It’s no secret that the internet has changed the way we do business in nearly every industry. On the other hand, the dangers of limited cyber regulations are quickly becoming a focus for the government due to the frequency and impact of data breaches. It’s becoming apparent that convenience comes at the price of security—the federal government is taking notice.
Secretary Lew of the US Department of the Treasury addressed this issue specifically at the 2014 Delivering Alpha Conference, hinting at federal government concern and potential involvement in cybersecurity of financial service organizations. “Far too many hedge funds, asset managers, insurance providers, exchanges, financial market utilities, and banks should and could be doing more,” he said of the financial service industry. Secretary Lew didn’t name names, but cited that the reason for a lack of cooperation with the federal government is becoming a serious problem. “Disclosing security breaches is often perceived as something that could harm a firm’s reputation. This has made many businesses reluctant to reveal information about cyber incidents.”
That way of thinking, however, could destroy the financial service industry altogether, he said. Cybersecurity breaches do more than compromise individuals’ sensitive information such as credit card data or account information, which alone could highly disturb consumer confidence. In addition, breaches could damage the US economy in a major way:
“When trade secrets are robbed, it undercuts America’s businesses and undermines US competitiveness. And successful attacks on our financial system would compromise market confidence, jeopardize the integrity of data, and pose a threat to financial stability.”
In the best case, reluctance of financial service providers to report breaches boosts the number of successful (and avoidable) breaches. In the worst case, however, consumer and market confidence decrease to dangerously low levels, damaging the US economy. The financial services industry could take a bigger hit than would have been dealt from a breach disclosure. The integrity of the business, the data and the US market are vulnerable. In the long run, essentially, reluctance will only exacerbate the problem.
“It is imperative that firms collaborate with government agencies and with other firms,” said Secretary Lew. Digital defense is quickly becoming a matter of national security. Several government agencies have already become involved in the development of cybersecurity and, according to Lew, the Obama Administration is planning to collaborate with the private sector to “improve information sharing.” The private companies have the primary responsibility in protecting themselves, however, in the way that they see fit. It is also their responsibility to prosecute cyber criminals, hold state-sponsored attackers accountable, and to report incidents. This is a call to improve practices before there is a major breach, damaging the industry.
To help guide financial services firms, specifically advisors, brokers and asset managers the SEC had developed the Cyber Security Initiative. They have outlined areas in which an organization should adopt security controls to combat cyber risk. These organizations should use this as a baseline for their security programs. They should also partner with an independent third party that can review, test and recommend changes to their security program.
On that note, on July 10th, about the same time as Lew’s speech, saw the introduction of the “Cybersecurity Information Sharing Act of 2014” (CISA). CISA (not to be confused with a “Certified Information Security Auditor”) expressly allows the sharing of information between private organizations and the Federal Government under a proposed new system that would allow for real-time, spontaneous sharing with all involved organizations within the Federal Government. Private organizations’ peers and the government, therefore, would be able to collect, investigate, and mitigate cybersecurity threats in a more collaborative manner. If passed, the act would make the sharing of information regarding cybersecurity easier, confidential, and legal as long as it is allowed in CISA. It would universally raise the bar in terms of security and it would likely nip several breaches in the bud. Instead of waiting like sitting ducks, several organizations will benefit if the bill passes. Instead of hiding cybersecurity breaches, then, companies would have to worry less about them happening in the first place—they would have the right to seek and track threats within their own information systems and then share their findings.
CISA is definitely a step in the direction of a more complete cybersecurity. And, more importantly, it insinuates more government involvement in cybersecurity overall.
Read the proposed act (or learn more) here: https://beta.congress.gov/bill/113th-congress/senate-bill/2588/text
Read the other excerpts from secretary Lew’s speech here: http://www.treasury.gov/press-center/press-releases/Pages/jl2569.aspx