Michael Cooper (CTO, BT Radianz), Lisa Toth (Global Head of Regulation and Risk, Hatstand, a Synechron Company) and Chris Bok (Consultant, Jordan & Jordan) examine ongoing changes to the cyber security landscape, and how the industry can work together to combat the risk.
Michael: The cyber security landscape remains complex and problematic. Barriers to entry for those wishing to disrupt, attack and exploit vulnerabilities are being almost constantly lowered. This is compounded through effective use of collaboration in the exchange of information and with rapid dissemination and innovation of exploits. Further, the volume of criminally incentivised, as opposed to disruptive/opportunist-oriented, attacks seems on the increase. So the challenge of sustaining security has become more difficult, more complicated but increasingly important.
Alongside this is an increased awareness and recognition of that risk, coupled with an expectation that firms must address this. One consequence is that obligations and responsibilities have become broader and more onerous to execute. Legislators and regulators are continuing to raise both expectations and mandates.
Lisa: In light of the high-profile cyber events that have been in the news recently, all across the globe we are seeing central banks reminding their members that they must have robust cyber security, governance, policies and procedures in place. We are also seeing countries examining the regulations they already have in place and looking to set up further rules. The Hong Kong Monetary Authority announced earlier this month that this year it will be publishing a cyber security assessment framework, a similar step to the FFIEC. The regulators are definitely taking note and are looking at their member firms to ensure that cyber security is embedded within their culture, policies and procedures.
SEC and FINRA have put cyber security preparedness as a high priority for their 2016 exam review, and in the UK, the FCA announced that its member firms are not doing enough to protect themselves from cyber breaches. It is therefore likely that we will see many more fines being levied against firms with insufficient policies and procedures, as well as against those firms who have experienced cyber breaches and subsequently failed to remediate the issues.
There have been three cyber security-related fines imposed by the SEC recently. Last year, $75,000 was applied to a regional broker/dealer; in January 2016 there was a fine of $100,000 against a fintech firm; and more recently, a large investment bank was fined $1 million. The scale of the fines is increasing rapidly.
Michael: Clearly the regulatory position is evolving and becoming more stringent as regulators seek to incentivise markets and market participants to respond. Alongside this, there is clearly more regulatory content to consume, and this is not entirely aligned globally. So while the intentions are right, there is additional complexity in different timescales, expectations and specification: additional complexity in an already complex area.
Lisa: In April, IOSCO released a report highlighting some of the key global regulatory initiatives that are underway, and it continually uses NIST as an example of a robust framework. While IOSCO doesn’t actually come out and recommend that everybody base their cyber security framework on NIST, they are publishing them as examples.
Michael: There are also a number of forums being set up within different sectors and parts of the market which are regulatory-inspired. In addition, there are entities like IOSCO seeking to do something at the macro level and there are others trying to work at a more micro level. So there is more activity overall, not just in terms of regulation, but in terms of the industry’s response to it.
Identifying solutions
Michael: I believe that most people will have a decent awareness of the issues and risk presented by cyber security, particularly following some of the recent bigger, more publicised events. The challenge for firms is to identify what they can do given the resources, knowledge and assets they have.
Lisa: To look further at this, it comes down to how sophisticated firms are in terms of their cyber practice. Some firms view cyber risks as purely a technical or IT solution, so they put in place firewalls and anti-malware and think that they are protected, but there is so much more to it than that. Firms do need to have IT solutions in place, but they also need clear governance, policies and procedures, and in addition they must have suitable response plans in place.
These should be embedded as part of their business continuity and disaster recovery planning. Firms should have a risk register, and be able to identify the types of cyber security risk that they face. Then they should create threat scenarios and test against them. Firms should be doing penetration testing, vulnerability assessments and then testing their response plans. If they go through these preparatory steps they will find that the amount of time it takes to identify and resolve a breach will significantly reduce. Investment up front will reduce potential exposure to a cyber breach at the back end.
Michael: The market has made considerable progress, but obviously there is still a long way to go. Some of this is around security practice: how firms need to operate and the decisions they must consider and ultimately make. There is a big step up required before this practice becomes industrialised. Firms are doing it more than perhaps they were before, but there’s still much more to be done.