A note on Cybersecurity Awareness Month

A large-scale cyber attack is one of the most serious threats facing the financial system and the broader U.S. economy. While the probability of such an attack may be low, the impact would be quite large and is not to be ignored. October is Cybersecurity Awareness Month and a good time to take stock of what’s being done and could be done to enhance the financial services industry’s ability to prepare for, respond to and recover from a systemic attack that could impact consumers across the country. 

From criminals seeking financial gain, to nation states committing corporate espionage, to cyber terrorists seeking to dislocate markets and destroy confidence, cyber threat actors are becoming more sophisticated, making cybersecurity an area of risk that must be actively managed by firms similar to all other areas of risk. An active partnership between the industry and government grounded in robust information sharing is widely recognized as the most effective way to help mitigate these threats.  

{mosads}One of the most immediate ways to enhance the collective cyber defense effort is for Congress to take action on bipartisan information sharing legislation that is pending in the Senate. The Cybersecurity Information Sharing Act, or CISA, has the potential to remove roadblocks to information sharing and enable the industry to better protect our systems and data as well as the privacy of our customers. As the Senate considers the plethora of amendments that have been suggested in recent months, it’s important that the underpinning goals of the legislation not be undermined. 

Of course, legislation is not a panacea for addressing cyber threats. For our part, the industry is dedicating tremendous resources to protect the integrity of the markets and its millions of consumers, and this job is never done. It’s important that everyone understand cyber preparedness is more than just defense.  Firms, the industry broadly and our government partners are developing and testing protocols for recovery and response as we can never be certain, nor should we assume, that all attacks can be detected and stopped.  SIFMA is working our members on a variety of initiatives aimed at enhancing readiness, response and recovery.  

One important example is the work we are doing to better assess the cybersecurity controls that are in place at third-party solution providers to ensure risks are addressed and mitigated. Firms have a regulatory obligation to rigorously vet their partners’ cybersecurity capabilities, and we think this work can be enhanced and streamlined by the use of an industry-wide standard centered on the AICPA SOC2 and the NIST Cybersecurity Framework. The voluntary standards proposed for all businesses by the National Institute of Standards and Technology provide an excellent foundation for communicating and mitigating cybersecurity risks.

SIFMA is also regularly holding exercises and tests to help our membership continuously refine member and sector playbooks for addressing systemic cyber threats. Just last month, we held the Quantum Dawn 3 cybersecurity exercise, which enabled financial institutions to practice how they would coordinate with key industry and government partners to maintain equity market operations in the event of a systemic attack, in this case one that interrupted the overnight clearing and settlement process within the equity markets. Over 650 individuals participated from firms of different sizes and key government partners including the U.S. Department of the Treasury, Department of Homeland Security, Federal Bureau of Investigation, federal regulators and the Financial Services Information Sharing and Analysis Center (FS-ISAC). The key takeaway: information sharing is critical and allows firms to more quickly respond to and mitigate an attack. We are working with Deloitte on a report that will further distill key takeaways and best practices for addressing cyber threats moving forward. 

This is just a small sample of the work the industry is doing through SIFMA and other industry organizations to help protect firms and clients. Other initiatives we have focused on include the development of best practices for managing insider threats, guidance for smaller firms with fewer resources, protocols for coordination regarding market closing and opening in the event of a major crisis, and principles for effective regulatory guidance.

Indeed, another key piece of the puzzle is the important role that regulators play in cybersecurity. Coordinated regulatory guidance can promote effective business practices and help protect consumers. As various regulators consider cybersecurity guidance – and essentially work to address the same issue – coordination will be key to avoid duplicative or contradictory guidance or rules that could disrupt market operations. SIFMA has developed a set of principles for coordinated regulatory guidance that we believe will strengthen the collective cyber defense and recovery effort.

And that’s just it: this is a collective effort. The industry, policymakers, regulators and consumers all share the same goals and incentives to mitigate cyber threats and protect the integrity of our nation – during October and every other month of the year.

Bentsen is president and CEO of SIFMA.