Collaboration between the financial services industry and government entities has increased in response to rapidly evolving cybersecurity threats, but both sides agree there is room for improvement. Experts at the SmartBrief Cybersecurity Forum in New York City on Tuesday identified increased information sharing and the enactment of legislation already making the rounds on Capitol Hill as two ways to enhance the security of today’s financial markets.
Karl Schimmeck, managing director of financial services operations for the Securities Industry and Financial Markets Association, said cybersecurity initiatives undertaken by the Obama Administration earlier this year have spurred greater engagement from a host of government agencies. Schimmeck also cited the NIST Framework unveiled in 2014 as an example of the government helping industry devise best practices that can be put to use by all firms – large and small.
Chris Feeney, president of the Financial Services Roundtable’s BITS technology policy division, said government could help by harmonizing state laws within the U.S. and enacting federal laws that address privacy and liability concerns that have left some firms apprehensive about sharing data.
Mark Clancy, the CEO of Soltra, said information sharing between the industry and the government used to be a “one-way street.” But Clancy said that has changed and the government now plays an active role in sharing intelligence that helps firms stay informed about the latest threats. For example, Clancy cited a list released recently by the FBI detailing the Top 10 cyber threats companies face. Such guidance helps firms prioritize their cybersecurity efforts, Clancy explained.
Thomas Ferlazzo, vice president of operational risk at the Federal Reserve Bank of New York, said government agencies are prepared to help firms test their cyber defenses, but such resources often go untapped because firms either aren’t aware of the programs or are hesitant to ask for such assistance. Ferlazzo urged firms to be proactive in their interaction with government agencies, adding that if firms wait until after they suffer an attack to contact law enforcement, it is already too late.
Clancy, who is also the chief information security officer for DTCC, said firms also can work through their general counsel and primary regulator to have a Request for Technical Assistance in place. Advance planning is crucial for this measure and firms must decide before they are attacked which governmental entities they will contact and who in the company has the authority to reach out for such assistance, Clancy said.
The challenge of measuring success
Clancy queried the panel about how they define success, noting that cybersecurity is unique in that it demands perfection. One successful attack can undermine years of pristine protection. Ferlazzo concurred with Clancy but stressed that the government remains ready to assist firms and that it does not expect perfection from financial services firms.
“Perfection? Wow. If you get there, please tell me and I will follow you and genuflect,” Ferlazzo said. “The challenge is: What are you doing to defend yourself? That’s what we ask first. How are you doing it is what we ask second. It’s really the who, what, where, how and why?”
Contributing writer: Sean McMahon