As financial advisors face mounting scrutiny from regulators over their cybersecurity systems, the White House is calling for policies that will make it easier for businesses to share information on new and emerging threats.
On Friday, President Obama addressed the issue at a summit at Stanford University, where he signed an executive order encouraging greater information sharing across the private sector, and between government and business.
"This has to be a shared mission," Obama says. "So much of our computer networks and critical infrastructure are in the private sector, which means government cannot do this alone. But the fact is the private sector can't do it alone, either, because it's government that often has the latest information on new threats. There's only one way to defend America from these cyberthreats, and that is through government and industry working together, sharing appropriate information, as true partners."
SHARING THREAT DATA
With Friday's executive order, the White House is urging the private sector to establish voluntary but formal mechanisms for sharing information about cyberthreats, along the lines of the Financial Services Information Sharing and Analysis Center, a global forum that compiles data about threats facing companies in that sector.
Earlier this week, the administration announced plans to set up a new intelligence bureau for overseeing threat data within the government. The Cyber Threat Intelligence Integration Center, modeled after the National Counterterrorism Center and organized under the Director of National Intelligence, would be charged with coordinating and disseminating the various threat assessments that individual agencies produce.
Obama spoke at a day-long cybersecurity summit that follows closely on high-profile data breaches at Sony Pictures and, more recently, Anthem, one of the nation's largest health insurance providers.
That event also comes on the heels of fresh warnings from the SEC and FINRA, which recently announced the first round of findings from an ongoing series of sweep exams the regulators had been conducting to evaluate the security policies and procedures in place at RIA and broker-dealer firms.
The push for greater information sharing from the highest levels of government addresses, at least in part, what some observers had seen as a conspicuous absence in the SEC's published findings.
"We'd like to see some sort of information sharing facilitated so that advisors can share information on threats and be better prepared," Laura Grossman, assistant general counsel at the Investment Adviser Association, told Financial Planning when the SEC announced the results of its cybersecurity sweep.
BEYOND NATIONAL SECURITY
Along with the executive order, Obama and senior members of the administration renewed their calls on Congress to enact legislation that would address various aspects of the cyber challenge, including a nationwide protocol for notifying consumers in the event of a breach, and provisions that would protect companies that do share security information from legal liability.
"This is not and should not be a partisan issue," says Lisa Monaco, assistant to the president for homeland security and counterterrorism.
The administration takes pains to frame cybersecurity issues as a broad concern that goes beyond the obvious national security implications. In addition to worries over threats from terrorists, so-called "hacktivists" and state-sponsored agents, sophisticated criminal gangs routinely raid commercial systems in search of consumers' financial data or other information they might be able to use in identity theft schemes.
"In addition to being a major national security issue, cybersecurity is just as important to the future and health of our economy," says Jeffrey Zients, director of the U.S. National Economic Council. "When we don't get it right, cybersecurity can be a drag on our economy. It raises the cost of doing business."
Zients notes that those costs come in a variety of forms, including the challenges associated with responding to a data breach, lost intellectual property, or the less tangible but all-too-real loss of potential business associated with the reputational hit a firm can suffer when it gets hacked.
SMALL FIRMS AT RISK
Security experts stress that even as big-name firms like Sony Pictures, Target and Home Depot have commanded the headlines with recent high-profile breaches, hackers are going after smaller operations, as well.
"It's the same threats that are hitting large companies and small companies," says Mark McLaughlin, president and CEO of the security firm Palo Alto Networks.
"If a small company believes that it's not under attack just because it's not large like these other companies, that's a mistaken presumption. They really need to do things to protect themselves with technology, people and process, and that's becoming evident," he adds. "Now this is where something like information sharing is very, very powerful for smaller companies because they'll be able to bring to bear the resources some of the larger companies can. But when we all work together -- large companies, small companies, public, private, all the information sharing we're talking about -- a lot of that benefit's going to go down to the small companies."
That may be particularly true in the advisory industry, where small shops often can't field a dedicated IT staff, let alone one that's primarily focused on security. Compliance experts suggest that small firms outsource some of their security operations to dedicated professionals who may be in a better position to stay on top of an ever-changing set of threats.
"This is a tough nut for every financial services firm out there. These cybercriminals are constantly coming up with new ways to steal money," Paul Tolley, chief compliance officer at Commonwealth, said in a recent interview.
"We are constantly trying to stay one step ahead of these cybercriminals," Tolley adds. "It's tough -- it just takes one substantial breach to cause serious damage."