Cybersecurity Readiness

SIFMA Efforts Lead the Industry

In this episode of The SIFMA Podcast, SIFMA President & CEO Kenneth E. Bentsen, Jr. sits down with Tom Price, Managing Director, Operations Technology & BCP, and Tom Wagner, Managing Director, Financial Services Operations, for a discussion on the financial services industry’s cybersecurity efforts.

Cyberattacks didn’t stop during the pandemic. Rather, they increased. From WannaCry to SolarWinds, attacks have gotten bolder and their threat has grown higher. Here, we discuss how industry-wide efforts over the last decade have also evolved and grown to build effective cyber defenses.

Transcript

Edited for clarity

Ken Bentsen: Thank you for joining us for this episode in The SIFMA Podcast series. I’m Ken Bentsen, SIFMA’s president and CEO. And I’m pleased to be joined by two of my colleagues. Tom Price is Managing Director, Technology, Operations and Business Continuity. And Tom Wagner is Managing Director, Financial Service Operations.

They’re going to join me for a discussion on the financial services industry’s cybersecurity efforts. Tom Price, do you want to kick it off?

Tom Price: Yeah. Thanks, Ken. Throughout the financial services sector, cybersecurity is a top priority. SIFMA and our members are constantly working to improve our defenses and resiliency from cyber threats and to coordinate with all of the stakeholders to ensure industry-wide and public-sector collaboration.

Before Tom Wagner and I jump into some of the work we’re doing on that front, let’s talk briefly about why this is so important. I’ll turn it back to you, Ken. At the highest level, what are some of the things you hear from our members about cybersecurity preparedness in the industry?

Ken: Well, thanks for that, Tom. And again, thanks, both of you all, for being here. You know, cybersecurity is a top priority for the financial services industry. And everyone recognizes there are very serious consequences to not having strong cybersecurity protections in place.

This is really a C-suite priority. It’s certainly a SIFMA-board priority and has been for many, many years. Effective cyber defenses are essential to protecting customers’ information and assets and to ensure an efficient, reliable execution, settlement and payment of transactions and are a foundational requirement for maintaining public trust and confidence in the resilience of our financial markets.

As I noted, SIFMA-member firms are deeply committed to improving our sector’s cybersecurity resiliency and working with our government partners to protect the broader economy.

In today’s interconnected and digital world, the securities industry is focused on protecting our clients, their data, networks, operations from diverse cyber threats including theft, disruption and destruction. SIFMA and our members continue our really decades-long work on a robust cyber-resiliency training exercise and planning protocol.

Cyberattacks, you know, didn’t stop for COVID and, in fact, increased from WannaCry to SolarWinds. And to these increasingly bold ransomware attacks, the threat remains very, very high. And the industry’s work over the last decade has also evolved and grown.

And I believe that’s served the industry well, but the threat remains. And this is just very, very important work. So you know, Tom Price, you know, let me ask you, you know, clearly the consequences of being unprepared for a cyberattack could be detrimental to our industry which is why we continue to improve our defenses and coordinations across sectors.

And as I mentioned, for more than a decade, SIFMA has been involved in this including, for more than a decade, we’ve put together a series of biannual exercises called Quantum Dawn. Tom, maybe you can walk us through the evolution of the Quantum Dawn exercises, and tell us about some of the lessons learned and new practices that may have emerged from them.

Tom Price: Thanks, Ken. So since 2011, SIFMA has conducted a series of biannual industry-wide resiliency exercises covering physical threats, cybersecurity, terrorism and natural-disaster risks.

One of the key objectives for these exercises is to ensure financial firms, SIFMA and the U.S. government crisis and incident management playbooks are synchronized to aid in the rapid response and recovery efforts of the impacted institutions, third parties as well as the financial markets and the entire financial services ecosystem.

Quantum Dawn V, which we held in November of 2019, was our fifth such exercise and the industry’s first truly global exercise. It covered over 150 different financial firms, central banks, governments, regulators, trade associations, information-sharing bodies and law-enforcement agencies across 19 different countries.

One of the key objectives of our Quantum Dawn V exercise was to ensure that the sector had the network of contacts in place to respond to and recover from a global cyber event that has cross-border implications.

One outcome of the exercise was the development of a global directory with over 250 crisis-management professional contacts across the public and private sectors who would be called upon to manage a significant global cyber event.

As a continuation of this series, SIFMA will host our sixth Quantum Dawn exercise later this fall. As the threat landscape continues to change, for this exercise we’ll be testing industry preparedness during a global ransomware attack and ensuring financial firms have robust ransomware recovery plans in place.

Ken: That’s really important. These Quantum Dawn exercises, as you noted, have proven to be extremely helpful in bringing together different entities and fostering collaboration on solutions and communication in dealing with major threats. Tom Wagner, what are some of the other ways SIFMA and its members have coordinated on cybersecurity?

Tom Wagner: Thanks, Ken. So I would like to highlight the work we do on mitigating the insider threat and our development of global-penetration-testing guidance. So since 2011 at SIFMA, we’ve hosted quarterly insider-threat forums and developed best-practice guides really to help financial firms develop effective insider-threat programs.

And what we do in those forums is really, you know, identify, share best practices among peers in industry as well as with the U.S. government’s National Insider Threat Task Force. The guide also acts as a reference for regulators to better understand insider-threat capabilities and controls at financial institutions and, lastly, really helps financial firms benchmark and measure their insider-threat programs’ effectiveness.

SIFMA’s insider-threat best-practices guide — we first published it in 2014 and then updated again in 2020 really to reflect the changing insider-threat landscape. That includes advancements in use of behavioral analytics, data exfiltration techniques, the evolving privacy issues including restrictions on employee surveillance, use of automated decision making and profiling tools and also covers a lot of the legal and practical barriers to performing employee background checks and, most recently, the use of economic espionage used by state actors to recruit insiders.

Switching gears a little bit, as you know, penetration testing — it’s a simulated cyberattack against a firm’s cyber defenses. They check for exploitable vulnerabilities. Since 2017, SIFMA — we’ve been leading a global effort to work with financial firms, regulators around the world to really agree on a set of principles and a more collaborative approach to penetration testing.

This involved a heavy degree of global coordination and advocacy, which at the end of the day resulted in greater global harmonization and really helped shape the threat-led public- and private-sector penetration testing programs that exist today. And this was really a big win for the industry.

Ken: Yeah. Both Toms, as you note, you know — and we’ve heard this from our members often — cyber risk knows no borders. It really is a global risk.

You know, Tom Price, as you noted, coordination within the industry and among other entities, whether it be regulators, law enforcement or third parties, is critical. What steps does SIFMA take to help the industry collaborate on cybersecurity/cyber resiliency?

Tom Price: Thanks, Ken. SIFMA continues to work with member firms and industry partners to help identify and share cybersecurity best practices and threat intelligence with industry participants. We look to enhance our cyber defenses and conduct exercises and promote industry resiliency initiatives and respond to any and all regulatory mandates.

We are constantly working to improve cyber defenses, resiliency and recovery through massive monetary investments in technology and personnel, regular testing, best-practice development and industry tests including our annual business continuity and Reg SCI testing and, of course, as we previously mentioned, the Quantum Dawn series.

All of this preparedness and exercise work continues to underscore the fact that, while the industry as a whole and individual firms have robust cyber defenses and resiliency plans, no single actor — not the government or any individual firm — has the resources to protect the market from cyber threats on their own.

There is no competitive advantage to not sharing information on cyber issues. We are all in this together. Cyber incidents do not restrict themselves to one geographic region. And as Ken had mentioned, cyber threats and bad actors don’t recognize borders.

That’s why the communication aspect is essential. And we continually stress the need for information sharing to successfully combat cybercriminal activity.

So I wanted to perhaps pose a question to you, Ken. The financial services industry is already highly regulated. Ken, do you think there is a greater role for the U.S. regulators to play in cybersecurity?

Ken: That’s a great question. You’re absolutely right. The securities industry, the financial services industry broadly is among the most highly regulated industries in the United States. And furthermore, as you’ve noted, financial services is deemed a critical sector in terms of cyber resiliency by the government.

So as a result of that and all that’s already been discussed on this podcast, there’s a tremendous amount of work that has gone into developing cyber defenses and cyber resiliency within the industry in partnership often with our regulators.

And obviously, as you just pointed out, there’s no competitive advantage here. It’s a necessary investment that firms must make for their own benefit and, most importantly, for their clients’ benefit. So I think, as regulators think about whether or not they want to enhance regulation in cybersecurity, they should, first of all, take into consideration what this industry has already done as a critical sector.

And effective regulation should be risk-based, threat-informed and flexible to account for different business models and available resources because all the firms are different in different stages of — they have different business models, different businesses that they’re in, different levels of technology-based upon those business models.

Here in the United States and around the world, we’ve seen increased government interest in privacy protections, which are not without cause. There have been, we note, very many significant cyber breaches over the past several months such as SolarWinds, WannaCry and the Microsoft Exchange breaches.

And this only heightened the attention to these issues. We encourage U.S. regulators to continue to collaborate with the industry to understand the myriad of cybersecurity risks and what approaches have been working to mitigate those risks.

We also want to ensure that there is timely disclosure of any material breaches so that our member firms can take the appropriate steps to immediately mitigate any risk breaches may cause and properly safeguard their institutions, customers and investors.

And I would add, Tom and Tom, as we’ve often discussed, this includes the government themselves. And we know, to the extent we’re able to know, that they obviously are very focused on their own cyber resiliency.

But given the fact that our members are required to submit a tremendous amount of data to our regulators as part of their supervisory and examination mandates, which is appropriate, at the same time it’s incumbent upon our regulators to make sure, just like we have to make sure, that they are maintaining their resiliency on an evergreen basis and also making sure that they are telling the industry when their data — the data the industry has submitted to them — could be at risk because that ultimately would spill over to our members’ clients.

As we get to the end here, I want to ask both of you one last question. As long as our industry is in operation, there will always be threats. So where do we go from here? Where do you see our biggest future threats?

What do you think that we, as an industry, can do better to stay one step ahead of those who wish to cause harm? Maybe Tom Wagner, you want to start?

Tom Wagner: Sure, Ken. You know, it’s essential, obviously, that we continue our work across the industry on cybersecurity. Attacks become more advanced all the time. And you know, we really need to continue to coordinate, share best practices and really work together to keep our industry and, by extension, our clients safe.

Tom Price: Tom, let me add to that because you’re exactly right. This threat is continuing to evolve. And we need to be good 100 percent of the time whereas cybercriminals need to be good only one time. So I would like to add that we need to continually test our systems and our backups to ensure we have resiliency.

But we need to be sure that we have the critical components and effective cybersecurity strategy in place across the industry and, ideally, across the globe.

Ken: Yeah. Those are really important points. I mean, this is not a one-and-done, put together a playbook, put it on the shelf and pull it down when you need it.

To your point, as we discussed with the Quantum Dawn exercises and the annual exercises and the tabletops, etcetera, this is constant work, an evergreen process, one, ensuring that you’re finding out where the next threat is and, further, maintaining that muscle memory, if you will, to enhance your resiliency.

I want to thank you both for taking time to talk with me today and for our audience’s information and, again, reiterate this is a top priority for SIFMA and our members and for good reason.

SIFMA is actively engaged with the financial sector in industry-wide cybersecurity initiatives that protect our members’ clients and critical business infrastructure, improve data sharing between public and private entities and safeguard customer information.

We have and we will continue to have a relentless focus on making sure our clients are protected. So thank you for listening today for this discussion on SIFMA’s cybersecurity efforts. And to learn more about SIFMA and our work to promote effective and resilient capital markets, please visit us at www.SIFMA.org. And thank you.

Tom Price is Managing Director, Operations Technology & BCP for SIFMA. Mr. Price manages the group’s day-to-day operations and oversees the services it provides to member institutions.

Tom Wagner is Managing Director, Financial Services Operations for SIFMA. He is a recognized expert and innovative thought leader in the Cyber and Business Continuity Management space with over 25 years of experience as a management consultant and technology executive.

Kenneth E. Bentsen, Jr. is President and CEO of SIFMA. Mr. Bentsen is also the CEO of the Global Financial Markets Association (GFMA), SIFMA’s global affiliate.