Banks face brunt of cyber threat

Reinforcing oft-voiced warnings, Treasury Deputy Secretary Sarah Bloom Raskin issued a strong warning about the dangers of cybercrime in the interconnected world, particularly as it affects financial institutions.

Speaking before The Clearing House’s annual conference, Raskin said: “Malicious cyberactivity has been thrust—loudly and destructively—onto the fabric of finance, our economy, our country, and the world.”

She added that banks—“as the entry points and connecting nodes for the financial system as well as the holders of a treasure trove of high value customer data—are natural targets for bad actors.”

Both wholesale and retail payment systems also attract crooks’ attention, she said, because they are the rails on which modern money travels.

“The more interconnected financial institutions are—through payment systems or third-party vendors processing transactions, providing cloud-computing services, or operating mobile banking solutions—the more the financial sector as a whole runs the risk of contagion,” Raskin said.

Going beyond technology

Raskin emphasized that cybersecurity is more than a technological issue. Solving the challenge requires the resolve and actions of governments as well as private entities. She noted that Congress is reaching the final stages of cybersecurity legislation covering consumer protections, modernizing law enforcement tools, and promoting increased sharing of timely, actionable cyber threats.

She also noted that, internationally, members of the G-20 leaders meeting in Turkey committed to a set of norms, such as affirming that they will not engage in cyber-enabled theft of intellectual property, trade secrets, or confidential business information.

“The point here,” Raskin said, “is that this is not just a technological challenge. It is a challenge of changing human behavior, and it’s a challenge of changing governance and business and operational processes.”

Three challenges to bankers

To that end, she challenged the executives in attendance at the conference to do three things:

1. Build in your response. Ensure that cyberrisk is part of the bank’s risk management framework and cybersecurity is embedded into governance, control, and risk management systems.

Embedding cybersecurity into business processes and activities, control structures, and cultures can measurably increase the cybersecurity posture of banks. When this occurs, cybersecurity will become part of the firm’s genetic code.

2. Engage in basic cyber hygiene. Raskin said these are the essential practices that bolster the security and resilience of computer networks and systems. Experts estimate that these are essential practices that can prevent up to 80% of all known incidents.

3. Be prepared like a Boy Scout. Each bank should prepare a response and recovery playbook for significant cyber incidents. This playbook should be well-thought out and routinely tested; tested internally all the way up to the board and externally through exercises with the financial sector and the government. At a minimum, the playbook should describe who does what, when, and reports to whom when a cyber incident happens.

The playbook should also cover topics such as when to call law enforcement, when to get executive management and the board involved, and when to notify customers, clients, and business partners. Update the playbook regularly to reflect the changing nature of cyber threats to the bank.

[Editor’s note: FS-ISAC recently issued an advisory to banks to consult when fortifying their cybersecurity playbooks.]

In summary, Raskin said: “I liken cybersecurity and resiliency to a journey into a new frontier. I am convinced that there are neither shortcuts, nor easy ways out as we move toward the new frontier. And it seems that we are at the beginning, not the end of our journey. There are challenges and obstacles ahead even though we have already accomplished quite a bit.

“It’s when the risk and tasks posed by cybersecurity seem the greatest, that I’m reminded of the surpassing necessity of a well-functioning financial sector and a resilient financial infrastructure that works for all Americans and for the common good. This is work well worth the significant investment.”