SEC Holds Roundtable on Cybersecurity

The Securities and Exchange Commission (SEC) hosted a roundtable discussion regarding cybersecurity and the issues and challenges it raises for market participants and public companies, and how they are addressing those concerns.

Panel 1: Cybersecurity Landscape

The first panel covered the Cybersecurity Landscape and the panelists included: Cyrus Amir-Mokri, Assistant Secretary for Financial Institutions, Department of the Treasury; Mary E. Galligan, Director, Cyber Risk Services, Deloitte & Touche LLP; Javier Ortiz, Vice President, Strategy and Global Head of Government Affairs, TaaSera, Inc.; Andy Roth, Partner and Co-Chair, Global Privacy and Security Group, Dentons US LLP; Ari Schwartz, Acting Senior Director for Cybersecurity Programs, National Security Council, The White House; Adam Sedgewick, Senior Information Technology Policy Advisor, National Institute of Standards and Technology; and Larry Zelvin, Director, National Cybersecurity and Communications Integration Center, U.S. Department of Homeland Security.

Opening Statements 

Mary Galligan said that cyber threats need to be broken into three aspects: 1) the matrix of actors and methods; 2) information sharing; and 3) the ability to be resilient. The actors in cyber threats to the financial services industry are much more varied than in other sectors, Galligan said; they include organized criminals, nation states, terrorists, and hacktivists.

Cyrus Amir-Mokri stated that the Treasury looks at cybersecurity in three aspects: 1) resilience – what firms do themselves for protection; 2) incident management – how firms and others respond to a threat; and 3) recovery – how the private and public sectors deal with the threat after it has happened. “We view it as a whole government effort,” Amir-Mokri said. The bottom line, he said, is that the effort requires coordination from everyone.

Most Common Threats 

Ari Schwartz reiterated the fact that the threats are coming from a multitude of actors and that nation states, criminals, and hacktivists each have different motivations and different tools. Larry Zelvin highlighted the possibility of an inside threat, like an Edward Snowden or Private Manning. The finance sector, Zelvin said, is the major target because it’s “where the money is, and because it represents our country.” He added that the financial services sector is ahead of the rest of the country in terms of security, but encouraged the industry to increase information sharing with the government and other industries. Mary Galligan added that cyber threats force companies to look at three things: 1) what data really needs to be protected in the company; 2) how a company manages access to its systems, including third party access; and 3) how a company monitors itself for possible inside threats.

Managing Cybersecurity Risks and Executive Roles 

Andy Roth said that security methods have moved to a continuously monitoring, multi-layered approach. “Vulnerabilities stem from business processes,” Roth said, an example being when data is sent to a third party vendor. Roth went on to endorse the multi-stakeholder approach like the one the National Institute of Standards and Technology (NIST) Framework sets out. Galligan added that executives have to know what questions to ask first, such as “how do I know what data is leaving my company, and how?” This includes inside threats and sending out packets of data to third parties. Secondly, executives must ask if their company has a cyber incident response plan, whether it is up to date, and whether they practice it as a company. Galligan also said executives have to create a culture where cybersecurity “starts at the keyboard” and “starts with every employee.” Adam Sedgewick added that a major problem for executives is communicating to them accurately what is going on and what needs to be done.

Preparedness 

Amir-Mokri said the Treasury helps in preparedness by facilitating information sharing and coordinating between companies and government agencies, such as the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). Amir-Mokri also said, in terms of readiness, the financial services sector is one of the most advanced in its thinking on cybersecurity, but warned that there can never be perfect preparedness, because of a possible “zero day exploit,” which is an attack that occurs between the time a vulnerability in a system’s security is found and a patch is created to fix it. Zelvin likened preparedness to car safety, saying even though we now have air bags, seat belts, and other safety improvements, people still can die in a car crash. Cybersecurity, he said, is still in its “pre-airbag days.”

NIST Framework 

Sedgewick gave a brief rundown of the Framework, describing it in three pieces: 1) the core, which presents the standards and creates the structure of cybersecurity that allows for innovation; 2) the profile, which helps organizations grow their cybersecurity programs over time; and 3) the implementation tiers, which help organizations assess where their programs are now and how to get where they need to be. Zelvin added, with regard to information sharing, that the Financial Services – Information Sharing and Analysis Center (FSISAC) and the government have one of the best information sharing partnerships he has seen. Ortiz stated that the Framework has helped especially in internal discussions.

Information Sharing 

Schwartz stated that they are trying to identify all barriers to the various pathways of information sharing: private sector to private sector; private sector to government; and government to government. Schwartz also stated that because legislative action on the issue seems very unlikely, the President’s administration is looking at what barriers can be taken down using Executive actions. Roth said that one of the biggest challenges he sees is information asymmetry, where one side has more information than the other, and right now “the bad guys are much better at sharing information.”

Panel 2: Public Company Disclosure

The second panel focused on public company disclosure and was moderated by Keith Higgins, Director, Division of Corporation Finance at the SEC. The panelists included: Roberta Karmel, Centennial Professor of Law and Co-Director of the Center for the Study of International Business Law at Brooklyn Law School; Douglas Meal, Partner with Ropes and Gray; Jonas Kron, Senior Vice President and Trillium’s Director of Shareholder Advocacy; David Burg, Partner with PwC; Leslie Thornton, Vice President and General Counsel with WGL Holdings Inc. and Washington Gas; and Peter Beshar, Executive Vice President and General Counsel of Marsh & McLennan Companies.

Thornton opened the discussion by saying that the overall disclosure framework has evolved into a major issue today. She contended that the cybersecurity landscape has changed in the last three years as demonstrated by President Obama’s Executive Order, attempts by Congress to pass legislation, and inquiry letters by state attorneys general. The financial services industry is asking what’s important and cyber should be way higher on the industry’s priorities list than it has been so far, she added.

Beshar commented that clearly the government has been in front of private industries in efforts to identify risks. He added that boards of directors are far more in tune with the risk now and the private sector is responding with speed in the form of taking up cyber insurance. Brooks stated that the government’s requirements have created a demand for the financial industry to carry cyber insurance. He noted that guidance and comment letters from the last year have suggested that private companies should disclose risks that are nonmaterial. According to Brooks, “The inherent flexibility of NIST framework is a good thing, including government, non-profits, and private companies, which need to coordinate to comply.” Higgins asked Beshar whether underwriting risk is helpful for measuring it. Beshar responded that underwriting risk does aid in the process of assessing risk in relation to the NIST standards.

Burg added that he has seen an upward trend in the level of involvement where board members are acutely aware of their exposure to a cybersecurity threat.

Meal said that cybersecurity issues catch a board’s attention when they are attacked. In his opinion, a tremendous disincentive exists for information to become public because of class action suits and consumer protection regulators.

Jonas argued that in this social networking society “there tends to be an over collection of information and having a level of disclosure around companies that take in personal information from consumers would be helpful.” He said that new media companies and retail companies that share a tremendous amount of information are innovative, but have risk associated with this collection of data.

Higgins inquired about what level of disclosure private companies should provide and what best practices might look like.

Karmel responded that the level of disclosure for private companies depends on the nature of the business. For example, Karmel said, “A very large international financial institution might want someone on the board with that expertise. On the other hand, there are a lot of issues that boards have to think about.” Ultimately, Karmel argued that the level of disclosure should be determined from company to company.

Similarly, Burg said that the level of disclosure depends on the company, and said 86 percent of CEOs view technology as an enabler of innovation, while 70 percent of CEOs express concerns about cybersecurity. Burg said, “We cannot underestimate the sophistication of the attacks.”

Higgins asked what information companies are disclosing and whether or not lessons have been learned. Jonas stated, “there is a balance point that is reached.” Meal added that standards exist and many of the companies that suffered a breach have been fully compliant, which is a problem. Karmel explained that bank examiners monitor whether or not the banks are in compliance, but companies should take these cyber threats seriously. She noted that the government is helping these companies to overcome these challenges.

SEC Chair Mary Jo White asked if the panelists could elaborate on what the triggers are for material cyber threats. Douglas contended that state laws drive disclosures and that the breaches you hear about have a much lower level of disclosure.

SEC Commissioner Kara Stein asked if some type of minimum standards are needed for the financial services industry, or how the government and private companies could be dynamic in developing them. Beshar stated that the SEC and staff have really struck the right balance and given private companies different data points. Karmel said that when the SEC receives legislative mandates it just adds to the length of disclosure documents without being helpful to investors. Karmel suggested that the SEC shouldn’t go overboard in the other direction with guidance, and said the 2011 guidance was good but seems to be boilerplate and could be refined.

Panel 3: Market Systems

The third panel, which focused on market systems, included panelists: Mark G. Clancy, Managing Director and Corporate Information Security Officer, The Depository Trust and Clearing Corporation (DTCC); Mark Graff, Chief Information Security Officer, NASDAQ OMX; Todd Furney, Vice President, Systems Security, Chicago Board Options Exchange; Katheryn Rosen, Deputy Assistant Secretary, Office of Financial Institutions Policy, Department of the Treasury; Thomas Sinnott, Managing Director, Global Information Security, CME Group; and Aaron Weissenfluh, Chief Information Security Officer, BATS Global Markets, Inc.

Common Threats 

Katheryn Rosen said “one of the most important things we need to do to combat threats is share information.” This involves the various avenues of information sharing, she said: private firm to private firm, government to private firm, and government to government. She also suggested that to further increase information sharing, private sector employees are going to need security clearances. Mark Clancy stated the four groups of actors they see are criminals, hacktivists, war-like actors, and espionage actors from other nation states. Clancy also stated that they see much less activity coming from the criminal area than from the other three groups.

Threat Modeling 

All panelists gave updates on what their company is doing to prepare for and prevent a cyber attack. Aaron Weissenfluh said that BATS Global Markets is doing a large amount of threat modeling, using information from the government and putting together exercises to find vulnerabilities in their system. Mark Clancy and Thomas Sinnott both stated that the issue is such a big concern now that it involves a combination of internal resources and seeking assistance from outside companies.

Internal Threat Prevention 

Weissenfluh commented on his company’s hiring practices which involve applicants meeting with employees at all levels, up to C-level executives. Mark Graff stated that it is no longer enough to simply vet one’s own employees. Graff warned that steps have to be taken to defend against third party vendors who access their network. Clancy expanded on the topic saying they have seen external threats trying to become like an insider threat, who knows how the company works, including its rules and systems.

Information Sharing 

Clancy explained that the problem with sharing information with clients too quickly is that “the sooner you notify them, the less sure you are of the facts, as things change.” Rosen said communication between private sector firms and then back to the government is critical. “[Treasury] can act as a clearing house and we may see something going on outside the industry,” she added. Todd Furney commended the DHS and FBI for their work in sharing information with the industry, especially using in person briefs. Clancy described the success of FSISAC’s information sharing during a recent string of Distributed Denial of Service (DDoS) attacks.

Panel 4: Broker-Dealers, Investment Advisors, and Transfer Agents

The fourth panel discussion was moderated by David Grim, Deputy Director, Division of Investment Management; James Burns, Deputy Director, Division of Trading and Markets; and Andrew Bowden, Director, Office of Compliance Inspections and Examinations.

The discussion focused on what firms are currently doing in the area of cybersecurity, particularly in the area of identity theft and data protection, as well as the current/common cybersecurity risks within their respective industries. The panel included: John Denning, Senior Vice President, Operational Policy Integration, Development & Strategy, Bank of America/Merrill Lynch; Jimmie H. Lenz, Senior Vice President, Chief Risk and Credit Officer, Wells Fargo Advisors, LLC; Mark R. Manley, Senior Vice President, Deputy General Counsel and Chief Compliance Officer, AllianceBernstein L.P.; Marcus Prendergast, Director and Corporate Information Security Officer, ITG; Karl Schimmeck, Managing Director, Financial Services Operations, SIFMA; Daniel M. Sibears, Executive Vice President, Regulatory Operations/Shared Services, FINRA; John Reed Stark, Stroz Friedberg; Craig Thomas, Chief Information Security Officer, Computershare; and David G. Tittsworth, Executive Director and Executive Vice President, Investment Adviser Association.

Sibears facilitated an interactive discussion focusing on cybersecurity risks faced by broker-dealers, investment advisers, and transfer agents. According to Sibears, the three key areas that firms are reporting on include operational risk, insider risk by employees, and hackers penetrating their systems.

From Tittsworth’s perspective, the risk categories vary across wealth management and traditional investment counsel types of activities. In his opinion, account takeover is the number one risk, and he said the worst kind of risk is a rogue employee.

Schimmeck said threat actors are: becoming more sophisticated; gaining strength; practicing information sharing to figure out what’s working well; and are much more advanced now. Schimmeck stated that financial institutions are actively working these issues by spending millions of dollars to improve their systems, and dedicating resources to manage this risk for the firm and their clients as threats continue to evolve. In Schimmeck’s view, fraud has previously been a big issue for the industry on the criminal side but said, “now we see a move from fraud and theft to disruption of the markets.” From a public standpoint, Schimmeck pointed to concerns about the trust and confidence needed for markets to operate. He argued, “The risk is the limited resources of time, money, or skill set. We need to focus on systemic risk and put protections in place.” He said proper cyber risk processes and practices are not something you can regulate, but that they have to be actively managed over time within the proper corporate culture.

Stark added that it takes time to do internal investigations where there are multiple constituencies in play, such as the FBI, attorneys general, company’s board, audit committee, customers, shareholders, and disclosure obligations.

Manley responded that cybersecurity is no longer an IT problem. For asset managers, Manley recommended that cybersecurity has to be a central business imperative and said that email is a consumer driven risk.

Denning stated that within the broad spectrum of threats in the industry, the greatest risk is “zero day malware” that is blended with more of the mundane threats. Denning finds challenges with robust information sharing mechanisms and expressed a need to speed up the time of threat identification to update countermeasures in a time efficient way. Denning argued that the goal is early warning and that sharing best practices is one of the only ways to reduce risk.

Prendergast warned that the greatest risk in cybersecurity is simply keeping current or ahead of the adversaries.

Lenz said that his company is putting things in place right now with 18- and 24-month timeframes. He explained, “While we may not understand what we have been hit with, we can at least understand what is available.”

Bowden then asked about the risks across medium and small size systems.

Tittsworth responded that 88 percent of SEC registered investment advisors have 58 or fewer employees. He reminded the SEC and audience that typically those smaller firms do not have as many resources as larger firms. Tittsworth expressed that convening the roundtable is helpful and that awareness is the first step before firms do anything. He said, “there might be opportunities to work together to make sure that the smaller firms don’t fall behind, but threats are different.”

Denning said the financial services sector sees cybersecurity as a team issue or “one fight.” In his words, “an early warning can make the difference between having a minor problem and a critical problem.”

Schimmeck said the industry is not waiting for something to happen. He continued, “They are taking a look at what can be automated, what can be done machine to machine. Large firms are building a threat automation program and making it available free to smaller firms. This is a corporate issue and everyone’s responsibility through the firm. Information sharing needs to be part of the culture and core competency of the firm.”

Denning said the industry should aim to collectively receive and defend information, adding that “the more agile you are as a team, the better off you are to actually defend.”

In conclusion, Bowden asked what lessons learned can be shared. Stark said if you share the particulars of a data breach you give a roadmap for how to do it in the future. He hoped the SEC will be judicious in enforcement. Prendergast simply stated, “Any rules that would be potentially taken would be out of date by the time they are implemented.” Schimmeck pointed to the NIST framework as a lesson to be shared because it “focuses on outcomes and has a partnership to provide information and context to point the mission in the right direction.”
