By Mark S. Nelson, J.D.
The House Financial Services Committee’s Subcommittee on Financial Institutions and Consumer Credit heard from representatives of the financial services industry today regarding cybersecurity preparedness. Subcommittee Chairman Randy Neugebauer (R-Tex) observed in his opening remarks that a few recent studies rank cybersecurity as a bigger threat to financial firms than overregulation or geopolitics, but he closed the hearing by noting the “good” intra-industry response to cyber threats. Ranking Member William "Lacy" Clay, Jr. (D-Mo) focused his remarks and questions on the escalating severity of recent cyberattacks.
Threat sharing gets faster. The hearing focused on threats, information sharing, and contingency planning. The house earlier this year passed two bills that would broadly re-configure the federal government’s cybersecurity response and extends some liability protections to private entities with corresponding privacy and civil liberties limits. The Senate has yet to act on similar legislation.
Chairman Neugebauer opened the question and answer session by asking about the benefits of new software called Soltra Edge. Gregory T. Garcia, testifying for the Financial Services Sector Coordinating Council, had explained in his prepared remarks that this software is a joint venture between the Financial Services Information Sharing and Analysis Center (FS-ISAC) and the Depository Trust and Clearing Corporation that allows for automated threat sharing within the financial services industry. In his live testimony, Garcia further explained that Soltra Edge employs two open specifications funded by the Department of Homeland Security to provide machine-to-machine sharing.
Worries linger on defensive abilities. Ranking Member Clay put the question directly: Can the financial services industry stop cyberattacks? According to Jason Healey, Senior Research Scholar, School of International and Policy Affairs at Columbia University, the ability to fend-off cyberattacks depends more on the target’s mindset. Healey said many financial firms work from a presumption of breach, which then enables them to focus on locating hackers within their systems. He said this presumption is a helpful starting point because a determined hacker can usually get into a target’s system.
Kenneth E. Bentsen, Jr., President and CEO of the Securities Industry and Financial Markets Association (SIFMA), likewise noted that there is “no impregnable defense” to cyberattacks, but it is important for financial firms to have the ability to recover afterwards. Bentsen also said SIFMA is trying to increase membership in the FS-ISAC, what he termed the industry’s “go-to resource.”
In response to a question by Rep. Robert Pittenger (R-N.C.) regarding the U.S. electric grid, Bentsen said a financial firm can function if Fedwire is down, but a power outage would be more challenging. Bentsen acknowledged that different economic sectors need to work towards the same goal of detecting and preventing cyberattacks.
Representative Stephen F. Lynch (D-Mass) asked in later questioning about the risk management side of cybersecurity. Healey replied that cybersecurity is different from the familiar risk modeling methods used in the financial services industry. In the case of cyber risk, Healey said it is hard to know where the risk is at the end of the day, unlike with value at risk calculations, which yield a single number representing potential loss.
Where the threats come from. Ranking Member Clay also asked panelists about the sources of cyberattacks, especially those from China, Russia, and North Korea. Healey said point-of-sale attacks are common, while insider abuse and espionage are less common. Russ Fitzgibbons, Executive Vice President and Chief Risk Officer at The Clearing House Payments Company, agreed that phishing is the most common form of cyberattack, and that defense is the key.
But Healey sounded a cautionary note about this time in history. He sees the confluence of Russia’s economic woes and the potential for the failure of nuclear arms talks with Iran as making this the “most dangerous moment” yet for cyber conflict. He explained that both countries have significant cyber capabilities and either one, if events were to turn against them, could deploy those capabilities. Healey urged the financial sector to take these potential risks seriously.