Implementing change, though, will be hard.
The financial industry faces myriad challenges to achieve sustained profitability and system stability. Currently, financial industry experts and government regulators are particularly focused on the critical importance of cybersecurity. Cyber threats are analogous to terrorist threats to infrastructure systems critical to society, such as public utilities, transportation systems and communications networks. These threats are real, ongoing and potentially devastating. Cyber attacks on the financial system are becoming more frequent and more sophisticated, better financed and, consequently, more damaging. Moreover, while globalization of the financial system offers new markets, it also exposes communications infrastructures to threats from all over the world.
While large banks certainly continue to be at risk, they are hardly alone. The Office of the Comptroller of the Currency has confirmed that smaller regional and community banks are increasingly being targeted. That concern prompted President Obama to issue an executive order this year directing the National Institute of Standards and Technology to develop a framework for reducing cyber risk to critical national infrastructure, the financial system included. His order also established a policy on sharing of cybersecurity information, sought to identify the areas of infrastructure most at risk, and called for a voluntary cybersecurity program built on that framework.
That order was issued because of the continuing inability of industry experts and government to agree on the specifics of cybersecurity legislation that could balance the need for information and the interests of national security against privacy rights and liability for security breaches. Industry, governmental and consumer constituencies still have not been able to agree on legislation to address the complicated issues involved.
Further complicating this process has been the furor caused over the National Security Agency’s PRISM program, a clandestine mass electronic surveillance data-mining operation. Under PRISM, private-sector entities have been sending massive amounts of private customer information to governmental agencies, as required by the Foreign Intelligence Surveillance Act. Recent disclosure of PRISM has caused debate to rage not only in Congress, but throughout the world as to whether the “cure” for cyber threats could be more dangerous than the threats themselves. While the correct solution may remain unknown, doing nothing is certainly not an option for the financial-services industry.
The U.S. Federal Financial Institutions Examination Council (which includes, among others, the FDIC, OCC, Federal Reserve, NCUA and the CFPB), recognizing the need to be proactive, proposed guidelines and regulations for regulated entities operating in the financial-services industry. In June, the council established a “working group” to promote coordination across the federal and state banking agencies on issues related to critical infrastructures. It highlighted risks associated with customer and bank privacy breaches and various cyber fraud risks, such as data manipulation, financial theft, and confidential data theft—all of which can have devastating consequences.
The council recognized that, along with the financial and reputational harm from service shutdowns, reduced revenue, liability and customer loss, there are potentially staggering expenses and legal consequences from regulatory actions and from lawsuits by shareholders and customers.
In July, the Securities Industry and Financial Markets Association conducted an exercise called “Quantum Dawn 2,” a cybersecurity exercise simulating a large-scale attack on the financial industry’s information systems and online sites. More than 500 individuals from some 50 governmental agencies and financial services organizations participated. Their goal was to assess security coordination and decision-making by allowing participants to run through their crisis-response procedures, practice information sharing and refine protocols for responding to a systemic cyber attack.
“Distributed denial of service” attacks were considered, whereby numerous remote systems flood a single target with traffic, consuming its bandwidth or server capacity so that authorized users cannot get through. Such an attack does not breach the firewall; it paralyzes the service from outside, and because the traffic arrives from many sources at once, blocking any one of them does little. Also explored were espionage and sabotage threats, whereby the attacker infiltrates the target’s network with a “spear-phishing” e-mail directed at a real employee, who unwittingly opens a malicious attachment and gives the attacker a foothold from which the rest of the network can be reached.
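The volumetric pattern described above is visible in ordinary web-server logs, which is where a bank’s operations team would first see it. The following is an added illustration, not material from the article or from SIFMA’s exercise: a small detector that reads access-log lines in Common Log Format, groups them into fixed time windows, and labels a window as a “single-source burst” (one address hammering the site, which a rate limit or block can handle) or a “distributed flood” (the same volume spread across many addresses, where no single source stands out and upstream filtering is needed). The log lines are constructed for the example using reserved documentation IP ranges, and the window size, rate multiplier and source-count threshold are assumed values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Common Log Format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_line(line):
    """Parse one CLF access-log line into a dict; return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "req": m.group("req"),
            "status": int(m.group("status"))}


def window_stats(events, window_seconds=10):
    """Bucket events into fixed windows -> {window_start_epoch: (requests, distinct_ips)}."""
    counts = defaultdict(int)
    sources = defaultdict(set)
    for e in events:
        key = int(e["ts"].timestamp()) // window_seconds * window_seconds
        counts[key] += 1
        sources[key].add(e["ip"])
    return {k: (counts[k], len(sources[k])) for k in counts}


def flag_flood_windows(lines, window_seconds=10, rate_multiplier=10, min_sources=20):
    """Label windows whose request count exceeds rate_multiplier times the median
    window count. Fewer than min_sources distinct addresses -> 'single-source
    burst'; min_sources or more -> 'distributed flood'. Thresholds are assumed."""
    events = [e for e in map(parse_line, lines) if e is not None]
    stats = window_stats(events, window_seconds)
    if not stats:
        return {}
    ordered = sorted(c for c, _ in stats.values())
    median = ordered[len(ordered) // 2]
    labels = {}
    for start, (count, n_sources) in sorted(stats.items()):
        if count <= rate_multiplier * median:
            continue
        labels[start] = ("distributed flood" if n_sources >= min_sources
                         else "single-source burst")
    return labels


def _clf(ip, ts, path):
    return f'{ip} - - [{ts.strftime("%d/%b/%Y:%H:%M:%S %z")}] "GET {path} HTTP/1.1" 200 512'


def build_sample_log():
    """Constructed sample traffic (documentation IP ranges, not real hosts)."""
    base = datetime(2013, 7, 18, 9, 0, 0, tzinfo=timezone.utc)
    lines = []
    # 0-59 s: three legitimate clients, one request roughly every 4 s
    for i in range(15):
        lines.append(_clf(f"198.51.100.{10 + i % 3}",
                          base + timedelta(seconds=4 * i), "/account"))
    # 60-69 s: one host hits the login page 150 times
    for i in range(150):
        lines.append(_clf("203.0.113.7",
                          base + timedelta(seconds=60 + i % 10), "/login"))
    # 120-129 s: 200 requests spread across 100 different addresses
    for i in range(200):
        lines.append(_clf(f"192.0.2.{1 + i % 100}",
                          base + timedelta(seconds=120 + i % 10), "/login"))
    lines.append("this line is not an access-log entry")  # skipped by parse_line
    return lines


if __name__ == "__main__":
    for start, label in flag_flood_windows(build_sample_log()).items():
        print(datetime.fromtimestamp(start, timezone.utc).isoformat(), label)
```

The baseline is the median window count over the whole input, so the detector needs a stretch of normal traffic in the same log; if most windows are already under attack the median rises and the flood looks like the new normal, which is why production detectors keep a rolling baseline from before the incident.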
Valuable lessons were learned, but the challenges ahead are enormous. Unprecedented cooperation from both governments and the private sector will be required to find a well-reasoned, aggressive and comprehensive response.
Banking security has grown beyond brick-and-mortar buildings, steel vaults and guards in the lobby. Today’s technology-driven financial system requires immediate design and use of new protections against the growing threat of cyber terrorism to protect operations, preserve capital and maintain the trust of customers in this digital age.