Remarks of Deputy Secretary Raskin at the City Week International Financial Services Forum


As prepared for delivery

LONDON - Good morning. Thank you, Mr. Jermey, and thank you to the Board of Patrons of City Week for inviting me to speak here today.  City Week provides an important forum for policy, thought, and business leaders to come together and discuss the most pressing issues facing the financial sector.  I am glad to play a part in this year’s event.

The great value of this program comes in its breadth.  Topics covered yesterday ranged from digitalization of financial services to political risk in a rapidly changing geo-political environment.  Today you’ll tackle where we are with global regulatory reform as well as competition and collaboration between global financial centers to create economic growth.  I would like to add to this agenda by discussing an issue underlying all of these matters, one that certainly affects global economic recovery and that poses a significant challenge for governments, every organization in the financial sector, consumers, and beyond: cyber resilience.

Now, when we talk about enhancing cyber resilience in the financial sector, it often seems as if we may as well be talking about The Impossible, about Going To Mars And Back In a Single Day. The enormity of the challenge seems astronomical.
 

What does this mean about the pervasiveness and the vastness of the cyber threat? We know that cyberattacks are growing in frequency, severity, and sophistication.  Over the past year in the United States we have had a series of high profile attacks against U.S. firms and government agencies.  But the United States is not alone.  Last fall the accounting and consulting firm PricewaterhouseCoopers released the results of its annual global information security survey of business executives.  That survey, which included more than 9,700 participants from 154 countries, reported almost 43 million detected cybersecurity incidents in the prior year, a 48 percent increase over 2013 [1].  The survey also reported the average loss attributed to cybersecurity incidents at $2.7 million—a 34 percent increase from 2013—and noted a 92 percent increase in entities reporting losses of $20 million or more [2].  According to the survey, Europe experienced a more than 40 percent increase in reports of cybercrime, compared to an 11 percent increase in North America [3].  

Estimates vary dramatically, as measurement and quantification of harm are in a relatively early stage of methodological precision [4].  But what we can be sure of is that the financial costs stem not only from the disruption of business, erosion of customers, and the associated loss of revenue, but also from expenses incurred when organizations need to remediate the intrusion, notify customers and shareholders, pay regulatory fines and penalties, and defend themselves in civil actions.  Though at times immeasurable, the non-financial costs may be even greater.  This damage includes: reputational harm and loss of confidence; losses from the theft of intellectual property; injury that comes from the disclosure of sensitive or confidential business information; and the related damage to public trust and confidence. 
 
 

II. The Motives Behind the Cyber Threat:  Economic, Geo-Political, and Physical

Now, by design, the Internet provides unprecedented connection.  This is its greatest virtue; bridging cultures and modes of commerce is the genius of the Internet, and the fuel behind its stature in modern society.  But this access and interconnectedness comes with risks, not all of which have been mitigated.

In some ways it’s helpful to compare malicious cyber activity to our traditional understanding of crime, to understand how this threat affronts and conforms to risks to which we are more accustomed.  But unlike our notion of most traditional crime, sovereign borders are no limit for virtual activity.  Malicious cyber actors are unhindered by traditional deterrence, and can easily transcend borders using communication and information technology systems.  Once embedded in these systems, these attackers assess the critical assets and vulnerabilities of target organizations and individuals.  The attackers can stay for days, weeks, months or even years; they need not dash out as soon as the sun comes up or when they hear homeowners pull into their garage.  And, unlike a burglar, a cybercriminal faces very little immediate risk of arrest and can reach the same result from the comfort of his home with his laptop and by pressing a couple of keys.  

The cyber threat can be largely tied to economic crimes and acts of vandalism by hackers and “hacktivists.”  But virtual threats also exist beyond economic or attention-seeking motives.  The destructive attack on Sony Pictures Entertainment destroyed systems and wiped out massive amounts of data; unreleased movies were posted to the Internet, greatly devaluing intellectual property; and highly sensitive, private information and communications were made public.  And here, an insidious geo-political purpose was afoot: to damage, shame, and ultimately attempt to coerce a U.S. company and its personnel into abandoning their right to free expression.
 
Cyber threats know no international boundaries.  At the same time the Sony attack was gripping the United States, Germany’s Federal Office for Information Security (BSI) released a report describing a cyberattack against a German steel mill that resulted in catastrophic physical damage to equipment [5].  The attack began with spear phishing; hackers sent targeted emails from seemingly trusted sources to trick plant personnel into opening malicious attachments or visiting malicious websites from which tainted software, called malware, was downloaded.  That malware allowed hackers to steal login credentials for the mill’s office network from plant personnel.  Working their way from the office into the production computer networks, the hackers ultimately gained access to systems controlling the mill’s manufacturing equipment [6].  Once in the mill’s production and related control systems, the hackers caused systemic failures, and the plant was unable to control the shut-down of a blast furnace.  Massive physical damage to the furnace ensued—and it all began with an email [7].

These attacks, against Sony and the steel mill, underscore that along with its immense benefits, cyberspace provides unprecedented access to engage in damaging mischief and criminal activity.  Sitting thousands of miles away, attackers can steal, cause physical destruction, and attempt to intimidate and undermine fundamental values and beliefs. 

III. Developing and Embedding a Culture of Cyber Resilience

We are certainly developing a shared understanding of the threat; we now need to develop a consensus around ways to responsibly address this threat.  In the current global environment of interconnectivity, we have seen a growing consensus around the need to ensure that international legal principles pertaining to state sovereignty, human rights, and state responsibility apply equally to conduct online as well as offline.  As part of a broader effort to improve cybersecurity around the world, we are working with the international community to develop common understandings of responsible state behavior in cyberspace. 

The U.S. government has taken its role in this effort seriously, and President Obama has made cybersecurity a top priority.  Our government has worked with international partners through technical and diplomatic channels to respond to the sustained attacks launched against our financial sector in recent years, and we have strengthened our ability to combat the problems of cybercrime and trade secrets theft for commercial gain through law enforcement cooperation and diplomatic means.  Additionally, in the financial services sector, national authorities are collaborating at the Committee on Payments and Market Infrastructures (CPMI) and the International Organization of Securities Commissions (IOSCO) to survey existing legal frameworks and current cyber guidance for critical financial market infrastructures around the world.  Of course, governments have also taken significant initiative in the consumer protection arena; the European community is paving the way in establishing common standards for data breach notifications.  
 

This is significant work, but it is complex and time-intensive, and any solutions will be sub-optimal if governments act alone.  The financial sector, as the provider of intermediation and market-making, and the holder of consumer information, is one critical infrastructure in our global economic landscape. As we all know, the international financial services sector—and this group as leaders of that sector—is making substantial investments to protect the sector, the critical infrastructure supporting the sector, and each other.  Much the same way that vaults and guards serve as the first lines of defense against bank robberies—with the police providing powerful second-line deterrence—financial services companies are making investments to protect themselves, their valuable assets, and the assets and information of clients and consumers against cyberattacks.

But that said, given the persistent, increasingly sophisticated, and morphing nature of cyberattacks, no silver-bullet exists.  In the meantime, is there anything to be done?  Can cyber resistance be improved?  Absolutely. 
 

Rather than thinking of cyber risk as a newfangled technology and security risk, each of us—financial institutions and public institutions—must recognize this risk as perhaps the most pressing operational risk of our time.   Of course it is more than just an operational concern.  Given the ease of contagion within and across the financial sector and other critical infrastructure, and given the amount of consumer data held within the financial sector, it is also a systemic concern and a reputational concern.

This means that instead of building greater cyber resiliency separate from, or siloed within, the financial institution, leaders like yourselves should enhance your current initiatives by demanding that your organizations embed particular resiliency features into existing control structures, business processes, and cultures.  Instead of grafting cybersecurity controls on top of existing controls with a hope that they’ll stick, cybersecurity must be considered and intertwined in the development of the fundamental components of processes so that cyber measures cannot be circumvented, removed, or defeated.  Such an approach creates multiple levels of defense and enhances a cyber resiliency that is at the essence of an organization and its functions.

IV. Three Specific Activities that Can Make a Difference Now

While we work toward coordinated inter-governmental efforts and enforcement internationally, and while institutions enhance their cyber resilience by embedding controls and defenses into their cultural orientations—with long-term aspirational goals and investments to be sure—it strikes me that there are also three immediate, shorter-term fixes that can make a difference in strengthening the financial sector’s resilience. These are to share information; to focus on third-party vendors’ security; and to create what I call Playbooks for Preparedness.

1. Engage in Information-Sharing

First, information-sharing should be a priority for the financial sector all over the world [8].  Increasingly, bad actors do not attack a single organization; they instead target multiple institutions using the same or similar methods.  That was the case last year with the attack on JP Morgan Chase’s systems; other financial institutions were targeted using the same tactics and techniques.

Participating in information-sharing fora is a part of a financial institution’s risk management processes because it enhances the firm’s ability to identify, respond to, and mitigate cybersecurity threats and incidents [9].  Sharing knowledge of vulnerabilities, threats, and incidents allows firms to benefit from each other’s experience. 
 

To facilitate and centralize information-sharing, firms in the financial sector have established a non-profit entity, known as the Financial Services Information Sharing and Analysis Center.  That center disseminates threat alerts that it constantly receives, from its approximately 5,500 members and from commercial sources, law enforcement, and U.S. government agencies.  This center is not solely focused on the United States though; it has members around the world and just last week had a members’ meeting here in London.

The U.S. Treasury has also set up an internal group—called the Financial Service Cyber Intelligence Group—that combs through law enforcement and intelligence reports to find relevant threat and vulnerability information.  That group then works to appropriately declassify and share information directly with firms and through the center. 
 

In short, if you haven’t already, think about joining an information-sharing forum like the Financial Services Information Sharing and Analysis Center.

2. Control the Use of Third-Party Vendors

Second, most banks, insurance companies, broker-dealers, exchanges, and other financial institutions rely on third-party vendors for a range of services, some of which are core to the organizations’ activities. In other words, the linkages transcend your bricks and mortar. You operate with many third parties and given these connections, we are only as strong as our weakest link.  This means that third-party vendors—and any other third parties with access to an institution’s networks, systems, and data—can present a significant cybersecurity hazard. 
 

Therefore, as I’ve said in the past, in both the private and public sectors, you want to understand the security safeguards in place at any entities with access to your networks, systems, and data.  At the very least, this means: (1) knowing all vendors and third parties with access to your institution’s systems and data; (2) confirming that those vendors and third parties have appropriate protections to safeguard your systems and data; (3) conducting monitoring to ensure these firms are adhering to the particular protections you understand them to have; and (4) documenting protections and related obligations in your contracts so that you can enforce them [10].    

3. Engage in Proactive Preparedness Efforts

The final activity that can help enhance cyber resilience is to think about how your firm responds and recovers if its critical functions are hacked.  Thinking about response and recovery can take a number of forms. Actions that are particularly worthwhile include purchasing cyber insurance, developing carefully tailored crisis management plans and engaging in exercises.
 

Given the sheer number and transforming nature of cyber incidents, we know avoiding every cyberattack is currently a pipe dream. Instead we have to increasingly focus our efforts on making response and recovery more efficient, effective, and predictable.

One key way to proactively prepare for a potential incident is by obtaining cyber insurance.  Cyber insurance provides an important risk mitigation tool by allowing policyholders to transfer some of the financial exposure associated with cyber events.  But cyber insurance can play another important role.  Qualifying for cyber insurance can provide useful information for assessing institutions’ risk level and identifying cybersecurity tools and practices that are missing or that could be enhanced.  Institutions with cyber insurance already in place may also have a leg up on response and recovery when cyber events occur.  This is because insurance companies can help their policyholders navigate the complex processes around cyber response and recovery, and can refer those policyholders to proven experts. The cyber insurance market is relatively new, but it is growing in the United States and also starting to develop in Europe.

Another way for institutions to know that they will be able to respond and recover from a debilitating attack is to develop a cyber-incident playbook—a so-called “Playbook for Preparedness.”  These playbooks can be a stand-alone document or part of larger business continuity and disaster recovery plans.  Regardless of the specific form, the playbook should have a detailed, documented plan so that the firm can react quickly to minimize internal and external damage, reduce recovery time and costs, and instill confidence in outside stakeholders and the public. 

The playbook for preparedness should specify the respective roles of the CEO and the board if a significant cyber incident occurs. If you have one, you will know who to call, and who will call whom, when. To practice those roles, firms can periodically participate in cyber exercises that simulate a cyber intrusion.  These exercises allow CEOs, directors, and others to figure out how they will navigate the pressures and problems that come from the intrusion. 
 

In the United States, the Treasury Department—working with private institutions in the financial sector as well as other departments and agencies throughout government—has participated in joint private-public exercises that simulate broad-reaching cyberattacks.  These exercises, which grow progressively more complex, are designed to help identify gaps in our current cyber incident response framework, and to better inform and drive efforts to improve collective response preparedness.  Like fire fighters participating in complex fire drills, these exercises serve as a training ground to practice and refine communication and coordination protocols between and among public and private organizations during cyber incidents.  At the end of the year we anticipate holding a transatlantic exercise between the United States and the United Kingdom.  To the extent possible, I encourage your institutions to look for opportunities to participate in similar domestic and international exercises.

V. Conclusion

Reaching a state of absolute cybersecurity is an unattainable goal.  Cyber threats will continue to evolve, and challenges will change form, always requiring defenses and safeguards that are equally nimble and effective.  But what is attainable is a more cyber-resilient financial system: a system in which a threat is assumed to have permeated already, and in which keeping that threat from causing damage is front and center in the consciousness and systems of financial firms. We haven’t exhausted the simpler steps yet—the so-called low hanging fruit—that can bring us closer to strength and resilience.

With each passing day, and with each intrusion, executives and officials at the senior-most levels of government and our financial institutions are grappling with how to improve resiliency against cyberattacks. The new reality is demanding that we collectively—regulators, governments, leaders of our critical financial infrastructure—embrace a shift in our thinking and approaches. From one perspective, we will never eliminate intrusions. But that is not necessary. It is only necessary to mitigate intrusions, recover our systems, and protect consumers’ data. When we focus this way, we will surely find that advancing cyber resilience will promote a stronger system of essential intermediation, which will advance prosperity in all of our countries.
 

Thank you. 

###

NOTES:

1. PwC, Managing Cyber Risk in an Interconnected World: Key Findings from The Global State of Information Security Survey 2015, at 7 (Sept. 30, 2014) (the geographical makeup of survey participants was: 35 percent from North America, 34 percent from Europe, 14 percent from Asia Pacific, 13 percent from South America, and 4 percent from Africa and the Middle East).  This increase may also be a result of enhanced detection efforts overall.

2. See id. at 10.

3. See id. at 9.

4. Center for Strategic and International Studies, Net Losses: Estimating the Global Cost of Cybercrime (June 2014) (study estimated annual cost of cybercrime to the global economy as likely to exceed $400 billion, and could range from $375 billion to $575 billion).

5. See, e.g., Die Lage der IT-Sicherheit in Deutschland 2014, Bundesamt für Sicherheit in der Informationstechnik (BSI), Nov. 2014; Robert Lee, Michael J. Assante, & Tim Conway, German Steel Mill Cyber Attack, SANS Industrial Control Systems, Dec. 30, 2014, https://ics.sans.org/media/ICS-CPPE-case-Study-2-German-Steelworks_Facility.pdf (including assessment of attack and translation of relevant text from BSI report); Hack Attack Causes 'massive damage' at Steel Works, BBC News, Dec. 22, 2014, http://www.bbc.com/news/technology-30575104; Kim Zetter, A Cyberattack has Caused Confirmed Physical Damage for the Second Time Ever, WIRED, Jan. 8, 2015, http://www.wired.com/2015/01/german-steel-mill-hack-destruction/.

6. Id.

7. Id.

8. Federal Financial Institutions Examination Council, Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement, at 1 (Nov. 4, 2014) (recommended that regulated financial institutions should participate in cyber risk information-sharing), https://www.ffiec.gov/cybersecurity.htm.

9. Federal Financial Institutions Examination Council, FFIEC Cybersecurity Assessment: General Observations (Nov. 2014), http://www.ffiec.gov/press/PDF/FFIEC_Cybersecurity_Assessment_Observations.pdf.

10. Id.