
The fifth Cyber Risk Wednesday, a monthly series organized by the Cyber Statecraft Initiative, discussed the NIST framework’s impacts on the financial sector, the general risk environment, strengths and challenges, and mitigation methods currently in place. The discussion featured a well-balanced panel of speakers with experts from large financial institutions, small and community banking institutions, and government.
Neal Pollard, senior fellow at the Cyber Statecraft Initiative and director at PricewaterhouseCoopers, opened the discussion by outlining the cyber risk environment facing senior managers and C-level executives. John Carlson, executive vice president of technology risk at the Financial Services Roundtable, highlighted that for large firms the cyber risk environment has evolved from an early focus on fraud to broader issues linked to the actions of nation-states. He noted that banks are victimized by DDoS attacks and hacktivist campaigns that are often responses to wider geopolitical tensions rather than issues directly related to the banks themselves. Moreover, even though large banks may be able to absorb monetary losses stemming from cyber incidents, their biggest concern is the reputational cost resulting from major data breaches.
Although larger institutions can readily absorb financial losses, Lilly Thomas, vice president and regulatory counsel of the Independent Community Bankers of America, countered that for smaller institutions the financial burden is not negligible: smaller community banks recently reimbursed over $40 million in debit card fraud.
One of the many responsibilities of the US Department of the Treasury is to help steward the financial sector away from crises, including the emerging threat of cyber risk. Brian Peretti, acting director of the Office of Critical Infrastructure Protection and Compliance Policy, stressed the fine balance the US Treasury must strike between customer experience, privacy, and security, affirming that information sharing is the most effective way to establish best practices and build trust.
In terms of cascading risks, one advantage of the financial sector being one of the most heavily regulated sectors is that there are pre-established protocols for management of upstream entities such as third-party vendors and data security providers.
The difference in maneuverability between small community banks and larger banks was again underscored using the example of assessing potential vendors against the NIST framework: whereas larger firms can demand that their vendors comply, smaller institutions do not have the leverage to ask vendors to bear the costs of compliance. Nonetheless, all agreed that the NIST framework at the very least provides a signal to vendors and innovators about the types of security measures they should be building into new products and services.
Overall, the panelists concluded that cyber is a non-competitive enterprise, and that actors are learning that “squirreling away” information on attacks only weakens the whole system. This is why the FS-ISAC provides a critical platform for government agencies, financial institutions, and other interested critical industry sectors: it renders data about incidents shareable while protecting the identity of the breached party.
Going forward, the panelists suggested that increased collaboration between parties would arise from better legal protections for information sharing, including standards for threat notification. Standardizing breach notification laws at the federal level would remove much of the ambiguity caused by the current patchwork of state laws. With regard to new technologies introducing new vulnerabilities, more attention should be paid to new payment methods, such as mobile payment technologies, in order to improve the regulations protecting customers.
From the top of the industry down to the customer level, the financial industry is built on a foundation of trust. The financial sector is well equipped to tackle the challenges of cyber risk as long as the current trajectory of high-level dialogue continues to address the broader issue of creating real deterrents to cyber attacks.