With Cyber Threats to Financial Services, Questions Loom About Role of Regulation
By Maria Lokshin
Financial institutions are facing unrelenting threats from cyber criminals, industry participants told BNA in early August, but whether there is room for regulatory intervention is up for debate.
While financial regulators have taken notice of the looming dangers, some in the industry question whether rules would help insulate firms from cyber threats or simply impose additional regulatory burdens.
Cybersecurity poses an increasing threat for all global companies and industries–so much so that a recent Depository Trust & Clearing Corp. (DTCC) report called it potentially the “top systemic threat” to both financial services and other industries.
“The sector as a whole is actively under attack,” Karl Schimmeck, vice president of financial services operations at the Securities Industry and Financial Markets Association, said in a telephone interview.
According to Alan Tilles, chairman of the telecommunications department at Shulman Rogers Gandal Pordy & Ecker PA, Potomac, Md., the problem is even more widespread. “I can tell you that there isn’t a company of significant size in this country that hasn’t been the subject, on some level at least, of some kind of [cyber] attack,” he said in a telephone interview.
Financial regulators are homing in on the growing threat. According to Dave Burg, advisory principal at PricewaterhouseCoopers, prudential regulators in particular are “very well aware” of the issues surrounding cyber threats and are expected to “continue to be very aggressive” with respect to cybersecurity. Earlier this year, the Financial Stability Oversight Council–an omnibus body of financial regulators–cited in its annual report to Congress the mounting risk from cyber threats.
The Securities and Exchange Commission, too, has delved into the cybersecurity space. In 2011, agency staff issued guidance that said companies should disclose cybersecurity compromises because such problems can have a bearing on their financial health (200 SLD, 10/17/11).
SEC Chairman Mary Jo White recently said staff are reviewing companies’ disclosures of cyber breaches to see whether additional guidance is needed (94 SLD, 5/15/13). A source familiar with the matter told BNA that SEC staff have seen improved company disclosures of cyber incidents after the guidance was issued–particularly in the disclosures of risk factors.
In addition, the Financial Industry Regulatory Authority placed cybersecurity on its list of regulatory and examination priorities for 2013 and said it was concerned about the frequency of attacks and breaches at member firms (11 SLD, 1/16/13). A FINRA official recently said the self-regulatory organization has seen a “proliferation” of complaints about cyber breaches at broker-dealer firms (117 SLD, 6/18/13).
Whether prescriptive regulation would bolster cybersecurity in financial services, however, is up for debate. With respect to SEC disclosures, Burg said in a telephone interview that gauging the impact of a cyber attack or threat is difficult.
According to Burg, many companies “will disclose that cybersecurity risks are a component part of operating in a highly interconnected, technology-enabled world.” However, such disclosures “may lack the level of specificity to reveal or to describe or quantify the risks that the institution may be exposed to.”
For example, in Burg’s experience conducting investigations for some PwC clients, clients may not be aware that a cyber attack has taken place for months or even years. That makes it hard to understand and calculate the damages from the compromise.
Schimmeck also said that regulation may not be optimal in the cybersecurity space with respect to the financial services industry. The concern is that regulation could turn into a “compliance exercise” and become a “bit of a burden.”
Congress, White House
In response to the growing threat, Congress has rolled out multiple bills to fortify cyber infrastructure. In July, for instance, the Senate Commerce Committee cleared a bill (S. 1353) from Sen. John Rockefeller (D-W.Va.) and Sen. John Thune (R-S.D.) to authorize the National Institute of Standards and Technology–a part of the Department of Commerce–to craft voluntary cybersecurity standards for the private sector.
Another Senate bill (S. 1193) would establish a single federal standard for when companies would be required to notify individuals of certain data breaches. In April, the House passed legislation (H.R. 624) to increase cyber threat information sharing between the government and private businesses. “It’s a space that we’re watching very closely,” Burg said of the legislative initiatives.
According to Tilles, communication between businesses and the government is critical to address cybersecurity. The House bill, he said, would set the parameters of what information is shared and when.
The White House also has taken note. Earlier this year, President Obama issued an executive order that called on NIST to spearhead a framework for voluntary cybersecurity standards for the nation’s critical infrastructure owners and operators.
“There is an increased awareness on the part of the executive branch [about cybersecurity threats], and there’s a campaign to the business community that cybersecurity risks are real, they are significant, and that the government believes it has a role to help our economic security remain, in fact, secure,” Burg said.
According to Schimmeck, the industry is working hand in hand with the government to promote information sharing with respect to cyber threats. “We all band together and are working [on] this issue as kind of one sector, in partnership with the government,” he said.
Where the Money Is
In the meantime, the financial services sector may be exceptionally vulnerable to cyber attacks.
“Financial services is the place literally where the money is,” Burg said. “We’re operating in a time where the threat actors that are existent, in fact, challenge essentially all dimensions of companies or participants in the financial services industry.”
Cyber attacks on financial services targets can take many forms and have various goals. While some cyber criminals seek direct access to other people’s money, others hack to mine valuable information or simply to cause a disruption. Of note are so-called denial-of-service attacks on banks in particular. In such an attack, the attackers flood a bank’s web servers or network links with traffic until legitimate customers can no longer reach its online services.
According to Burg, there are also widespread attempts to steal highly sensitive, confidential information from firms, including proprietary trading algorithms that many entities spend “enormous” amounts of money to develop. In 2011, for example, a former Goldman Sachs (GS) programmer, Sergey Aleynikov, was sentenced to eight years in prison for allegedly stealing high-frequency trading code from the investment bank. The conviction, however, was overturned by the U.S. Court of Appeals for the Second Circuit, which concluded that the stolen code was not a “good” under the National Stolen Property Act or part of a product under the Economic Espionage Act (34 SLD, 2/22/12).
‘Core’ Business Issue
For these and other reasons, cybersecurity is no longer solely an information technology problem but a critical business issue.
“We certainly see an increasing number of senior-most executives at financial institutions looking to very good cybersecurity capability as no longer simply an IT issue but in fact really a core strategic business issue,” Burg said. “And many view excellent cyber capability and maturity really as a potential strategic advantage going forward.”
According to Schimmeck, the financial services industry spends generously to shield itself from cyber threats. “As a sector, we probably spend more than anybody else, outside the defense industrial base, on protections,” he said. “The incentive is there from a business standpoint to make sure we’re protected.”
However, Burg said the amount of money financial institutions spend defending against denial-of-service attacks, for instance, may be prohibitive. “Some of the largest banks in the world are spending enormous sums of money that may not be sustainable in the long run to increase the bandwidth of their networks to be able to withstand” such attacks, he said.
For his part, Tilles said the financial services sector is “very much on the ball” on cybersecurity, especially at the national level. “We need to trickle down that same kind of urgency” to smaller firms, he said. Tilles’ advice: “Be proactive.” “I can’t say enough about being proactive,” he said.
According to Tilles, that means solidifying communication between professionals on the technical side and the legal side. The technology professional can identify areas of cyber vulnerability, but the lawyer can peg the liability for failing to fix the problem. “It has to be a joint effort,” he said.