Cybersecurity is a hot topic at every financial services firm. SmartBrief recently connected with two experts from the Financial Services Roundtable – Jason Kratovil, Vice President of Government Affairs for Payments and Chris Feeney, President of BITS – to discuss cybersecurity legislation currently under consideration on Capitol Hill and what the industry is already doing to combat cyber threats.
The Financial Services Roundtable recently helped conduct a survey of bank directors and senior management on the role they play in managing the security of digital assets. What did the survey results show?
Chris Feeney: The results showed a dramatic increase in the number of boards actively addressing cyber risk at Forbes Global 2000 companies, with the financial industry as a clear leader in cyber improvement and focus. Cybersecurity is now a boardroom-level issue for nearly two-thirds (63%) of the companies surveyed, a significant jump from 2012, when only 33% of boards were actively addressing computer and information security. The financial industry had a 35% increase in cybersecurity focus, and the percentage of financial sector boards considering cyber risks when reviewing supplier relationships shot up 64% from 38% in 2012. The sector is the only sector to have 100% Chief Risk Officers. CROs play a key role in the overall cyber outlook of financial institutions and businesses, so that’s an important figure.
What is the most critical element of the legislation currently under consideration on Capitol Hill (CISA)?
Jason Kratovil: One of the goals of CISA is to encourage firms across the economy, in all sectors as well as financial services, to participate in the sharing of cyber threat information. With the growing severity and scale of cyber attacks, and the interdependence of all sectors of our economy, fostering an environment that maximizes the willingness of firms to share is the best way for everyone to guard against cyber attacks. CISA helps make this possible.
Is there anything that the legislation is lacking that would be helpful to the financial services industry?
Kratovil: No legislation is ever perfect. What’s important is getting CISA to the President’s desk in a way that preserves the core principles – liability and legal clarity – that will foster a robust cyber info sharing process in the US, while protecting the privacy of individuals. CISA does this, but some in the Senate want to strip away these essential elements.
What role does information sharing play in the current financial services cybersecurity landscape?
Feeney: Information sharing is critical to operating an effective security program. The ability to work with similar institutions to learn what they have done to improve their cybersecurity programs; deploying key technologies, sharing best practices for response and recovery, sharing threat information quickly (via avenues such as the FS-ISAC) so firms can dynamically focus resources as the threat landscape changes is all predicated on good, open and timely information sharing. The financial services industry has been at the forefront of information sharing and the industry as a whole has benefited from the open and confidential collaboration and improved coordination that comes from sharing critical information and practices. This ‘team sport’ approach is the best way to combat the existing and evolving threats that are evident today.
How has the collaboration between industry and government evolved in the last year?
Feeney: Collaboration has been expanding in the past year with the government and private sector firms spending considerably more time coordinating efforts, discussing key infrastructure capabilities and meeting on a regular basis to share initiatives. The Financial Sector works actively with our lead agency, the Treasury Department, on key initiatives but also with the White House, Law Enforcement (including the upcoming information sharing open houses across the nation next week) and other agencies such as the Department of Homeland Security.
What challenges does the financial services industry face in recruiting and developing cybersecurity talent?
Feeney: As in any accelerating part of the technology space, the ability to continuously recruit and train resources requires consistent focus. The emergence of degreed programs at many universities is helping funnel good candidates into the space but the demand is at an all-time high, and there is competition for talent. Recruiting the right talent has become more difficult as firms are building out their security footprint. Beyond reaching into their local communities and increasing their partnerships with universities, firms are expanding their net to reach qualified candidates outside their region and investing in internal training programs, rotational programs for currently employed and qualified engineers and expanding the program/governance management teams to keep pace.