Cyber Security – Avoid Prescriptions When Keeping Up With Threats
Banks are part of an interconnected ecosystem with law enforcement, vendors and other critical industries when it comes to cyber security. New cyber security regulations should help to facilitate cyber security efforts among these players instead of burdening banks with a checklist of to-dos.
The start of 2013 has included substantial focus on cyber security issues, from President Obama’s Executive Order calling for critical infrastructure standards from NIST to the continuation of DDoS attacks against a range of financial institutions. These issues have put a spotlight on the challenges financial institutions face in protecting their systems, data, and customers from criminals with financial, political, and activist motives. Now the Financial Services Sector Coordinating Council for Critical Infrastructure Protection and Homeland Security (FSSCC) has responded to NIST’s request for comments from the industry on how to establish cyber security framework requirements, providing extremely well-reasoned and practical comments and highlighting a key fact: the financial services industry has already established itself as a leader at protecting its infrastructure, data, and customers. The industry is rightly concerned that new standards and regulations add to the burden of requirements from a wide variety of sources such as the FFIEC, GLBA, SOX, and a multitude of others. It also very rightly points out that the notion of “cyber security” covers a range of practice areas, from data protection to intrusion detection to financial malware, each of which has very different risk mitigation approaches, skill sets, and technical solutions.
No prescriptive checklist can effectively address all of the multitude of risks within any industry, much less across industries. As the FSSCC points out, only a risk-based approach focused on outcomes, harmonized with the various existing regulations, will help institutions approach the challenge effectively. We have observed the criminal community adapt extremely quickly to defenses put in place by institutions; a checklist approach is akin to giving them the game plan so they know exactly what not to do and which weaknesses to exploit. Yet this shifts the burden to institutions to ensure they have strong risk assessment techniques and adequate threat intelligence. This can be challenging for smaller institutions that rely on service providers for many of their technology needs. Vendors have a responsibility to be responsive to these needs, assess their own risks, and act accordingly to protect the institutions that depend on them not only for solutions, but also for risk and threat management expertise.

This interconnectedness between financial institutions, vendors, law enforcement, and other providers of critical infrastructure means that the risks and the severity of threats are asymmetric, and this is where regulatory requirements can bring the most value. When Party A’s enhancement of security has a greater benefit to Party B than to Party A itself, regulation can provide a path to improve the system as a whole. An excellent example is the technology for signing emails. While not a panacea, it is an existing technology that can help reduce threats from phishing and malware distribution. Yet ISPs have little economic incentive to deploy the technology broadly, and as a result financial institutions and businesses of all kinds continue to face these threats.
As seen from the previous example, interdependence both within and across industries and law enforcement requires critical review to ensure collective benefit, especially when that involves sharing sensitive information. Balancing privacy and civil liberties is of primary concern, but in many cases even non-personal information that would be valuable to share is not shared due to a lack of clarity as to whether sharing it is allowed. Many privacy laws and regulations make exceptions for sharing data for purposes such as fraud prevention, yet there are so many applicable laws and regulations that it is easier to err on the side of caution. Improving clarity on what can be shared, with whom, and when will dramatically improve the ability of industries and law enforcement to collaborate and to identify and respond to threats more quickly. When threats are understood more quickly, critical infrastructure industries and vendors can develop responses more rapidly.
The financial services industry is already leading in defending against a variety of cybercrimes, and more attention and cooperation will only improve the ability of institutions to defend themselves against threats. Care must be taken to ensure that new guidelines and regulations provide appropriate incentives and do not lead to prescriptive measures that cannot keep up with rapidly evolving threats. Coordination between the public and private sectors should enable and encourage financial institutions to continue to respond to threats and improve their defenses.