Internal and External Forces Shaping Cybersecurity in Financial Services

Financial services already being one of America’s most highly regulated industries, recent news that Wall Street’s top trade group was calling for creation of a new inter-agency working group comprised of data security regulators at first seems like an added layer of oversight and perhaps an odd step.

Was the plan set out by the Securities Industry and Financial Markets Association (SIFMA) a reaction to the recent acceleration of nationwide data breaches?

The increasing size of data security breaches was demonstrated by the recent JP Morgan data breach. With some 84 million customer records affected, the severity of the attack was a major wakeup call for the industry, particularly as JP Morgan’s cyberdefenses are considered to be among the finest in the industry.

Citigroup heard a wakeup call of its own. Charles Blauner, a senior Citigroup executive, recently characterized the U.S. financial services sector as being “at war” when it comes to cybersecurity. Threats, he explained, emanate not only from the frequent attacks from cybercriminals. Foreign governments and overseas corporations pursue competitive information on client data, capital markets deals and pending acquisitions, seeking competitive advantage.

In addition, with financial services’ globally connected computer networks essential to its operation, the risks of bank disruptions leading to failures and possible systemic industry-wide breakdown raise the risks from cyber attacks to another level.

But are there other forces at work here driving SIFMA’s proposal?

For perspective I turned to financial services industry authority Sean Mahoney, partner in the Boston office of global legal firm K&L Gates, who offered that both internal and external forces were driving the motivation for the industry’s action.

“As an industry organization, SIFMA is representing its member firms’ concerns that, when there is a data breach, the firm is too often viewed by the regulators as a guilty party when in actuality the firm is a victim of malicious action,” Mahoney said. “The regulators’ attitude can all too often be, ‘You had a breach, therefore you weren’t complying with regulatory standards.’”

“It is becoming increasingly clear, not just in financial services but in all major business sectors nationwide that data breaches from cyber malware are a near certainty,” he adds.


“The clarity needed here is several fold. First is for the regulators to share the recognition that we are living in an era where security events are a way of life. Until cyber defense capabilities become more effective, breaches will continue to occur.”

“The second area of clarity is regulators’ acknowledgement that increased emphasis should be given to the financial services organization’s response strategy, i.e., if there is a breach, how quickly and effectively can the organization respond, limiting losses, exterminating the cause of the breach, and properly communicating with customers, partners and regulatory agencies?”

Blauner of Citigroup agrees. “You are going to get hacked. The bad guy will get you. Whether you are viewed as a success by your board of directors is going to depend on your response.”

Mahoney points out that achieving such clarity is more complicated than may be thought, since different regulators have different standards of data security regulatory compliance. “As SIFMA’s proposal states, there is a crying need for greater ‘harmonization’ between regulatory agencies so that the industry’s firms have a consistent set of compliance rules to adhere to.”

Thus the interest in a working group of regulators? “Absolutely. SIFMA feels the best way out of the inconsistencies of the multi-regulatory conundrum is collaboration between all parties, regulatory and industry.”

“The industry wants to be compliant and can best do so with a consistent set of rules. It is saying ‘give us a set of standards, steps that will actually work. Then let us implement them and be held accountable.’ The ‘Ten Principles for Effective Cybersecurity Regulatory Guidance’ proposed by the association are meant to provide a framework for this discussion.”

Is expecting to get the many parties involved in financial services data security regulation together behind a united approach for the industry too big a stretch? I ask.

“The stakes for the industry – for the economy – are too high for this not to happen,” Mahoney answers. “Everyone knows effecting these changes will require cooperation. This will be a process, not an event.”
