The mounting danger of data breaches and online crime threatens firms with financial disaster unless they become more cyber-resilient, says one cyber security and technology risk expert.
Becoming cyber-resilient can be the difference between successfully containing a threat and financial disaster, PricewaterhouseCoopers's technology risk practice leader Stephen Russell told attendees at a cybersecurity conference in New York held by FINRA and SIFMA.
At the conference, Russell and other speakers pointed out that there are two types of firms: those that have been hacked and have dealt with the situation, and companies that are hacked but don't even know it yet.
"There is now wide recognition that financial services organizations will continue to be a prime target for cyberattacks," he said. "Given this reality, we must act now before it is too late."
The average cost of a cyber incident in 2014 was $22 million, including containment, cleanup and remediation, Russell said. And according to a newly released report from the SEC, 88% of broker-dealers and 74% of RIAs say they have been targeted by cybercriminals. Worse, the damage can extend beyond the financial into reputational losses.
"Public confidence in the financial services industry is in jeopardy as cyberattacks increase," Russell said.
Russell suggested six key steps to become more resilient against cyberattacks.
First, firms should establish cyber-risk governance and oversight so that executive management and technology officers and experts are involved at each level.
"Ultimately the goal is to make sure that cyber risks are managed like other business risk management issues," he said.
Second, firms need to understand their electronic defense perimeter.
"I cannot stress enough the need to understand the cyber organization boundary," Russell said, referring to the massive data breach that hit Target in 2013. "In [that] case, the entry point of attack was a vendor. So it's critical to understand your perimeter. Any weakness in your perimeter is a vulnerability."
Russell suggests firms examine where critical data resides and with whom it is being shared. Data is increasingly moving across devices and among more parties, he said, including customers, third parties and fourth parties.
"With the onset of cloud computing and mobile device usage, financial services organizations find themselves defending a perimeter that is no longer visible and no longer exclusively under their control," he said.
Russell's third and fourth points are related: identifying critical business processes and related assets and understanding how to assess and manage business risks. "It is essential to understand which business assets, if compromised, would cause significant harm," he said.
This includes recognizing facilities that house critical systems and data. It is necessary to provide adequate protection to these assets, he said, and to also ensure mitigation efforts are aligned to a specific set of business risks.
Fifth, Russell emphasized the importance of improving data collection and analysis and the reporting of cyberthreats. Financial firms have complex structures that complicate this process, Russell said. But cyber-risk operations teams should regularly analyze data and provide management with the information needed to make informed risk-based decisions.
Finally, firms need to have playbooks on hand for responding to data breaches. Devising threat scenarios, developing response plans and putting resources in place prior to an attack can be the difference between a successful response and disaster. And above all, rehearse your response plan, Russell said, so that everyone will be familiar with their role in the event of a breach.
"If it is revealed that you were poorly informed, then it can be very damaging to your reputation and shareholder value," he said. "The last thing any organization needs is to be seen scrambling in response to a cyberattack in the eyes of the media and customers."
CALL THE FBI
Another keynote speaker at the event was FBI Special Agent Leo Taddeo, who oversees the bureau's cyber and special operations division. His message to attendees: financial services firms need to work more closely with law enforcement.
"Most businesses don't call law enforcement unless they have to," Taddeo said, noting that some refrained from seeking assistance because of privacy concerns.
Taddeo asked attendees to imagine living in a neighborhood in which burglary was rampant, yet few victims reported crimes. "How fast do you think law enforcement will be able to resolve the problem?"
The challenges increase as cyberattacks become more widespread and sophisticated, he said. Reporting incidents helps law enforcement to better understand the motives of perpetrators and their methods of attack.
"What do you get when you call us?" he asked. "We have dedicated response teams composed of computer scientists, lawyers, analysts and FBI agents."
Lawyers especially can bring value to financial services firms, helping to work through legal issues such as privacy concerns, Taddeo said. He also said that financial services firms should not worry that an FBI investigation into a data breach would put them out of business. "I want to dispel a myth that if you call the FBI you'll soon have agents putting crime scene tape around your offices," he said.
Taddeo added that the bureau will explain what its agents need and ask for it, noting that it is rare for FBI computer scientists to operate on a firm's network. He noted that the bureau does use subpoenas sometimes, but not in most cases.
There is still room for improvement in terms of how prepared firms are for a cybersecurity incident, he said.
"Many network operators don't have an accurate idea what their network looks like, what's connected to what, and what software is on their system," he said.
Too often key members of a firm aren't aware of their responsibilities, or those of relevant third parties such as vendors or outside legal counsel. Taddeo said that it's necessary to work out roles and responsibilities before an attack occurs.
"You don't want to meet your team on game day," he said.