US Treasury Secretary Jacob Lew has called on the financial sector to step up its efforts to protect its critical infrastructure and consumer privacy from the risk of cyber-attacks.
The Internet has revolutionized the way the banking sector does business – from receiving bank deposits and opening new accounts to accepting bill payments and trading stock. However, this transformation, while spawning incredible ways of industry growth, is also giving rise to new threats.
The challenge for banks and other financial institutions is to fortify their defense against these cyber threats. It will be a central test for the industry going forward.
Lew used his keynote speech at the Delivering Alpha Conference hosted by CNBC and Institutional Investor to issue strongly-worded remarks on cyber-incursions, in particular the sophistication, intensity, and frequency of malicious attacks devised by non-state and state adversaries.
He said that the cyber threats to the financial system compromise the integrity of data, jeopardize market confidence, and pose a serious threat to financial stability.
“The consequences of cyber incidents are serious,” Lew informed the audience. “When credit card data is stolen, it disturbs lives and damages consumer confidence. When trade secrets are robbed, it undercuts America’s businesses and undermines US competitiveness.”
He also mentioned regulators, including FINRA and the SEC (Securities and Exchange Commission), in warning the financial sector of the cyber threats pertaining to contractors, suppliers, and vendors. Lew noted that financial companies depend on several other industries to function, such as telecom, energy, and transportation, which are vulnerable to cyber risks themselves.
He gave the example of 250 DDoS attacks against US credit unions and banks since 2011. These attacks overwhelmed banking systems and forced websites to go offline. The US government assesses that DDoS attacks are a sophisticated threat intended to disrupt the financial system of the country.
The impact of those attacks on US banks penetrates core operational functions and represents a real threat to national and economic security. Hackers also took aim at the sector in September 2012, when several banking institutions were hit by DDoS attacks. Keith Alexander, then-National Security Agency General, warned that a foreign nation could use a cyber attack to cripple the US financial system.
“Cyberattacks on our financial system represent a real threat to our economic and national security, but a malicious cyber actor can cause catastrophic damage to our financial system without directly attacking a bank,” Lew said.
“Risks to the system can be found at the vendors, suppliers and contractors who keep our financial system running,” he added, referencing the billion information hack at Target last year. Attackers breached Target’s system through an air conditioning and heating contractor.
“Far too many hedge funds, asset managers, insurance providers, exchanges, financial market utilities, and banks should and could be doing more. Disclosing security breaches is often perceived as something that could harm a firm’s reputation. This has made many businesses reluctant to reveal information about cyber incidents,” Lew said.
At the moment, most of the technology to repel cyber attacks is modeled on pattern recognition tools that are becoming outdated. That is a major innovation gap, and a better approach would be to combine data-gathering efforts and pattern recognition technologies for a strategic view of rogue endpoints.
Also, the financial sector could strengthen its defense against cyber hacks through external monitoring and detection capabilities: without cross-industry and service provider cooperation, cyber threat detection and prevention efforts are likely going nowhere.
Lew also advised financial services institutions and the vendors serving them to use the framework document created by the Obama administration for strengthening financial sector cyber security and protecting critical infrastructure. He said that the federal government is making efforts to make classified threat information available to companies, and noted that the Department of the Treasury introduced a network called ‘Financial Sector Cyber Intelligence Group’ for the purpose of information analysis and sharing.
Cyber security is now more seriously delegated to IT departments; executive officers and boards of directors have to be more active in their firm’s cyber-risk prevention strategies. Among the cyber security responsibilities, they need to understand incident response plans, cyber security defenses, and the threat environment and response plan of the organization.
Lew echoed the chorus of administration officials asking Congress to pass a cyber security bill to bolster public-private sharing of information on cyber risks and to protect organizations from liability for sharing this type of information.
“As it stands, our laws do not do enough to foster information sharing and defend the public from digital threats,” argued Lew.