With Cyber Threats to Financial Services, Questions Loom About Role of Regulation

From: Bloomberg Law

By Maria Lokshin

Financial institutions are facing unrelenting threats from cyber criminals, industry participants told BNA in early August, but whether there is room for regulatory intervention is up for debate.

While financial regulators have taken notice of the looming dangers, some in the industry question whether rules would help insulate firms from cyber threats or simply impose additional regulatory burdens.

Under Attack

Cybersecurity poses an increasing threat for all global companies and industries–so much so that a recent Depository & Trust Clearing Corp. report called it potentially the “top systemic threat” to both financial services and other industries.

“The sector as a whole is actively under attack,” Karl Schimmeck, vice president of financial services operations at the Securities Industry and Financial Markets Association, said in a telephone interview.

According to Alan Tilles, chairman of the telecommunications department at Shulman Rogers Gandal Pordy & Ecker PA, Potomac, Md., the problem is even more widespread. “I can tell you that there isn’t a company of significant size in this country that hasn’t been the subject, on some level at least, of some kind of [cyber] attack,” he said in a telephone interview.

Financial regulators are homing in on the growing threat. According to Dave Burg, advisory principal at PricewaterhouseCoopers, prudential regulators in particular are “very well aware” of the issues surrounding cyber threats and are expected to “continue to be very aggressive” with respect to cybersecurity. Earlier this year, the Financial Stability Oversight Council–an omnibus body of financial regulators–cited in its annual report to Congress the mounting risk from cyber threats.

The Securities and Exchange Commission, too, has delved into the cybersecurity space. In 2011, agency staff issued guidance that said companies should disclose cybersecurity compromises because such problems can have a bearing on their financial health (200 SLD, 10/17/11).

SEC Chairman Mary Jo White recently said staff are reviewing companies’ disclosures of cyber breaches to see whether additional guidance is needed (94 SLD, 5/15/13). A source familiar with the matter told BNA that SEC staff have seen improved company disclosures of cyber incidents after the guidance was issued–particularly in the disclosures of risk factors.

In addition, the Financial Industry Regulatory Authority placed cybersecurity on its list of regulatory and examination priorities for 2013 and said it was concerned about the frequency of attacks and breaches at member firms (11 SLD, 1/16/13). A FINRA official recently said the self-regulatory organization has seen a “proliferation” of complaints about cyber breaches at broker-dealer firms (117 SLD, 6/18/13).

Disclosure Issue

Whether prescriptive regulation would bolster cybersecurity in financial services, however, is up for debate. With respect to SEC disclosures, Burg said in a telephone interview that gauging the impact of a cyber attack or threat is difficult.

According to Burg, many companies “will disclose that cybersecurity risks are a component part of operating in a highly interconnected, technology-enabled world.” However, such disclosures “may lack the level of specificity to reveal or to describe or quantify the risks that the institution may be exposed to.”

For example, in Burg’s experience conducting investigations for some PwC clients, clients may not be aware that a cyber attack has taken place for months or even years. That makes it hard to understand and calculate the damages from the compromise.

Schimmeck also said that regulation may not be optimal in the cybersecurity space with respect to the financial services industry. The concern is that regulation could turn into a “compliance exercise” and become a “bit of a burden.”

Congress, White House

In response to the growing threat, Congress has rolled out multiple bills to fortify cyber infrastructure. In July, for instance, the Senate Commerce Committee cleared Sen. John Rockefeller (D-W.Va.) and Sen. John Thune’s (R-S.D.) bill (S. 1353) to authorize the National Institute of Standards and Technology–a part of the Department of Commerce–to craft voluntary cybersecurity standards for the private sector.

Another Senate bill (S. 1193) would establish a single federal standard for when companies would be required to notify individuals of certain data breaches. In April, the House passed legislation (H.R. 624) to increase cyber threat information sharing between the government and private businesses. “It’s a space that we’re watching very closely,” Burg said of the legislative initiatives.

According to Tilles, communication between businesses and the government is critical to address cybersecurity. The House bill, he said, would set the parameters of what information is shared and when.

The White House also has taken note. Earlier this year, President Obama issued an executive order that called on NIST to spearhead a framework for voluntary cybersecurity standards for the nation’s critical infrastructure owners and operators.

“There is an increased awareness on the part of the executive branch [about cybersecurity threats], and there’s a campaign to the business community that cybersecurity risks are real, they are significant, and that the government believes it has a role to help our economic security remain, in fact, secure,” Burg said.

According to Schimmeck, the industry is working hand in hand with the government to promote information sharing with respect to cyber threats. “We all band together and are working [on] this issue as kind of one sector, in partnership with the government,” he said.

Where the Money Is

In the meantime, the financial services sector may be exceptionally vulnerable to cyber attacks.
