AUTHORITYID | CHAMBER | TYPE | COMMITTEENAME |
---|---|---|---|
ssbk00 | S | S | Committee on Banking, Housing, and Urban Affairs |
[Senate Hearing 115-307]
[From the U.S. Government Publishing Office]

S. Hrg. 115-307

CYBERSECURITY: RISKS TO THE FINANCIAL SERVICES INDUSTRY AND ITS PREPAREDNESS

=======================================================================

HEARING
BEFORE THE
COMMITTEE ON BANKING, HOUSING, AND URBAN AFFAIRS
UNITED STATES SENATE
ONE HUNDRED FIFTEENTH CONGRESS
SECOND SESSION

ON

EXAMINING CYBERSECURITY ISSUES IN THE FINANCIAL SERVICES SECTOR, FOCUSING ON THE RISKS TO THE FINANCIAL SERVICES INDUSTRY FROM CYBERATTACKS AND CYBER THREATS AND THE READINESS OF THE FINANCIAL SERVICES INDUSTRY TO COMBAT THEM

__________

MAY 24, 2018

__________

Printed for the use of the Committee on Banking, Housing, and Urban Affairs

Available at: http://www.govinfo.gov/

U.S. GOVERNMENT PUBLISHING OFFICE
31-197 PDF                         WASHINGTON : 2019

--------------------------------------------------------------------------------------

For sale by the Superintendent of Documents, U.S. Government Publishing Office, http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free). E-mail, po@custhelp.com.

COMMITTEE ON BANKING, HOUSING, AND URBAN AFFAIRS

MIKE CRAPO, Idaho, Chairman

RICHARD C. SHELBY, Alabama            SHERROD BROWN, Ohio
BOB CORKER, Tennessee                 JACK REED, Rhode Island
PATRICK J. TOOMEY, Pennsylvania       ROBERT MENENDEZ, New Jersey
DEAN HELLER, Nevada                   JON TESTER, Montana
TIM SCOTT, South Carolina             MARK R. WARNER, Virginia
BEN SASSE, Nebraska                   ELIZABETH WARREN, Massachusetts
TOM COTTON, Arkansas                  HEIDI HEITKAMP, North Dakota
MIKE ROUNDS, South Dakota             JOE DONNELLY, Indiana
DAVID PERDUE, Georgia                 BRIAN SCHATZ, Hawaii
THOM TILLIS, North Carolina           CHRIS VAN HOLLEN, Maryland
JOHN KENNEDY, Louisiana               CATHERINE CORTEZ MASTO, Nevada
JERRY MORAN, Kansas                   DOUG JONES, Alabama

Gregg Richard, Staff Director
Mark Powden, Democratic Staff Director
Elad Roisman, Chief Counsel
Travis Hill, Senior Counsel
Elisha Tuku, Democratic Chief Counsel
Laura Swanson, Democratic Deputy Staff Director
Corey Frayer, Democratic Professional Staff Member
Dawn Ratliff, Chief Clerk
Cameron Ricker, Deputy Clerk
James Guiliano, Hearing Clerk
Shelvin Simmons, IT Director
Jim Crowell, Editor

C O N T E N T S

----------

THURSDAY, MAY 24, 2018

Opening statement of Chairman Crapo
    Prepared statement
Opening statements, comments, or prepared statements of:
    Senator Brown

WITNESSES

Bill Nelson, President and CEO, the Financial Services Information Sharing and Analysis Center (FS-ISAC)
    Prepared statement
    Responses to written questions of:
        Senate Banking Committee
Michael Daniel, President and CEO, Cyber Threat Alliance
    Prepared statement
    Responses to written questions of:
        Senator Reed
        Senator Warner
        Senator Cortez Masto
Phil Venables, Chief Operational Risk Officer, Goldman Sachs
    Prepared statement
    Responses to written questions of:
        Senator Warner
        Senator Cortez Masto
Carl A. Kessler III, Senior Vice President and Chief Information Officer, First Mutual Holding Company
    Prepared statement
Bob Sydow, Principal and Americas Cybersecurity Leader, Ernst & Young LLP
    Prepared statement
    Responses to written questions of:
        Senator Warner
        Senator Cortez Masto

Additional Material Supplied for the Record

Letter submitted by the Credit Union National Association

CYBERSECURITY: RISKS TO THE FINANCIAL SERVICES INDUSTRY AND ITS PREPAREDNESS

----------

THURSDAY, MAY 24, 2018

U.S. Senate,
Committee on Banking, Housing, and Urban Affairs,
Washington, DC.

The Committee met at 9:28 a.m., in room SD-538, Dirksen Senate Office Building, Hon. Mike Crapo, Chairman of the Committee, presiding.

OPENING STATEMENT OF CHAIRMAN MIKE CRAPO

Chairman Crapo. The Committee will come to order.

Today we will hear about cybersecurity in the financial sector. Today's witnesses come from a wide range of organizations and can provide us with insight on the threats faced by and the preparedness of the financial sector when it comes to cyber.

Four years ago, this Committee held a similar hearing where I noted that a recently aired ``60 Minutes'' segment called 2014 ``the year of the data breach.'' Given the various data breaches over the past few years, most notably the Equifax data breach last year, I am not sure that 2014 still holds that title.

As our society increases its reliance on technology and becomes accustomed to immediate access to information and services from companies, the risk of--and the potential damage caused by--data breaches continually increases.
Americans are becoming more aware of the amount of information, including personally identifiable information, or PII, that is stored by companies, and there is a growing realization that this information can be stolen or misused.

The collection of PII by both the Government and private companies is something that has long troubled me. Many question how both use the data collected and how such data is secured and protected. The collection and use of PII will be a major focus of the Banking Committee moving forward, as there is broad-based interest on this Committee in examining it.

Today we will hear from our witnesses regarding cybersecurity and about the risks to the financial services industry and its preparedness. We have heard from many regulators before this Committee about their focus on and oversight of cybersecurity and how it is critical to the operations of companies and our markets. This is especially true for companies in the financial services space.

The financial sector itself is a main target for hackers because, as many have said, ``that's where the money is.'' Banks are under constant attack every day. Because of this, they and other firms in the financial services industry have devoted substantial resources to protecting information systems, and the industry is widely viewed as one of the most advanced sectors in terms of prioritizing cybersecurity.

Today I hope to learn more about: the risks to the financial services industry from cyber attacks and cyber threats; the work being done in the financial services industry to increase cyber readiness, combat cyber attacks, and increase resiliency; and what more needs to be done by the private sector and Government to help protect companies' and consumers' information.

It is critical that personal data is protected, consumer impact in the event of a data breach is minimized, customers' ability to access credit and their assets is not harmed, and the financial sector is resilient enough to continue to function despite a cyber breach at a financial sector company.

I will welcome our witnesses again but welcome. And, Senator Brown, you may proceed.

STATEMENT OF SENATOR SHERROD BROWN

Senator Brown. Thank you very much, Mr. Chairman. Thank you for holding this hearing today.

This Committee last considered cyber preparedness of financial institutions 3 1/2 years ago. Since then, sophisticated, targeted cyber attacks have become all too frequent, exposing the personal information of millions of Americans, costing our economy hundreds of millions of dollars.

Cutting corners on cybersecurity risks real harm to real people's lives. Each data breach or each cyber heist that makes the news seems larger than the one before, and after a while, we barely raise an eyebrow. But think about a family trying to get a mortgage who finds out that their credit score has been wrecked through no--they do not have knowledge about it and it has been wrecked through no fault of their own.

It is clear these risks to the financial system and Americans' personal data are growing. Today's hearing will give us a window into how the financial services sector works on cyber preparedness, fighting cyber attacks, promoting cooperation among private and public entities.

Financial institutions must work diligently not just to maintain standards set by industry and Government, but also to improve protections for financial infrastructure and customer data whenever possible. As risks increase and threats become more advanced, financial institutions and Government agencies must facilitate and encourage information sharing.

Banks certainly have the resources to invest in protecting their customers. The FDIC reported on Tuesday that banks are doing better than ever. Including the benefit from the tax bill, net bank income increased 27 percent compared to 2017. That has been consistent, in most cases double-digit profit increase over most of the last 8 years. Even without the tax benefits Republicans in Congress bestowed on the largest corporations and the wealthy, bank profits would have been up 12.6 percent from a year ago.

Record profits for banks should not just mean that top executives get bigger bonuses and the largest shareholders benefit from stock buybacks and dividends. Banks should be investing in their businesses, whether it is cybersecurity or a living wage for their employees. I remember the average teller in this country makes $26,000 a year.

Rather than lobbying to be let off the hook from rule after rule, the Nation's largest banks should focus their time and effort on securing financial infrastructure against attacks and protecting sensitive consumer data.

Law enforcement also plays a critical role in assessing and warning about cyber threats, and its ability to share sensitive cyber threat information more quickly will help combat those threats. I know there has been good work done in this area. We need to build on it. We cannot let up now. And that is why I am glad the five of you are here.

A secure and resilient financial system is the foundation of commerce and our economy. There is always the risk that cyber thieves will try to steal money and consumers' personal data or that a hostile country will seek to disrupt our financial system. We cannot risk undermining faith in that system. It would take just one cyber attack to undermine our trust in financial institutions. Once that happens, it will take more than hearings, legislation, or policy changes to restore that trust.

I look forward to hearing all of you address these issues. Thank you all for joining us.

Chairman Crapo. Thank you, Senator Brown. We will now move to our witnesses and their testimony.
We have with us five excellent witnesses today, and I will briefly introduce Mr. Nelson, Mr. Daniel, and Mr. Venables, and Senator Brown will then introduce our two witnesses from Ohio.

Senator Brown. Thank you.

Chairman Crapo. Mr. Bill Nelson is president and CEO of the Financial Services Information Sharing and Analysis Center, also known as FS-ISAC, and has held such a position since 2006. FS-ISAC is a nonprofit association dedicated to protecting the global financial services industry from physical and cyber attacks. Its members include organizations from banks, credit unions, securities firms, and insurance companies.

Mr. Michael Daniel is the president and CEO at the Cyber Threat Alliance. CTA was formed in 2014 through an informal agreement to share intelligence among Fortinet, McAfee, Palo Alto Networks, and Symantec. Prior to joining the CTA, Mr. Daniel served from June 2012 to January 2017 as Special Assistant to President Obama and Cybersecurity Coordinator on the National Security Council staff.

Mr. Phil Venables is the managing director and head of operational risk management and analysis at Goldman Sachs. Mr. Venables has been at Goldman Sachs 18 years. His first 16 years he served as Goldman's chief information security officer, or CISO, before moving into a wider role in Goldman's Risk Division. Mr. Venables serves on the executive committee of the U.S. Financial Services Sector Coordinating Council for Critical Infrastructure Protection and is co-chair of the Board of Sheltered Harbor.

Senator Brown.

Senator Brown. Thank you, Mr. Chairman. It is my pleasure to introduce two Ohioans on this panel. I do not get this honor that often, so thank you.

Carl A. Kessler III is a senior vice president, chief information officer of First Mutual Holding Company, 25 years of experience in technology, 15 in banking at super-regional and community banks, of which Ohio has a number of them. While working in banking, Mr. Kessler has tackled a broad range of cybersecurity issues, from building banking websites to designing security architecture. He began his career at the Department of Defense after graduating from the Honors College at Ohio University. Welcome.

And Tom Fraser, the bank's CEO, and Mr. Kessler both do a really important and crucial job serving the banks' customers in northeast Ohio. The bank is located in Lakewood, Ohio, west of Cleveland. Welcome, Mr. Kessler.

Bob Sydow is a principal at Ernst & Young and Americas cybersecurity leader. He has more than 30 years of experience working with Fortune 500 companies and all aspects of information security, data protection and privacy, identity and access management, cyber threat management, and cyber economics.

I met with Mr. Sydow this week. I was impressed with his expertise in all things cybersecurity, and I was also impressed with his knowledge of all things Cincinnati Reds. While I am a Cleveland Indians fan in the other end of the State, I urge any of you that are baseball fans in this audience to at least one time go to a Cincinnati Reds opening day. It is a celebration of America's first baseball team. Cincinnati is a baseball town, and I have been to opening day half a dozen times there, and it is something, if you love baseball, you want to experience. But Mr. Sydow has promised if any of you will go, he will give you tickets and give you a tour----

[Laughter.]

Senator Brown.----and tell you all things Cincinnati Reds history.

So thanks to the both of you for joining us.

Chairman Crapo. Thank you, Senator Brown, and I think I will try to take you up on your suggestion. I will not take the tickets, however.

Gentlemen, we appreciate you being with us today and bringing your expertise to assist us with this issue. We will proceed in the order that you were introduced. I remind you that we ask you to keep your oral remarks to 5 minutes. You have a little clock there that is supposed to help you.

And this is one of those days where we are jammed for time, hence the reason we moved the time of the hearing up. Both Senator Brown and I are a little jammed for time. So I am reminding our Senators as well that we want you to keep yourselves to your 5-minute limit, if you can do so. Actually, we will try to help you do so.

Mr. Nelson, you may proceed.

STATEMENT OF BILL NELSON, PRESIDENT AND CEO, THE FINANCIAL SERVICES INFORMATION SHARING AND ANALYSIS CENTER (FS-ISAC)

Mr. Nelson. Thank you. Thank you, Chairman Crapo and Ranking Member Brown and other Members of the Committee, for inviting me to speak today. I do not have one of the timers, so cut me off if I go over 5 minutes.

Chairman Crapo. Well, if you hear this sound [banging gavel] that means the bell rang.

Mr. Nelson. I will discuss the topics that you mentioned already: cyber risks, efforts by the financial services industry to increase cyber readiness, and what more needs to be done by the private sector and Government to help protect companies' and consumers' information.

As you mentioned in the intro, I have been CEO of FS-ISAC since 2006 and have seen some major changes occur in the last 12 years. I think the biggest change has been the growing sophistication and volume of cyber threats and attacks. In response, the financial services sector has made significant investment in cyber defenses and has come together as a community to back major resiliency efforts.

I have also witnessed an evolution of the public-private partnership. Today the financial services industry receives tremendous benefit from that partnership that enables cyber threat intelligence to flow to the sector and improve detection, prevention, and response to cyber threats and other risks.

By way of background, you mentioned that FS-ISAC is a private sector, nonprofit organization. We have been around since 1999, and our formal mission is provided in the written testimony.
If I could sum it up in maybe just a few words, it is really to protect the financial services sector. There is an inherent strength in sharing derived from three fundamental pillars: one, the public-private partnerships; two, cross-sector sharing; and, most importantly, three, member-to-member sharing.

We often think of FS-ISAC as a virtual neighborhood watch where financial institutions really keep an eye out for each other. One company's reported incident can help the entire sector respond and prevent the same attack from affecting their firm.

Driven by the direction of our membership, FS-ISAC performs a number of key critical functions: we share threat and vulnerability information; we conduct coordinated exercises, often with our Government partners; we manage rapid response communications for both cyber and physical events; we produce education and training programs; and we foster collaboration with other key sectors and with Government agencies.

We have grown rapidly in recent years. When I started, we had a little bit under 200 members. We have about 7,000 companies that belong to FS-ISAC today. These include, like you mentioned earlier, commercial banks, credit unions, but also stock exchanges, clearinghouses, brokerages, investment firms, insurance companies, payment processors, and financial services trade associations.

We are headquartered in Reston, Virginia, and have expanded globally with members in 44 countries today, and we have a team of over 100 staff and consultants in eight countries across five continents. That is a long way from when I started in 2006 when we had me and about five outsourced people. That was it. So we have grown really in response to the threat.

Each day, cyber risks evolve as attacks increase. We have invested a significant amount of money, but they continue, these cyber threat actors, to target the financial services sector. Their motivation varies. It can be corporate espionage. It can be stealing money. It can be launching disruptive attacks like we saw in 2012 and 2013 against about 50 financial institutions, and even destructive attacks.

As they grow in their sophistication targeting, the primary evidence of these attacks are the types of attacks leveraged against financial institutions to steal money and disrupt. They include things like phishing; targeted email spear-phishing campaigns resulting in account takeover where they steal your money; also business email compromise which involves the compromise of legitimate business email accounts to initiate unauthorized wire transfers or ACH; ransomware attacks, we all know about that; distributed denial of service attacks, which can impede access to online services; and data breaches, which steal sensitive information.

I think the sector has really come together in a proactive manner. As a result, we have greatly expanded our products and services to our members. We have devoted a large number of resources to really tailor them to smaller financial institutions and their service providers. At the same time, we have enhanced our analysis of threats and best practices for defending against those threats.

We have expanded our exercise program, which includes an annual cyber attack against payment systems, or CAPS exercises, with thousands of participants last year, and have introduced the new cyber range program that allows members to have hands on keyboards, to gain experience to respond effectively to a real-live cyber attack. And we have improved our capability to respond to major cyber and physical incidents, including emergency member calls. The last couple, we have had over 3,000 members participate on. And we have expanded our in-person online member training programs.

In addition to these efforts, we have also created two new subsidiaries--one to add an extra layer of security for consumer accounts, and the other to reduce systemic risk. At the request of leaders in the industry, we established the Sheltered Harbor in 2016 to enhance the industry's resiliency capabilities in the event of a major disaster or event.

In conclusion----

[Laughter.]

Mr. Nelson. I provide more details in my written statement, but let me highlight four recommendations. We are encouraging regulators to harmonize their cyber regulatory requirements, leverage authorities in the Cyber Information Sharing Act, CISA, and the USA PATRIOT Act to implement more effective information-sharing programs; number three, establish cyber deterrence and response capabilities, encourage adoption of global cyber norms; and four, support efforts to develop a technology-capable workforce.

Thank you very much. Thank you for the opportunity.

Chairman Crapo. Thank you for your flexibility. And we do read your written testimony very carefully. I want you to know that.

Senator--I mean Mr. Daniel. I just about made you one of us. That probably was a demotion.

[Laughter.]

STATEMENT OF MICHAEL DANIEL, PRESIDENT AND CEO, CYBER THREAT ALLIANCE

Mr. Daniel. Well, thank you very much. Thank you, Mr. Chairman, Ranking Member, other distinguished Members of the Committee. Thank you for the opportunity to come and speak with you this morning.

What I think I can do is provide sort of a strategic overview of the threat context in which this industry is operating and then talk a little bit about what we have done to try to tackle the problem and where we need to go going forward.

When you look out at the landscape, because we live in a digital age, almost everything in our country is now heavily dependent upon the internet and cyberspace. And so, therefore, these threats affect all of us. But the threat is actually continuing to get worse, and it is getting worse in four ways.

One is it is becoming broader. As we create this Internet of Things, we keep hooking more and more of stuff up to the internet. And it is not just laptops and desktops anymore.
It is your watch, your phone, your car, your light bulbs, a whole plethora of different devices.

The threat is becoming more prevalent as more and more malicious actors, whether they are nation states or criminals, realize that they can try to achieve their goals by operating through cyberspace.

The threat is becoming more dangerous as those actors are willing to undertake more and more destructive activities. If we had been having this hearing back when Bill first joined the FS-ISAC, we would have been talking a lot about website defacement. None of us talk about that anymore because that is the least of our problems.

And then, finally, the threat is becoming more disruptive. As I mentioned, with our digital dependence, as it increases, things that used to be merely irritating now pose, you know, organizational existential questions. You know, I often say that when I first started working for the Federal Government in 1995, if the network went down, we just did something else for the day. You know, we worked on our noninternet-connected computers or we held meetings over the phone or did other things. And now if the network goes down, you pretty much send your workforce home because you cannot do anything.

Now, for the financial services industry in particular, you know, they also face challenges related to both criminal and nation-state-enabled cyber theft, and those are a real problem for the industry. But it is also becoming clearer that the threat of disruption, those nation states that target the industry for the purpose of inflicting economic harm on the United States and the West is becoming a more prevalent threat as well.

Now, one thing I want to hit on is actually there is a real question in here about exactly why cybersecurity is a hard problem, because at the surface of it, it looks like it should not be. After all, it is just computers and code. And so there is a question of why we simply cannot create a technical fix to this problem.

But the answer is because cybersecurity is not just a technical problem. While there are technical issues about it, it is also an economics issue, a business operations issue. It is a human psychology issue. And it is a national security issue. And it is all of those things rolled into one.

Cyberspace also plays by different rules than the physical world, so a lot of our analogies for how to do things and how to actually go about securing things in the physical world do not work in an environment that is a notable network that operates at light speed, where the concepts of time and distance and proximity all have different meanings and borders than they do in the physical world.

And then, finally, this is a new environment. Stretching it to the maximum, cyberspace is barely older than me. And we have not had time yet to develop the body of law and policy and practice that we need to operate effectively in cyberspace.

Now, we have certainly made a lot of progress over the last 20 years, including particularly within the financial services industry. I certainly agree with the characterization of the industry as one of the most, if not the most advanced sector in the country. And the level of investment from the FS-ISAC to the Systemic Analysis and Resilience Center, Sheltered Harbor, the investments that this industry has made are tremendous.

But I do think that there is more that we can do on both the industry side and on the Government side. I think in particular on the Government side there is a real need to look at how the Government can focus on its comparative advantage where it has capabilities that the private sector does not and leverage the comparative advantage of the private sector where the private sector has capabilities that the Government does not have. The Government can also focus on incentivizing good cybersecurity behavior, and we could talk about that in the Q&A.

And then, last, on the industry side, I think continuing to invest and having the industry figure out how the larger institutions can help the smaller institutions that do not have the same level of capability also make progress in their cybersecurity is a very necessary step.

So, with that, I will conclude my opening remarks. Thank you very much.

Chairman Crapo. Thank you, Mr. Daniel.

Mr. Venables.

STATEMENT OF PHIL VENABLES, CHIEF OPERATIONAL RISK OFFICER, GOLDMAN SACHS

Mr. Venables. Thank you. Chairman Crapo, Ranking Member Brown, and other Members of the Committee, thank you for this opportunity to testify at this hearing today.

As we all know, this is an increasingly important topic. A number of factors are contributing to increased risk across the financial services sector, and this is primarily due in many respects to the digitalization of finance and the globally interconnected nature of the system. The same trends that are increasing benefits of the global financial system are also bringing on these new and enhanced risks.

On threats, as Bill and Mike have described, we are seeing increased threats from organized criminal groups and nation states for various different motivations around the world, and it is also worth reminding ourselves that we are not just facing cybersecurity risks. We are also seeing many risks in relation to how technology is managed and provided, risks from resilience issues and software errors. And so while cybersecurity is tremendously important, it is also significant to focus on technology risk in general.

It is critical to have shared defenses across the sector so that all institutions, large and small, can learn from each other's best practices and so that threat information can be shared among firms, reducing the likelihood that attackers can execute their strategies without response.
We have a long history of robust information-sharing processes, and as Bill describes, the FS-ISAC is acknowledged as a preeminent example of such capability. We have established tighter coupling between the major firms using the Financial Systemic Analysis and Resilience Center, the so-called FS-ARC. And also under the Department of Treasury's leadership with various different initiatives through the Sector Coordinating Council, we have also increased sector-wide resilience, including formalized sector-wide drills and exercises that have spawned other initiatives, like Sheltered Harbor--an initiative to encourage and demand institutions maintain immutable data vaults to resist cyber attack. Turning our attention to regulators and regulation, we benefit from a number of strong regulators across the financial sector that stipulate cybersecurity and other controls that reduce the risk of major incidents. This includes regular examinations and reviews. We continue to support the need for harmonization across regulation, domestically and globally, and we commend the efforts to date from the industry and regulators and Government on the use of the NIST Cybersecurity Framework. Notwithstanding the strong relationship between the public and private sectors, we continue to focus on improvements here, particularly around metrics to make sure that we are able to quantify the value and timeliness of the information flow between the public sector and private sector. Despite all this coordination and response to cybersecurity threats, risk still remains, and we need to continue to be vigilant to adjust the defenses of individual firms and the sector as a whole by making sure we adopt innovative approaches to protecting customer data as well as making sure that we are protecting the services that we offer. The goal here is to reduce single points of failure and also single focal points of attack. 
Finally, I would recommend all organizations that operate critical public services or protect customer data adopt strong defenses and security programs based on a number of different approaches, specifically: Integrate cybersecurity into the fabric of organizations, from business risk management processes, strategy and product development to the foundation of how the technology is built and operated. Second, improving capabilities amongst people, processes, and technology. There needs to be continued emphasis on the embedding of controls into critical technology products and services. We need secure products, not just security products. We should also recognize that cybersecurity risk mitigation is not solely the responsibility of designated cybersecurity professionals but is, perhaps more importantly, in the domain of leadership, risk managers, and engineers at all levels of organizations. In other words, we need more security-minded people, not just security people. And, finally, design for defensibility. Our goal should be to design our technology and information processing environments to be more inherently defendable and resilient in the face of attacks, and we have to keep examining our global supply chains to look for security issues and avoid excess concentration risk in services and geographies. Thank you, Mr. Chairman, for allowing me to provide this input, and I look forward to taking questions as we go through the panel. Thank you. Chairman Crapo. Thank you. Mr. Kessler. STATEMENT OF CARL A. KESSLER III, SENIOR VICE PRESIDENT AND CHIEF INFORMATION OFFICER, FIRST MUTUAL HOLDING COMPANY Mr. Kessler. Chairman Crapo, Ranking Member Brown, and distinguished Members of the Committee, thank you for the opportunity to testify before you today. I will share the unique perspective of a front-line practitioner on the practical pros and cons of cybersecurity regulation, information sharing, and community bank collaboration. 
Two key regulatory changes have positively improved the approach of community banks in managing cybersecurity risks. In the wake of the Dodd-Frank Act reforms, supervision of our affiliate banks migrated from the OTS to the OCC. In the last few years, FFIEC established the Cybersecurity Assessment Tool, or CAT. These changes have led to an ongoing dialogue with regulators. The CAT provides a standard way to assess risk and provides guidelines for what controls might be appropriate. Highly trained examiners are critical. Because of the changing nature of the threat environment, an exam is never a static, check-the-box activity. It is always a dynamic conversation. My recommendation to this Committee is to ensure the consistent availability of highly trained IT examiners whose skills are in high demand in both the public and private sectors. Another consideration for this Committee is to ensure that similar cybersecurity rigor exists among nonbank financial services companies. How do we safeguard customer data at companies that are outside the oversight of prudential regulators? Community banks rely heavily on a network of third-party service providers. While we always maintain primary accountability for safeguarding customers' information, a significant portion of the risk lies with core processors, payments networks, and large providers. This concentration of financial services into a few providers creates both advantages and challenges. One challenge is that the current system relies on a high degree of blind trust in the service provider with limited transparency. We depend on our regulator to examine our service providers and identify patterns of compromise and ensure remediation. At the same time, law and regulation require us to monitor the effectiveness of our service provider's controls. This opaque approach runs contrary to best practices in vendor management. 
One solution might be to create a cybersecurity scorecard aggregating data from many sources, including regulatory reviews. This scorecard would impact vendor selections and create positive momentum toward control improvements. It is most critical that we have timely access to information sharing of active threats through public and private partnerships. The key for banks is that a comprehensive ecosystem of financial service providers shares threat information in real time to an entity qualified to analyze, verify, and then communicate it back digitally to our bank where we can use it to adapt our controls. We need our third-party providers to share cyber threat information quickly with industry partners like FS-ISAC, the goal being to respond in seconds or minutes rather than days or weeks. Timely information sharing is foundational to the industry's ability to combat a cyber threat. We cannot act on information we do not have. Important questions remain regarding if, when, and how businesses can share threats. There is still a great reluctance to share information. Liability, contract, and privacy concerns are the most often cited reasons. While customer notification and privacy laws are clearly needed, simplification and modernization of the relevant laws and regulations should enable information sharing. This is a good time to re-examine the effectiveness of cybersecurity law. Certainly, any solution must guard against shifting the liability to consumers from those who failed to protect their data. Our mutual holding company is faced every day with the challenges required to implement an information security program. We deliver that same program to our affiliate banks in a manner that they otherwise could not afford, design, or staff. In our three affiliations, we have preserved a local banking presence, improved security controls, and done so at a minimal marginal cost. This has proven a game changer for our affiliates.
In summary, the best way to protect consumers is to increase transparency and information sharing within the financial services cybersecurity ecosystem. This Committee could help move this forward by encouraging the transparency of the performance of third-party service providers. You can also help by passing legislation which further encourages information sharing so that active threats are identified and mitigated in minutes. Thank you for the opportunity to testify before you today. I stand ready to work with you in any way that I can to protect consumers and our financial system, and I look forward to answering your questions. Chairman Crapo. Thank you, Mr. Kessler. Mr. Sydow. STATEMENT OF BOB SYDOW, PRINCIPAL AND AMERICAS CYBERSECURITY LEADER, ERNST & YOUNG LLP Mr. Sydow. Thank you, Chairman Crapo, and thank you, Ranking Member Brown, for that kind introduction. The Reds need help. My name is Bob Sydow. I am Ernst & Young's (EY) Americas cybersecurity practice leader. I refer the Committee to my written testimony on details on my remarks. Cyber attacks are on the rise. No organization, large or small, public or private, is immune to the threat. Our clients face three significant challenges: emerging interconnected technologies drive fundamental transformations and create complex third-party ecosystems; the volume, velocity, and precision of attacks; and the shortage of cybersecurity resources and skilled professionals. EY works with clients across all sectors, and many should be commended for their efforts. In my experience, financial services, especially the largest banks, are considered best in class, not only in terms of organization and investment but also for leading engagement with stakeholders across the ecosystem. Large banks are accustomed to higher levels of regulatory scrutiny, and their third-party risk management programs tend to be more mature and robust. But challenges remain. 
Today financial institutions deal with third-, fourth-, and fifth-party risk. In addition to vendor risk, most institutions struggle to secure resources and talent. Experienced cyber professionals are in high demand. Often small firms turn to third-party providers to meet those needs. There is no one-size-fits-all solution, so I will focus on three areas where EY believes risks can be mitigated: corporate governance and risk management, the AICPA Cyber Reporting Framework, and policy solutions. Ultimately, the board is responsible for governing a company's risk appetite and providing credible challenge to management. By doing so, boards help protect investors and enhance the company's value and performance. Banks use a three-lines-of-defense risk management model. The larger ones are adopting this model for cyber. EY considers this a best practice. Increasingly, regulators, investors, and others want financial institutions to build cyber resiliency strategies into the three lines. Another challenge is understanding and communicating about a cyber program's efficacy. While NIST and others have developed implementation guidance, there has been no means to evaluate and report on program effectiveness. This distinction is subtle but significant. In response, the American Institute of CPAs recently developed the Cyber Risk Management Evaluation and Reporting Framework. This is voluntary and can provide stakeholders with reasonable assurance that the identification, mitigation, and response controls are in place. No framework can guarantee against a breach, but the AICPA cyber risk model can offer an independent, validated understanding of a company's systems, processes, and controls. Unfortunately, there is no single legislative, regulatory, or market solution that can guarantee against a cyber event. Bad actors are not constrained by regulatory, liability, or jurisdictional issues, let alone ethics.
Policymakers and the business community should work together to foster collaboration and improve intelligence sharing. We need flexible and harmonized policy solutions that recognize the dynamic challenge of cybersecurity and clarify conflicting directives. We need to balance the need for compliance with a need to manage cybersecurity and protect consumers. EY believes companies that engage in good-faith efforts, establish enterprise cyber risk management frameworks, and adopt best practices should be recognized, especially relative to liability and penalty measures. Finally, EY encourages Congress to support modernization of Government's cyber posture, to focus on developing solutions to address cyber workforce shortages, and to educate the public and help the country as a whole improve its cyber hygiene. EY's purpose is to build a better working world, and so I thank you for providing the firm an opportunity to share our views and expertise. I welcome your questions. Chairman Crapo. Thank you very much, Mr. Sydow. In the interest of time, I am going to go last, if there is time before I have to leave, and so I will turn first to Senator Brown. Senator Brown. Thank you, Mr. Chairman. Mr. Kessler, do you think the current baseline for protection of consumer information is adequate? Or would you like additional control over how your personal information is stored or used by financial institutions? Mr. Kessler. Well, I think we are all interested in knowing what is happening with our personal information. I am personally assured when I am able to receive real-time alerts of when that information is changed, when it is affected, and changes to my credit reports. I think that there are obviously opportunities to continue to share more information with our consumers in that respect. Senator Brown. 
And when there is a breach involving personally identifiable information, I assume you think it is important for a financial institution to quickly notify customers, giving them the ability to protect themselves by freezing or monitoring their credit file? Mr. Kessler. Certainly, we like to take--as a mutually owned community bank, we like to take all the necessary actions to protect our customers in a timely way. So, yes, we find it very important to notify the customers as soon as is practical after working with the necessary law enforcement officers. Senator Brown. Thank you. Mr. Sydow, many community bank IT services are provided through large third-party service providers. Talk about the economies of scale when it comes to cybersecurity that community banks benefit from by using large service providers. Mr. Sydow. Well, it is a matter of resource, Senator Brown. The larger organizations can afford the staff and recruit and retain the kind of talent that you need in a cybersecurity department and the focus that they can provide. They have the resources to buy the technologies and install and implement those that a smaller organization would not have. So if a smaller bank were to use those services, they have access to cybersecurity kind of resources that they would not have if they tried to do that in-house or on their own. Senator Brown. OK. Thank you. President Obama in 2009 established the position of White House Cybersecurity Coordinator to work straight cybersecurity efforts across all Government agencies. President Trump recently eliminated that position. That is the position Mr. Daniel held in the Obama administration. Will that help or harm Government's efforts to make the country and especially the financial system more resilient and stronger against cybersecurity threats? Are you concerned about that? Mr. Daniel. Well, yes, I am, Senator.
I think the reason that position was created was because, as a very new policy area, we need to drive better coordination across all the different parts of the Federal Government that have a role in cybersecurity, and so I believe that having a strong leadership at the White House level is a real necessity right now. Senator Brown. Do you know why he eliminated it? Mr. Daniel. I do not. I presume that they were looking for ways to streamline the bureaucracy on the NSC staff. At least that was the statement that was given. But I am not sure of the reasoning behind it. Senator Brown. OK. Thank you. Mr. Sydow, you talked about workplace shortages in my office this week and then in your testimony, and this is not really a question, but as evidenced by the look of this panel and, frankly, the look of most of us up here, as evidenced by the fact that, of the 30 largest banks in this country, there is a female CEO only at KeyBank in Cleveland. We do not really do a very good job in financial services and technology at bringing a more diverse workforce, one of the reasons, clearly, that we all face--that you and we face workforce shortages and attracting people, as Mr. Sydow pointed out. So I hope that we all pay more attention to STEM programs for women and for people of color. We will bring more qualified people in, give more opportunities, and, frankly, have more diverse perspectives in the way we all do our jobs. Thank you, Mr. Chairman. Chairman Crapo. Thank you. Senator Rounds. Senator Rounds. Thank you, Mr. Chairman. Mr. Daniel, I would like to more or less just visit with you for a little while, and I would love input from the others as well. I have the opportunity to serve as the Committee Chairman on a Subcommittee for the Department of Defense's cybersecurity. I am just curious. 
Along the same lines as Senator Brown has indicated, that there had just been a change in which we do not have anybody at the White House who is directly responsible for the cyber defense, I am just curious. You have had the opportunity to work at the Federal level. Now you are part of a nonprofit organization that represents a number of different financial institutions. In February of last year, the Department of Defense's Science Advisory Board put out both a classified and an unclassified version, not very long, 26, 27 pages, explaining the need for our country to have not only a strong--the ability to attribute where attacks from outside the country were coming into the country, but it also identified that we would not have the capability to keep people out of our critical infrastructure if they wanted to get in, both organized crime organizations but also other near peer competitors, nation states. Along with that, it indicated that for the next 10 years we would be at risk and that one of the best approaches we could do would be to make it very expensive for those organizations to get into our financial institutions--in fact, any of our critical infrastructure. But it also made the point that we had to have a very strong offensive capability as a deterrent, similar to a nuclear deterrent today. I would like to know, right now at the financial institutions level--and you work with a number of them--do you believe that we have a model in place today on a voluntary basis, which I am in favor of, but one in which we are at the same level across the different institutions that can then be protected almost in an umbrella-like position by Homeland Security capabilities, Department of Treasury capabilities, and then we will talk about DoD capabilities. But just your thoughts on that and how they connect with the Federal responsibilities. Mr. Daniel. Sure. 
So I think you are very right that if you look at our level of digital dependence, as I talked about, and particularly in the financial services industry, clearly cyber threats are a major problem that this industry has to be dealing with. I think when you look at the nature of the threats that they face, it is going to--anybody that tells you they can give you, as several of the panel members said, a guarantee that you will not have any cyber incidents at all, they are selling you snake oil. And what you can do, however, is manage that risk and drive that risk lower, and that requires cooperation between both the Government and the private sector in some ways that we are not completely used to in the physical world. And I think it requires bringing all of the capabilities to bear both from the private sector side and enabling good information sharing and coordination and collaboration on the private sector side, but also within the Government, between, as you mentioned, the Department of Treasury, Homeland Security, Defense, State, Justice, and in between the Government and the private sector. Senator Rounds. Let me bring this--because we are all going to be time limited today. Do you think the American public today thinks that with regard to their financial services, their assets, their checking accounts and so forth, do you think they believe that the Federal Government has a role to play in protecting those assets? Mr. Daniel. I think they do. Senator Rounds. Would it be fair to say that today Homeland Security has the ability to try and notify you and Homeland Security has the ability to try and assist in the defense? But with regard to going outside, if the attribution indicates that it is coming from outside, is it fair to say that Homeland Security does not have the ability to respond offensively to stop those attacks before they actually occur? Mr. Daniel. 
Well, I think that the ability to--it is a shared responsibility on the defensive side, and that is why I say that you have got to do that good integration across all of the different parts of the Federal Government that do have both the network defense mission and the offensive mission. Senator Rounds. Let me put it this way: If there had been an attack on an institution here and it was an attack--we have a bombing and so forth, everybody would assume that the Federal Government has the first role in protecting against that. Would it be fair to also say that when it comes to cyber attacks, we have a challenge in that we do not have the policy in place today to provide for that direct protection up front? Mr. Daniel. Well, I actually do not believe that it is possible for the Federal Government to provide that same kind of protection in cyberspace that it does in the physical world due to the way that cyberspace works. And I believe that it will always be a shared mission between the private sector and the Federal Government to achieve the level of protection that we need. Senator Rounds. Thank you. Mr. Chairman, my time has expired, but I think this is a very good meeting to start out that discussion. Thank you, sir. Chairman Crapo. Thank you. Senator Reed. Senator Reed. Thank you very much. Gentlemen, thank you for your excellent testimony. Also, let me as the ranking Democrat thank and commend Senator Rounds for his leadership on the Cybersecurity Subcommittee. Thanks, Mike. Senator Crapo, Senator Brown, thank you. This is a very important issue. One reason I think it is very important is that I have legislation, S. 536, the Cybersecurity Disclosure Act, bipartisan legislation with Senator McCain, Senator Collins, and Senator Warner, and it would simply require disclosure by public companies, which is the usual tradition of public companies, of whether they have a director who is a cyber expert or they have some other arrangement. 
We do not mandate what they do, but I think it is essential to have public companies particularly tell their shareholders and the markets what they are doing at the highest level when it comes to this issue of cybersecurity. And you have described all the different ramifications throughout your testimony. But I would like to just focus for a moment, if I could, with Mr. Daniel, and that is, Chairman Clayton was here a few weeks ago, Mr. Daniel, and he said: I think cybersecurity is an area where I have said previously I do not think there is enough disclosure in terms of whether there is oversight at the board level that has a comprehension for cybersecurity issues. That is something that investors should know, whether companies have thought about the issues, whether there is a particular expertise on the board or not, that is something companies should know. It is a very important part of operating a significant company. Any significant company has cyber risk issues. And my question would be: Do you agree with that sentiment? Mr. Daniel. Yes, I do. I think that the nature of cybersecurity right now is that we actually do need more disclosure. We have an information asymmetry, if you will, and it is hard for markets to operate efficiently when there is information asymmetry. So steps that the Government can take to enable more investors, the public, and others to have more information about how companies are tackling the cybersecurity problem I think is generally a good thing. Senator Reed. And just a quick follow-up. You have noticed, I would guess--I do not want to put words in your mouth-- variable sort of attention to these details. There are some companies that have very sophisticated individuals on the Board or arrangements. There are other companies that are essentially free riders. Is that true? Mr. Daniel. 
Well, I think that this is an area where companies are still learning how to address the issue, and some industries and companies have been way more forward-leaning than others. So I do think it is true that the capability across the board varies a lot. Senator Reed. Thank you. Mr. Sydow, again, thank you for your testimony. I was very struck with the comment: At Ernst & Young, we believe that boards must be educated about cybersecurity so that they are able to make appropriate decisions anchored in sound logic and data. By doing so, boards will not only be protecting shareholders, but they will be enhancing the company's value. And, interestingly enough, the Vice Chair of the Fed, Mr. Quarles, stated: The idea of having a board member with cyber expertise, when I have been on boards that had a board member with that kind of expertise, that is an extremely useful--that has not just been a nice thing to have. It has been extremely useful. So, again, the basic theme, does this make sense to have this disclosure provision so that boards have some expertise? Mr. Sydow. Senator Reed, thank you for the question. I have been in this role about 5 years, and I have gone to a lot of Board meetings, and I think there has been increasing importance placed on cybersecurity in those discussions, and often there is a challenge between the translation between the technical world and the business world at those meetings. And I think that is something that--a gap that needs to be closed. However, in my remarks I also said to you that there is a shortage of qualified cybersecurity professionals, especially the people that can make that translation. So as long as you have flexibility in that and allow the boards ways to get access to those kind of individuals, I think that makes sense. Senator Reed. Indeed, this legislation is not prescriptive. It is simply, ``Tell us what you are doing. 
In fact, tell your shareholders and the markets what you are doing,'' which I think makes a great deal of sense. One of the reasons, among many, as Ranking Member of the Armed Services Committee, we had the general officer in charge of TRANSCOM, all of our transportation assets, and in an international crisis, he would be responsible to move people by aircraft, by sea, all of our military personnel to get the mission done. And he just said, volunteered that he talked to cybersecurity officers and companies that have no dialogue with their directors. And I can assure you that if something happens, probably the first strike will not be a kinetic strike against the military. It will be a cyber strike against this infrastructure of movement, logistics, et cetera. So this is another reason why I think we really do have to have some legislation like we are proposing. So thank you all very much, gentlemen. Thank you, Mr. Chairman. Senator Brown. [Presiding.] Senator Heitkamp. Senator Heitkamp. Thank you, Ranking Member Brown, and thank you for having this hearing. I think it is critical that we have the ongoing conversation. A couple points to begin with. I think the American public has given up, and I think that there is a huge variance between understanding privacy and understanding cybersecurity. They are not the same thing. And, you know, so most Americans say, look, I no longer believe that I have privacy. I do not know that you can regulate this. I do not know that you can control this. But they definitely want cybersecurity. And so one of the things that I believe as a former law enforcement official is that, you know, you can have all the most sophisticated law enforcement equipment, surveillance equipment, but you have got to teach people to lock the door. You have got to teach people to lock their car. You have got to teach people to pay attention, maybe put some surveillance equipment of their own. 
And so I talk about cyber hygiene and the role that cyber hygiene should play either with employees, not just, you know, at that level of the people sitting on the board, but at every level being trained and understand the challenges, but also with membership or clients or patients, what role do they play? What role do vendors play? We all harken back to what happened with Target. The Target breach was related to a vendor and a back-door worm that came in. So how do we build better resiliency, cyber resiliency, within the community, writ large, within all users, so that they understand that there are simple things that they can do that will help protect the cyber system, protect our overall system, while we are looking for that iron dome--let us put it that way, that iron dome that is going to make what we do impenetrable--which, quite honestly, I am not convinced you are ever going to get an impenetrable iron dome. And I think that the fault lines are always going to be at that lower level. So someone, anyone on the panel who wants to take on the issue of cyber hygiene and what we should be doing here to encourage it, to educate, to move this issue of every user needs to be informed on how we protect ourselves from a cyber attack as a country as a whole, kind of a ``lock your door'' strategy. Mr. Venables. Thank you, Senator, for the question. I will go first, and then others can chip in. I think you raise an extremely important point. I think in many respects we need to focus on basic cyber hygiene to make sure the easy attacks cannot be successful so we can focus our energy on the most sophisticated attacks. And I think it is the responsibility of all companies not only to make sure their employees and their own infrastructure is protected, but also to educate those employees and to educate our customers. 
I think this is a partnership that we can do between Government and the private sector to educate everybody around what best practices they can do to adopt the right controls for---- Senator Heitkamp. I really do believe, as a former kind of customer protection/consumer protection advocate, that people want the tools. They want to understand how to do this. What can we do to provide easier accessible tools to lock the door? Mr. Nelson. Mr. Nelson. Yes, thank you. Just to give a plug for the multi-State ISAC, it is a State and local Government ISAC, and the October Cybersecurity Awareness Month, they produce every month a cybersecurity newsletter. It is white-labeled, so you can put it on your company's letterhead, give it all to your employees. It is a great effort. It has been going on for a couple years, and we all kind of get geared up for that month in October to educate consumers. So there are some efforts underway. It is a Government initiative, too, at the Federal level and the State level. Senator Heitkamp. Mr. Daniel? Mr. Daniel. Thank you, Senator. I also think that it is incumbent upon the industry, the cybersecurity industry, to make that cyber hygiene and the cybersecurity that you talk about as simple as possible for consumers to do. You know, for example, right now our guidance out to consumers is to have a 16-character password that is not any actual words in the English language, that has all sorts of---- Senator Heitkamp. And, you know, for a spreadsheet full of media passwords, they are all going to be different, like really? Mr. Daniel. Yes. And we need to get much better at enabling people to have very simple ways to do their cybersecurity. Sort of the analogy I use is that we make it very simple for people to use seat belts when you get in a car, and we do not expect you to answer questions about whether or not you want the antilock brakes to work.
And so I think we need to try to find the same, similar kinds of solutions and approaches in cybersecurity. Senator Heitkamp. What grade would you give us right now in terms of how protected we are in a cyber hygiene world? Mr. Daniel. Well, I think we are certainly better off than where we were, say, you know, 5 or 6 years ago. So we certainly have made a lot of improvements. The problem is the bad guys keep improving as well. So I think that we still have a long way to go. Senator Heitkamp. Just a couple more comments, if that is OK. Mr. Kessler. Certainly, educating all Americans, as you are suggesting, is important but a monumental task. We try to approach it by educating our internal employees not only how to properly handle customers' information but their own, and then we attempt to engage with our customers when there is an event. For example, I think where you are going is if somebody is willing to buy gift cards in order to pay the IRS, there is a problem there. And how can we communicate to folks that this is not something they should be doing? I like the notion of a Cyber Education Month, and one of my peers here suggested including cybersecurity education in curriculums in higher education and in other parts of our academic--our normal education, which I think is a really good idea. Thank you. Senator Brown. Senator Cortez Masto. Senator Cortez Masto. Thank you. Thank you also. This is such an important conversation, and we have been having this, I know, on various committees that I sit on. I appreciate the discussion today. Let me say, you know, about 10 years ago, I remember sitting with our Nevada Banking Association, and we were talking about how we guard against identity theft. Now, 10 years later, we have a proliferation of cyber threats and attacks that we had not even contemplated at that time. But I was struck, Mr. 
Daniel, by your comment to Senator Rounds that this cyber infrastructure is a little different and how we manage the enforcement and collectively address these issues. And it is not just Government's role to comment. It is everybody's role now to play a part in addressing the cyber infrastructure and protecting against cyber threats. And I think that is important for everybody to understand. That is the first time I have heard somebody say that. And it is. It is important because it goes back to this issue that we have been talking about. Everyone has a role in education. To me, education is the first step in prevention. But everybody has that role in education. Everybody has a role in the coordination and the information sharing. When I say everyone, from Government to the private sector, the consumer, everyone has a role, and the businesses as well. And then the workforce shortage that we have, that I have heard here as well, we can all play in this discussion. Let me follow up on a couple of comments that were made. One of them, Mr. Kessler, you talked about the need to pass legislation that encourages information sharing. Can you go into a little bit more about that and what you are talking about? Who is sharing the information? What type of information are you referring to? Mr. Kessler. Sure. Thank you very much. As a community bank and a smaller institution, we would benefit from a lot of what Mr. Daniel has already talked about in terms of the sharing of indicators of threat throughout the industry. So as another bank identifies something, they would share it, and we would automatically protect against that. There are challenges today, when I talk to my service providers and ask them are they participating with FS-ISAC, the answer is yes. Are they sharing threats in real time? 
I often get the answer no, and the cited reasons are they have confidentiality agreements with us, they have privacy requirements, all things that we all agree are absolutely valuable and essential, but at the same time, from my point of view, are preventing us from receiving some of that threat intelligence that would help us to further protect the customer's privacy.

Mr. Nelson. I would like to comment on that. I think one of the great things about the FS-ISAC is you can share anonymously on the portal, so I would encourage your third-party processor to get in touch with me, and we can work on that. We get legal objections all the time. A lot of times we first get involved in the FS-ISAC, you think, ``Oh, my name is going to be in the paper tomorrow if I share.'' Well, it does not happen. We have pretty good controls around that information. It is not shared with attribution. In fact, every time there is an attack, our members are sharing online real-time. In fact, I was visiting a CISO in Charlotte, North Carolina. You can guess which one. There are a couple big ones there. And I was meeting with him, and he had to leave to go into a special meeting for an attack that was occurring. I whip out my BlackBerry or at that time I guess it was my iPhone, looked at it, and there was the alert already. I did not say where it was coming from. I knew it was from him. So it was happening that fast while they were actually in a war room handling the attack. So it can occur. It is just getting the right people. And lawyering up is not the answer. The answer is talk to us, let us get involved in it, and it is a pretty good voluntary system. We get lots of members sharing information. We have other third-party processors that are sharing.

Senator Cortez Masto. Thank you. So I would be interested in knowing at the Federal level if there is legislation that actually needs to be introduced or if it is more just communication and working together.
I know my time is running out, but we are talking a lot of acronyms here as well. FS-ISAC, can you explain a little bit more what that is? And I recognize, I come from Nevada, I am not so sure we have that type of coordination. I know it is on the coasts, but I am not sure it is happening in every single State, or there is that collaboration.

Mr. Nelson. It is happening in every State. It is happening in 44 countries. We have 7,000 companies that are members now. It was interesting. In 2014, Senator Crapo mentioned that was the year of the data breach. It was also the year that the FFIEC, which is the regulatory agencies, the banking regulatory agencies, like the FDIC, OCC, even the National Credit Union Administration, and others, put out a policy statement saying you should share information if you are one of our regulated entities, and you need to belong to FS-ISAC. We affectionately----

Senator Cortez Masto. Which stands for and means?

Mr. Nelson. Financial Services Information Sharing and Analysis Center. And when that happened, we affectionately refer to that as the membership tsunami started. We had 2,200 companies join that year, and we have been growing ever since. When I started, we had 200 members in 2006, and it has just been hockey stick growth the last few years.

Senator Cortez Masto. Thank you. I know my time has run out. Thank you very much.

Senator Brown. Senator Jones.

Senator Jones. Thank you, Mr. Chairman. And thank you to all the witnesses for being here. I agree that all of a sudden everything that I am seeing up here, there is some element of cybersecurity. It does not matter what committee I am on. It touches everything. And I think you guys touched on this before I got here, and that is the cyber workforce and trying to keep pace with the demand. In Alabama, we have got Auburn University, which has got an incredible facility. Their cyber research center, University of Alabama in Huntsville, has one. And so we are doing our share down there.
But if you could, just expand a little bit on challenges that are being faced because so many industries are now competing for this workforce. And that is only going to grow, I believe. It is only going to grow. And so what can we do, what can the industry do? What are the challenges? Is there anything that we can look at in the Senate and the Congress to try to help with increasing the workforce for cybersecurity? I will just let you guys fight it out. Who wants to answer?

Mr. Venables. I can go first, Senator. I think it is a really interesting question because I think while the backdrop, we have to continue to encourage STEM education at all levels to feed a solid technology and engineering workforce for the Nation. I think also we have to not just focus on having trained and dedicated cybersecurity professionals, but thinking across all sectors from whether it is business risk management through to engineering through to product design, in making sure and encouraging in some way that every part of that, whether it is vocational training, academic training, professional qualifications, have an element of thinking about cybersecurity, privacy, and other aspects of technology risk and ethics about how we use technology. So I think while it would be very important to continue to focus on creating more cybersecurity professionals, I think most of us worry just as much about making sure that every part of our workforce, both private and public, is equipped with the skills to think about how to manage this risk as a core part of their job.

Senator Jones. That is good.

Mr. Sydow. Senator, the other thing I think we can do is expand the pool. Right now females only represent 9 percent of the cyber workforce, and we have the same issue across technology. We need to continue to encourage young ladies to join the profession. I know at EY we do several things, Girls That Code, other things to encourage organizations to get women into the workforce.
I think that would be helpful to expand the base.

Senator Jones. Right. We have done a pretty good job of that in the political world because they are all running for office this year. But I agree with you, that is incredibly important. You know, Bishop State, I was down there visiting a junior college recently, and Apple has a coding program that they are working on with the students down there. I would assume that cybersecurity is always going to be a part of that as well. So thank you. I do not know if anybody else has anything on that, but if not, I have got one more.

Mr. Daniel. Well, the only thing I would add, Senator, is that I also think that we need to diversify our thinking about what we mean about the cyber workforce. Just as in health care not everybody is trained up to the same level as a neurosurgeon specialist, we need to diversify our thinking about the levels of training and who does what in the workforce so that, again, we can also continue to expand that pool.

Senator Jones. Perfect. Thank you for those. Those were great answers. Thank you. I want to kind of follow up real briefly on something that I think Senator Reed kind of touched on as well, and that is the assessment of the risk, because I understand his bill to try to get more information into investors and the marketplace about cybersecurity at companies. But I am wondering if any of you think that those ought to be--you know, something about cybersecurity threats ought to be included in the risk. When a business or, in particular, for instance, a municipality is rated, bondholders often would look at a municipality, for instance, as to whether or not that bond is going to be safe because of cybersecurity. Is there a way that we should rate using cybersecurity as well?

Mr. Venables.
I think there is a number of existing disclosures that occur particularly for public companies as part of their regular filings and risk disclosures, and certainly all the requirements to disclose if major events, particularly material events, occur. I think there is also a lot of work in the industry where there is more and more public ratings of the outward appearance of various different companies, and certainly I think a lot of the big audit firms, as the gentleman from Ernst & Young mentioned, working with us on various different standards through the AICPA to be able to vet and independently assess the level of security and risk in those companies. I think it would be interesting to further explore how that could be married with other types of public disclosures so you get a full picture of the risk of organizations. I think it is certainly something there is a lot of activity on and probably is worth future consideration.

Senator Jones. Great. Well, thank you all very much. Thank you, Mr. Chairman.

Chairman Crapo. [Presiding.] Thank you. Senator Brown has one----

Senator Brown. Yeah, one question. It is really a yes or no question for Mr. Kessler. You talked about how important it is to notify your customers. Did Equifax share information with you about the breach in time to help your bank's customers?

Mr. Kessler. No.

Senator Brown. OK. Thanks.

Chairman Crapo. Senator Warner, just under the wire. You have got 5 minutes or less.

Senator Warner. Thank you, Mr. Chairman, for that gracious accommodation.

[Laughter.]

Chairman Crapo. We always appreciate you.

Senator Warner. Mr. Venables, we have a lot of legacy IT systems that are out there. Some of the systems are still Fortran and COBOL. You know, how do we make sure, as we do upgrades--and I understand the United Kingdom just went through a complete meltdown when they tried to--one of their banks tried to do an upgrade of their system.
How are we thinking through this issue as we think about 21st century cybersecurity when we have got the legacy IT systems in place?

Mr. Venables. Thank you, Senator. I think it is a fascinating question because one of the things in my testimony you are always keen to point out was cybersecurity is tremendously important but it is not the only technology risk society faces. We have multiple different risks, not least including how we continue to maintain and update legacy systems to make sure those are equally protected with all the new systems that we are building. One of the things that is interesting, I think particularly most financial institutions, but I think many other large corporations have pretty exacting standards for change management, software quality assurance, standards for how they apply preventative maintenance to systems to reduce exactly that type of major project and major IT migration risk. The other thing that I think is worth pointing out as well is while there is a tremendous amount of focus from the financial regulators on cybersecurity, there is also still an equivalent amount of focus on change management, software acquisition and development, testing assurance, major project risk management. In fact, there is a whole shelf full of FFIEC IT examination handbooks, and quite a large number of them are about project risk and major IT migration risk, and it is certainly something that I think all major financial institutions experience quite a lot of scrutiny over not just cyber, but also their IT project risk management standards.

Senator Warner. For a lot of these systems, the legacy systems, frankly, the original software vendor may not have continued to offer those systems, have not continued to upgrade them, so there are these huge vulnerabilities?

Mr. Venables.
I think part of the challenge, again, not just confined to the financial sector but across the world at large, is making sure you stay up to date within some reasonable window so that the older systems that may not be supported by vendors, you are not exposed to risks from those. So I think just like any other type of apparatus, you have to invest in preventative maintenance and upgrades to keep yourself within some window to manage that technology risk.

Senator Warner. Anyone can address this, but my concern is because of the interconnectivity of all of your systems, aren't you only as strong as your weakest link? If a single--if an institution does not keep up, doesn't that make the whole system vulnerable?

Mr. Venables. Well, not necessarily an individual institution, but certainly what we look at through the organizations we have set up, like the FS-ISAC and the FS-ARC, and also in work with the Department of Treasury and various other initiatives, we are exactly looking for those systemwide risks that could affect everybody that may be contributed by one or more elements of that, and so we are definitely focused on systemic risk.

Senator Warner. I think this is probably outside the scope of the whole hearing, but to me, when we do not have a single data breach notification requirement, when we have an Equifax making as gross an error as they did and no obligation to report, or even when Yahoo has hundreds of millions outside the financial system but that is not even reportable on a SEC filing, they do not think it was material enough, I do not see how these massive failures should not fall into at least the level of a material disclosure in terms of SEC filings. So what--and I think I am down to 47 seconds, the last question. Maybe I will leave it at that and just come back to you individually, because I would like to have gotten the more macro approach of how we are going to get at this. I just came from another intel brief, classified brief.
This problem is going to only exponentially grow, and I am not sure--one of the things I think particularly as we think about from both the hardware and software side, if we think about financial institutions, for example, that might be starting to purchase ZTE and Huawei equipment, you know, the vulnerabilities that we may be building into our systems because we--and this is more the intelligence community's responsibility--are not fully informing the financial sector and other sectors of some of what we now call classified problems that we have got to get out, is only going to get much, much worse. So my apologies for getting here late, to the Ranking Member, and my hope is I will have a chance to pursue some of these conversations with you individually. Yes, sir?

Mr. Nelson. Senator, I would like to comment. We at the FS-ISAC, we are an information-sharing body, and we have people embedded at a top secret level at the NCCIC, the National Cybersecurity Communications and Integration Center, at DHS. So we are seeing some of that, and when we get--when it is relevant, actionable for a community, we are sharing it. Also, FS-ARC is a subsidiary, and, Phil, you are involved in that. They are doing it at a much more systemic level to see if there is any systemic impact. So we have some of that in place. I think we could do more.

Senator Warner. My concern is, you know, virtually every mid-sized to larger financial institution around should have somebody that has got classified status and clearances because--and this is where I am trying to push on the intel side. The intel side has not been as forthcoming to the----

Mr. Nelson. We could use a little bit of help in getting more people classified quicker.

Senator Warner. Well, the fact that there is a 74,000-person backlog is insane, and that is a national security risk that----

Mr. Nelson. I agree.

Mr. Venables. Yeah, we would certainly support a much better clearance process to achieve that goal.

Senator Warner.
Right.

Senator Brown. [Presiding.] Thank you, Senator Warner. All of us, every Senator, can submit questions to you, and the questions are due Thursday, May 31st, a week, and please, each of you, if Senators do submit questions in writing, please respond to them as quickly as you can. This concludes the hearing. Thank you for being here today. The hearing is adjourned.

[Whereupon, at 10:43 a.m., the hearing was adjourned.]

[Prepared statements and responses to written questions supplied for the record follow:]

PREPARED STATEMENT OF CHAIRMAN MIKE CRAPO

Today, we will hear about cybersecurity in the financial sector. Today's witnesses come from a wide range of organizations, and can provide us with insight on the threats faced by and the preparedness of the financial sector when it comes to cyber.

Four years ago, this Committee held a similar hearing where I noted that a recently aired ``60 Minutes'' segment called 2014 ``the year of the data breach.'' Given the various data breaches over the past few years, most notably the Equifax data breach last year, I am not sure 2014 still holds that title.

As our society increases its reliance on technology and becomes accustomed to immediate access to information and services from companies, the risk of--and the potential damage caused by--data breaches continually increases. Americans are becoming more aware of the amount of information, including personally identifiable information or PII, that is stored by companies and there is a growing realization that this information can be stolen or misused.

The collection of PII by both the Government and private companies is something that has long troubled me. Many question how both use the data collected and how such data is secured and protected. The collection and use of PII will be a major focus of the Banking Committee moving forward, as there is broad-based interest on the Committee in examining this.
Today, we will hear from our witnesses regarding cybersecurity and about the risks to the financial services industry and its preparedness. We have heard from many regulators before this Committee about their focus on and oversight of cybersecurity and how it is critical to the operations of companies and our markets. This is especially true for companies in the financial services space.

The financial sector itself is a main target for hackers because, as many have said, ``that's where the money is.'' Banks are under constant attack every day. Because of this, they and other firms in the financial services industry have devoted substantial resources to protecting information systems, and the industry is widely viewed as one of the most advanced sectors in terms of prioritizing cybersecurity.

Today, I hope to learn more about: the risks to the financial services industry from cyberattacks and cyber threats; the work being done in the financial services industry to increase cyber readiness, combat cyberattacks, and increase resiliency; and what more needs to be done by the private sector and Government to help protect companies' and consumers' information.

It is critical that personal data is protected, consumer impact in the event of a breach is minimized, customers' ability to access credit and their assets is not harmed, and the financial sector is resilient enough to continue to function despite a cyber breach at a financial sector company.
______

PREPARED STATEMENT OF BILL NELSON
President and CEO, The Financial Services Information Sharing and Analysis Center (FS-ISAC)
May 24, 2018

Chairman Crapo, Ranking Member Brown and other Members of the Committee: Thank you for inviting me to testify at this hearing on ``Cybersecurity: Risks to Financial Services Industry and Its Preparedness.'' My name is Bill Nelson and I am President and CEO of the Financial Services Information Sharing and Analysis Center (FS-ISAC), as well as Chairman of the Global Resilience Federation (GRF) for cross-sector threat-intelligence sharing.

At your request, I will cover the following topics:

- Current cyber-risks and threats that the financial-services industry faces;
- Efforts by the financial-services industry that are already underway in order to increase cyber-readiness, combat cyber-attacks and strengthen the industry from cyberthreats; and
- Proposed additional measures by public and private sectors to better protect companies' and consumers' information.

Before I describe these, I want to provide background about the role the FS-ISAC plays in the financial sector.

Three key takeaways I would like to leave you with today:

- Despite a dynamic and ever-changing cyberthreat environment, the financial sector has invested heavily to protect the sector's assets and consumers' information from adversaries and cybercrime;
- The financial sector has collaborated effectively to enhance cyber-resilience; and
- The financial sector continues to benefit from strong public-private partnerships that enable cyberthreat intelligence to flow through the sector and improve sector detection, prevention, and response to cyberthreats and other risks.
FS-ISAC: Information Sharing to Fight Cybercrime

FS-ISAC's mission is to help assure the resilience and continuity of the global financial-services infrastructure and individual firms against acts that could significantly impact the sector's ability to provide services critical to the orderly function of the economy. As such, FS-ISAC stands front and center in the face of continued cyber-attacks against our sector. FS-ISAC shares real-time threat and vulnerability information, conducts coordinated contingency planning exercises, manages rapid-response communications for cyber- and physical events, conducts education and training programs, and fosters collaboration with and among other key sectors and Government agencies. Think of FS-ISAC as a ``virtual neighborhood watch,'' where financial institutions help keep an eye out for each other.

FS-ISAC was formed in 1999 in response to Presidential Decision Directive 63 (PDD 63) of 1998, which called for the public and private sectors to work together to address cyberthreats to the Nation's critical infrastructures. After the 9/11/2001 attacks, and in response to Homeland Security Presidential Directive 7 (and its 2013 successor, Presidential Policy Directive 21) and the Homeland Security Act, FS-ISAC expanded its role to encompass physical threats to the sector. FS-ISAC is a 501(c)(6) nonprofit organization and is funded by its member firms, sponsors and partners.

Rapid Growth Both Nationally and Globally

FS-ISAC has grown rapidly in recent years. Today, we have about 7,000 member organizations of all sizes, including commercial banks, credit unions, exchanges, brokerages and investment companies, insurance companies, payment processors and professionals, and trade associations.
We also maintain close ties with other financial-industry trade associations as well as select, trusted Community Emergency Response Teams (CERTs) and Computer Security Incident Response Teams (CSIRTs), law enforcement agencies, and other information-sharing initiatives around the world.

The FS-ISAC is based in Reston, VA. Because today's cybercriminal activities transcend country borders, the FS-ISAC has expanded globally and has active members in 44 countries. The FS-ISAC has over 100 employees and consultants in eight countries across five continents.

Financial Firms Respond to a Dynamic Threat Environment

In many respects, the current threat environment feels like an ``arms race,'' and the financial sector has done a lot to enhance its individual and collective capabilities. Each day, cyber-risk evolves as attacks increase in number, pace and complexity. The financial sector has invested significantly to detect, prevent and respond to cyberthreats and other risks. Our member firms constantly adapt to this changing threat environment.

At the same time, malicious cyber-actors, with increasing sophistication and persistence, continue to target the financial-services sector. These actors vary considerably, in terms of motivations and capabilities, from nation-states conducting corporate espionage or launching disruptive and even destructive attacks, to advanced cybercriminals seeking to steal money and hacktivists intent on making political statements. The financial sector (in addition to other critical-infrastructure sectors) is increasingly concerned about the possibility of attacks that could potentially undermine the integrity of critical data, or lead to the manipulation or destruction of data. This growing threat affects all institutions in our sector, regardless of size or type of financial institution (e.g., bank, credit union, insurer, payment processor or brokerage/investment firm).
Tactics Used by Adversaries and Criminals to Target Financial Firms

There are numerous tactics that malicious cyber-actors use to target institutions, including the following:

- Targeted spear-phishing campaigns, which are fraudulent emails that appear to be legitimate. These emails trick users into supplying sensitive information such as passwords that can result in the theft of online credentials and fraudulent transactions.
- Destructive malware attacks that impact the confidentiality, integrity and availability of data.
- Ransomware attacks, which involve malware that is downloaded and used to restrict access to an infected computer (often via encryption) until a ransom is paid (often in Bitcoin).
- Distributed-denial-of-service (DDoS) attacks, which can impede access to services for extended periods of time.
- Pretexting, which is built on a false narrative and establishment of trust to ultimately initiate unauthorized activity such as wire transfers. One form of this type of scheme is known as a ``business email compromise'' attack.
- Data breaches, which steal sensitive information including payment and account information.
- Supply chain threats.
- Insider threats.

Beyond Sharing: FS-ISAC and Financial Sector Resilience

Driven by the direction of our membership, FS-ISAC performs a number of key critical functions. We share threat and vulnerability information; conduct coordinated exercises; manage rapid-response communications for cyber- and physical events; produce education and training programs; and foster collaboration with other key sectors and Government agencies. We have greatly expanded our products and services to members. In particular, we have devoted a large number of resources to expand our services and tailor them to smaller financial institutions and their service providers.

1. Information Sharing

FS-ISAC enables its members to voluntarily and efficiently share real-time threat and vulnerability information for cyber- and physical incidents.
We deliver timely, relevant and actionable cyber- and physical threat information through email, web portal, telephone, and automated feed alerts from various trusted sources and our members. FS-ISAC maintains policies, procedures and controls to ensure that all threat information shared by members is properly gathered, stored, labeled and used in a manner that abides by related sharing agreements, privacy protections, circles of trust, member operating rules, regional requirements and governing laws.

FS-ISAC cooperates with members and partner organizations, including several public-private partnerships. These include facilitating information sharing from Government partners to the FS-ISAC community and assisting members in engaging Government and law enforcement members when required. For example, an FS-ISAC employee participates in the watch floor of the U.S. Department of Homeland Security's (DHS) National Cybersecurity and Communications Integration Center (NCCIC), playing an important role in our public-private sector information and analysis sharing.

The Basis for the Community: Circles of Trust

We support numerous ``circles of trust'' based on roles (e.g., chief information security officers, business continuity executives, payments professionals, compliance experts) and institutions (e.g., asset managers, broker dealers, clearing houses, community banks, credit unions, payment processors). We host regular threat-information sharing conference calls for members and invite subject matter experts to discuss the latest threats, vulnerabilities and incidents affecting critical infrastructure. We organize and coordinate numerous regional member meetings, roundtables, workshops and other forums that allow face-to-face exchange between members.

Our largest trust circle--the Community Institution and Association Council--includes thousands of community banks and credit unions that actively share information about threats, incidents and best practices.
Since 2014, over 4,500 community institutions have joined FS-ISAC. Within this Council, member discussions and participation increased 24 percent in 2017. In the last 12 months, the FS-ISAC's industry-focused webinars on numerous topics, including protections against fraud, threat-intelligence methods and cybersecurity tools, were attended by nearly 20,000 attendees.

In addition, FS-ISAC works with numerous national and State-based financial and payments organizations, including the American Bankers Association (ABA), Financial Services Roundtable (FSR), Credit Union National Association (CUNA), Independent Community Bankers of America (ICBA), National Automated Clearing House Association (NACHA) and Securities Industry & Financial Markets Association (SIFMA), as well as card payment associations, payment processors and State banking associations.

2. Creating and Invoking Playbooks for Incident Response

FS-ISAC maintains the financial-services sector's ``All Hazards Crisis Response Playbook,'' which outlines the processes and considerations for identifying and responding to significant threats or events. As an example of sector-wide collaboration, this playbook was developed in conjunction with many of our members and other industry associations. We also lead sector-level crisis-response coordination and manage the Critical Infrastructure Notification System (CINS) for emergency threat or incident notifications to members.

Reducing Fear, Uncertainty, Doubt Through Media Response

FS-ISAC seeks to reduce fear, uncertainty and doubt through sector-level responses on significant cyber- and physical events. The FS-ISAC Media Response Team was established in 2014, following highly visible cyberattacks that impacted the financial-services sector and other sectors like retail that were broadly reported in the press.
The Team's mission is to accurately assess the actual current and potential risk of cybersecurity events (as opposed to the potential media ``hype'' commonly seen) and leverage the FS-ISAC brand to properly respond to media activity using a fact-based approach. The team also strives to educate reporters and the public about cybersecurity and financial-sector practices, concepts, and terminology.

3. Always Ready: Cyber-Exercises and Incident Response

Exercises are a proactive step to practice plans, find and close gaps, and better protect systems and communities. FS-ISAC began conducting exercises in 2010 with the Cyber-Attack Against Payments Systems (CAPS) exercises. FS-ISAC has since added exercises, such as drills, to test the All-Hazards Crisis Response Playbook as well as regional exercises.

In 2014, we launched the ``Hamilton Series'' of exercises in collaboration with the U.S. Treasury Department and the Financial Services Sector Coordinating Council (FSSCC). These exercises simulate a variety of plausible cybersecurity incidents or attacks to better prepare the financial sector and the public sector for cyberattacks. They also aim to improve public- and private-sector policies, procedures and response capabilities. The ``Hamilton Series'' has included leaders from the U.S. Treasury Department, financial regulatory bodies, the Department of Homeland Security and law enforcement agencies. Starting in 2018, FS-ISAC added range-based cyber-exercises for more technical, hands-on-keyboard experiences to raise capability maturity levels and resiliency across the sector.

Collectively, these efforts build on the strong risk-management culture within the financial-services sector, in conjunction with extensive regulatory requirements. FS-ISAC has improved its ability to respond to major cyber- and physical events, including emergency member calls regarding new vulnerabilities and threats. The last call we had had over 3,000 participants.

4. Support for the FSSCC, Sheltered Harbor, FSARC, Regional Coalitions and Other Sectors

FS-ISAC supports several programs, either through direct funding or through subsidiary arrangements. These are outlined below.

Addressing Policy Issues: The Financial Services Sector Coordinating Council (FSSCC). The FSSCC was established in 2002 to coordinate the development of critical-infrastructure strategies and initiatives with its financial-services members, trade associations and other industry sectors. The FSSCC works with the public sector on policy issues concerning the resilience of the sector. Members include 70 financial trade associations, financial utilities and critical-infrastructure financial firms. FS-ISAC serves as the operational arm of FSSCC, providing operational support of FSSCC initiatives. The FS-ISAC and FSSCC have built and maintained relationships with the U.S. Treasury and Homeland Security Departments, all the Federal financial regulatory agencies (e.g., Federal Deposit Insurance Corp., Federal Reserve Board of Governors, Federal Reserve Banks, Office of the Comptroller of the Currency, Securities and Exchange Commission), and law enforcement agencies (e.g., Federal Bureau of Investigation, U.S. Secret Service). Many of these public-sector agencies are part of the FSSCC's public-sector counterpart, the Financial and Banking Information Infrastructure Committee (FBIIC), which is chaired by the U.S. Treasury Department.

An Extra Layer of Security for Consumer Accounts: Sheltered Harbor. Sheltered Harbor was established in 2016 as an LLC, operating under FS-ISAC's umbrella, to enhance the financial-services industry's resiliency capabilities in the event of a major disaster or event.
The concept for Sheltered Harbor arose in 2015 during a series of successful cybersecurity simulation exercises between public and private sectors known as the ``Hamilton Series.'' Sheltered Harbor is based on industry-established standards and the concept of mutual assistance. Should a financial institution be unable to recover from a cyber-attack in a timely fashion, firms that adhere to the Sheltered Harbor standards will enable customers to access their accounts and balances from another service provider or financial institution. Sheltered Harbor members access specifications for common data formats, secure storage (``data vaults'') and operating processes to store and restore data and receive a Sheltered Harbor acknowledgement of adherence to the specification. As of April 2018, Sheltered Harbor membership covers more than 69 percent of U.S. retail bank deposit accounts and 56 percent of U.S. retail brokerage client assets.

Systemic Risk Reduction: Financial Systemic Analysis and Resilience Center (FSARC)

The CEOs of eight U.S. Government designated critical infrastructure firms--Bank of America, BNY Mellon, Citigroup, Goldman Sachs, JPMorgan Chase, Morgan Stanley, State Street, and Wells Fargo--came together to proactively identify ways to enhance the resilience of critical infrastructure underpinning the U.S. financial system. The result was the creation of the FSARC as a subsidiary of the FS-ISAC. Shortly after the FSARC was founded, an additional eight financial institutions, including the key financial market utilities identified by the U.S. Department of Homeland Security as operators of essential critical infrastructure, joined the FSARC as member firms. The FSARC's mission is to proactively identify, analyze, assess and coordinate activities to mitigate systemic risk to the U.S. financial system from current and emerging cybersecurity threats.
This is accomplished through focused operations and enhanced collaboration between participating firms, industry and Government partners. Key FSARC functions include:
  1) Identifying operational risks associated with systemically relevant business processes, functions, and technologies underpinning the financial sector (collectively ``Identified Systemic Assets'');
  2) Developing resiliency plans to address those risks;
  3) Working with critical-infrastructure operators and the U.S. Department of Homeland Security, intelligence and defense communities to deliver strategic early warnings of attack on Identified Systemic Assets;
  4) Working with law enforcement agencies to disrupt sophisticated malicious actors that may pose a systemic risk to the sector over time or may be targeting Identified Systemic Assets.

Thinking Nationally, Acting Locally: Regional Coalitions

Financial institutions in more than a dozen areas participate in the ``FIRST'' (Fostering Industry Resilience and Security through Teamwork) movement through the formation of public-private partnerships focused on homeland security and emergency management issues with the public sector. Each coalition provides the opportunity for members to collaborate with one another and with Government at all levels about issues of resilience and security. FS-ISAC has established regional coalitions in the Northeast (Connecticut, Maine, Massachusetts, New Hampshire, New Jersey, New York, Rhode Island and Vermont), Mid-Atlantic (District of Columbia, Delaware, Maryland and Northern Virginia) and California (San Francisco, Fresno and Los Angeles). Through regional coalitions, FS-ISAC learns the ground truth about the local effects of crises, while the coalitions obtain national-level crisis and threat information from FS-ISAC. FS-ISAC also supports RPCfirst, an umbrella organization for all of the regional coalitions across the Nation.
Cross Sector Collaboration and Sharing

The FS-ISAC collaborates with other sectors, including the National Council of ISACs (NCI). Formed in 2003, the NCI today comprises 24 organizations designated as their sectors' information sharing and operational arms. Last year, the FS-ISAC spun off its Sector Services division into a new standalone, not-for-profit called the Global Resilience Federation. I serve as the chairman of GRF, which is an information-sharing hub and intelligence provider. GRF develops and distributes cyber-, physical and geo-political security information among not-for-profit ISACs, ISAOs, CERTs and other information sharing communities across vital sectors around the world. The company assists in the creation and operation of ISACs and ISAOs, or, if requested, support for the expansion of existing communities. This ``community of communities'' was founded by charter members--FS-ISAC, Legal Services Information Sharing and Analysis Organization (LS-ISAO) and Energy Analytic Security Exchange (EASE)--and has since been joined by National Health ISAC, Oil and Natural Gas ISAC, Multi-State ISAC, Retail Cyber Intelligence Sharing Center and National Retail Federation. As a cross-sector hub that also works with Government and industry partners, GRF facilitates and supports cross-sector intelligence sharing as well as collaboration.

Regulatory Requirements and Risk Management Culture

The financial sector has historically led the way in making substantial investments in not only security infrastructure and highly qualified experts to maintain the systems, but also in driving collaboration across industries and with the Government. Financial institutions recognize that customers trust them to protect their investments, their records and their information.
Individual financial institutions invest in personnel, infrastructure, services and top-of-the-line security solutions and protocols to protect their customers and themselves, and to respond to cyber-attacks. These investments protect the individual institutions and their customers, but on its own, an individual institution generally only has the ability to protect what is within its control. Financial institutions, however, are interconnected to each other, with other sectors and with the Government. This reliance on others gives the financial-services sector a unique and critical role in the cyber-landscape and requires coordinated action for the most effective response. Recognizing that the cyberthreat environment continues to expand in complexity and frequency, and that individual institution efforts alone will not be enough, executives from the financial-services sector have stepped up efforts to work together.

Cybersecurity Practices Often Burdened by Regulation and Supervisory Oversight

Financial institutions are subject to comprehensive regulations and supervisory requirements with respect to cybersecurity and the protection of sensitive customer information as well as business resiliency. For example, Title V of the Gramm-Leach-Bliley Act of 1999 (GLBA) directed regulators to establish standards for financial institutions to protect customer information. Pursuant to GLBA, regulators have imposed broad information security requirements for regulated financial institutions with strong enforcement authority.
In addition to issuing regulations almost two decades ago, the Federal financial regulators have issued extensive ``supervisory guidance'' through the Federal Financial Institutions Examination Council (FFIEC) that outlines the expectations and requirements for all aspects of information-security and technology-risk issues, including authentication, business continuity planning, payments and vendor management. Among the obligations to secure systems and protect data under GLBA and supervisory guidance, financial institutions must:
  Develop and maintain an effective information-security program tailored to the complexity of their operations;
  Conduct thorough assessments of the security risks to customer information systems;
  Oversee service providers with access to customer information, including requiring service providers to protect the security and confidentiality of information;
  Train staff to prepare and implement information-security programs;
  Test key controls, systems and procedures, and adjust key controls and security programs to reflect ongoing risk assessments;
  Safeguard the proper disposal of customer information; and
  Update systems and procedures by taking business changes into account.

Many Regulations and Standards with Which to Comply

Financial institutions must comply with cybersecurity requirements and guidance from numerous regulatory bodies depending on their charter and activities. What's more, depending on the type of financial institution, organizations may have additional compliance and nonregulatory standards; for example, institutions that handle payment information also are required to comply with nonregulatory standards, such as the Payment Card Industry Data Security Standard (PCI-DSS). This adds to the compliance burden of financial institutions, as well as that of merchants and other organizations that handle payment information.
Most recently, the FFIEC issued the Cybersecurity Assessment Tool (CAT)--an assessment tool designed to help smaller institutions, in particular, identify their risks and determine their cybersecurity preparedness. The CAT provides a repeatable and measurable process for financial institutions to measure their cybersecurity preparedness over time and aligns with NIST's Cybersecurity Framework. In 2016, the FS-ISAC and FSSCC leveraged the FFIEC's CAT to produce a ``crowd-sourced'' version that incorporated automation to assist financial institutions in utilizing the FFIEC document.

Recommendations to Further Protect Financial Institutions and Customers

Finally, you asked me to describe what more needs to be done by the private sector and the Government to help protect companies' and consumers' information. For many years the financial sector has been working diligently and collaboratively to make significant improvements in five major areas:
  Enhance Information Sharing
  Improve Strategic and Tactical Analytics
  Improve Crisis Management Response and Coordination
  Improve Core Components of the Cyber Eco-system through R&D
  Improve Executive Communication and Advocacy

The financial-services sector has made significant progress in all of these. In so doing, the financial sector has developed strong collaborative relationships with numerous Government agencies (including law enforcement, DHS, Treasury, and U.S. regulatory agencies). These efforts have enhanced the resiliency of the financial-services sector. We also have worked closely with other ``critical infrastructure'' sectors (e.g., telecommunications, energy) to enhance their capabilities and to address interdependencies. While we are making good progress, much more work needs to be done. The following are four major recommendations. Some of these recommendations were developed in collaboration with the Financial Services Sector Coordinating Council (FSSCC) and publicly released in early 2017.

1. Encourage Regulators to Harmonize Cyber-Regulatory Requirements

Given that financial institutions are subject to numerous regulatory and supervisory requirements with respect to cybersecurity, protection of sensitive customer information, business resiliency, penetration testing, vendor management, etc., there is little need for additional regulation in this space. Instead, there is a need to reduce the burden of implementing regulations for financial firms. What the sector most needs now is a focused and coordinated effort among State, Federal, and global regulators to harmonize regulatory requirements. In so doing, this is a good opportunity to leverage the National Institute of Standards and Technology (NIST) Cybersecurity Framework. While regulatory requirements are a powerful and effective way to ensure that financial institutions have adequate controls in place, a growing challenge facing large and global financial institutions today is the need for greater coordination and harmonization among the regulatory agencies, within the United States and globally. This will help financial firms keep pace with new threats, new financial business process models, and the necessary skillsets to evaluate the intersection of those two for security and resiliency purposes. A common refrain we hear from senior executives and practitioners in large and global firms is the need for regulators to harmonize regulatory requirements at both the policy and examination levels to reduce unnecessary regulatory compliance burdens and to better focus limited resources to mitigate cyber-risks. In addition, it would help if the U.S. Congress and Administration enacted a consistent and strong data protection and breach notification law across State and national platforms. Related to this recommendation to harmonize regulatory requirements, we also encourage Congress and regulatory rulemaking bodies to integrate cyber-risk assessment into the legislation and rulemaking processes.
Hence, Congress and regulatory rulemaking bodies should weigh the implications of concentrating sensitive data that will create new cyber-targets when evaluating potential legislation and rulemaking. The potential aggregation of personally identifiable information via the SEC Rule 613 Consolidated Audit Trail or retrieving highly sensitive penetration testing and vulnerability data on regulated institutions are examples of situations where care should be taken to avoid creating new risks and creative solutions should be sought collaboratively with industry.

2. Leverage Authorities in the Cybersecurity Information Sharing Act of 2015 (CISA) and USA Patriot Act of 2001 to Implement More Effective Information Sharing Programs

FS-ISAC and others in the financial sector supported the enactment of the Cybersecurity Information Sharing Act of 2015 (CISA). CISA encourages sharing for a cybersecurity purpose and includes incentives to entice entities to share information, including protection from liability claims, exemption from disclosure laws and regulatory use, and antitrust exemption. CISA enables sharing of information including: malicious reconnaissance, methods to defeat controls or exploit vulnerabilities, security vulnerabilities, malicious cyber-command and control, exfiltration of data and other attributes related to cyberthreats. Mandated by the Cybersecurity Act of 2015, the Department of Homeland Security (DHS) developed a system to automate the sharing of threat indicators on a machine-to-machine basis. This system is called Automated Indicator Sharing or AIS and was put into service in 2016; it is free to use. AIS leverages two internationally recognized standards for sharing: one is the data standard called Structured Threat Information eXpression (STIX) and the other is the delivery standard known as Trusted Automated eXchange of Indicator Information (TAXII).
Threat indicators include data like malicious IP addresses, email addresses associated with ransomware, phishing or social engineering attacks, known cybercriminal campaign information and much more. Representing its members, the FS-ISAC agreed to participate in the Automated Indicator Sharing (AIS) program on a trial basis in 2016. We have engaged in numerous collaborative technical discussions with DHS and Treasury concerning the AIS program over the past 2 years. FS-ISAC and member firms have provided direct and consistent feedback to DHS regarding the early implementations of the AIS program. This feedback includes the need for DHS to strongly structure vetting of AIS participants, the need to verify the integrity of data transmitted and received within AIS, and the importance of providing context around the information. DHS has indicated it has heard the financial sector's feedback and is taking steps to incorporate that feedback, and has recently committed to delivering on improvements that add context to indicators, include rated scoring of vetted sources, utilize the latest version of the STIX/TAXII standards, and give AIS recipients the ability to screen sources and receive data only from sources that each recipient approves. We also encourage our U.S. Government partners to improve response time and the quality of shared information and analysis and to prioritize essential ``lifeline'' sectors in planning and event response. Focus Federal resources to assist those sectors whose operation is fundamental to the national defense and economy, such as financial services, electric power, and telecommunications, to mitigate against cyberthreats and to help in recovery. Continued private-public collaboration is required to develop the list of cyber-defense capabilities that can be used to respond to a significant cyber-incident affecting the Nation's critical infrastructure.
Ensure that the relevant members of the lifeline sectors receive the appropriate security clearances. Also, seek improvements in sharing classified information, passing clearances and collaborating with the private sector in a classified environment. Together with the communications sector and the electricity subsector, FS-ISAC led the development of a playbook for lifeline sectors, completed earlier this year. We began drilling it during Cyber Storm and the National Level Exercise and plan a Hamilton Series tri-sector exercise for it in the fall. One of the next steps involves expanding the lifeline sectors for which it would be applicable. Another is ensuring that the tri-sector playbook connects with plans the Federal Government would use during a significant incident. The U.S. Departments of Treasury, Homeland Security and Energy have seen the playbook, though further Government socialization and coordination remains. In addition, we encourage the U.S. Government to invest further in financial services-supporting infrastructure and risk-based cyber R&D. To ensure strong investment in the cybersecurity and resiliency of key Federal organizations, processes and systems essential to the functioning of the financial services system, it's important for the U.S. Government to assign clear responsibilities and significantly increase resourcing for efforts to detect, analyze and mitigate cyber threats to the financial system. This includes a dedicated effort within the Intelligence Community and an operational-level contingency planning, indications/warnings, and exercises program. It's important to fund cybersecurity defense and R&D initiatives commensurate with the risk that cybersecurity threats pose to the Nation's security, including funding to identify risks and mitigation techniques for emerging Internet of Things (IoT) and quantum computing technologies.
Finally, we encourage the Financial Crimes Enforcement Network (FinCEN) to provide greater clarity on legal protections for financial institutions that want to share information in accordance with the USA Patriot Act. On November 30, 2016, FinCEN participated in an FS-ISAC-sponsored webinar about information sharing on suspected money laundering. This interaction helped anti-money laundering (AML)-regulated financial institutions better understand FinCEN's views of the potential risk mitigation opportunities available by sharing information about suspected money laundering under section 314(b) of the USA Patriot Act. Since the webinar, many of the financial institution executives who participated in the webinar, which was open to all AML-regulated financial institutions, have asked for written confirmation of the information that FinCEN officials provided verbally. Financial institutions indicated that written confirmation is necessary to encourage financial institutions to leverage the authority provided under section 314(b) of the USA Patriot Act. If FinCEN provides written guidance about what suspected money laundering and terrorist financing information can be shared with an association of approved financial associations under the USA Patriot Act Section 314(b), then financial institutions that are members of an approved 314(b) sharing information association would file Suspicious Activity Reports (SARs) with more actionable information. In turn, this might enhance the U.S. Government's efforts to investigate, extradite and prosecute transnational cyber criminals. FS-ISAC provided a list of six questions and our understanding of the answers to FinCEN on numerous occasions and is still waiting for a response. FS-ISAC would like to request that FinCEN publicize the answers so financial institutions can reference these answers.
This would provide financial institution executives with much needed assurances of FinCEN's views and thus encourage greater information sharing about suspected money laundering by financial institutions pursuant to section 314(b) and other U.S. laws that authorize the sharing of suspected money laundering and suspected terrorist financing.

3. Establish Cyber-Deterrence and Response Capabilities and Encourage Adoption of Global Cybernorms

The Congress and Administration should articulate how the U.S. Government will respond to certain types of attacks and how these actions might impact the financial-services sector and other critical infrastructure sectors. The U.S. Government should also increase efforts to extradite and prosecute cyber criminals. Attacks on the financial services industry and critical infrastructure should be considered a violation of an explicit global norm; violations of this norm should be pursued vigorously. The U.S. Government should also enable and expand cross-sector, real-time and actionable cyber threat information sharing and situational awareness. The U.S. Government should also continue to engage with the global community to develop and adopt international norms of behavior that discourage targeting of financial institutions and other critical-infrastructure sectors.

4. Support Efforts to Develop a Technology-Capable Workforce

The U.S. Government should partner with the private sector and academia to develop education and training programs to meet the business needs of today and tomorrow in addressing the significant shortage of cybersecurity professionals and the education system in producing enough skilled cybersecurity professionals.

CONCLUSION

The financial sector has made a significant investment in cybersecurity, risk reduction and resilience. However, threats, vulnerabilities and incidents affecting the sector continue to evolve.
Individual firms have responded by making significant investments in technology and risk reduction improvements at their respective companies. Collectively, the sector has made improvements in information sharing and made strides in focusing on systemic risk, mutual assistance, enhanced resiliency and consumer protection. While more needs to be done, including additional collaboration with Government and global partners, the financial sector is making good progress and on balance has invested heavily to protect the sector's assets and consumers' information from adversaries and cybercrime.

______

[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]

PREPARED STATEMENT OF PHIL VENABLES
Chief Operational Risk Officer, Goldman Sachs
May 24, 2018

Chairman Crapo, Ranking Member Brown, and other Members of the Committee, thank you for inviting me to testify at this hearing on Cybersecurity: Risks to Financial Services Industry and Its Preparedness. I appreciate the Committee's focus on such an important issue. My name is Phil Venables; I am the Chief Operational Risk Officer of Goldman Sachs. I have been with the firm for 18 years, and for my first 16 years at the firm I was Chief Information Security Officer before moving into a wider role in our Risk Division. Today, I am going to provide my perspective on the cyber-threats the financial sector faces, the broader technology risk landscape, the need for shared defenses and what can be done to keep improving the security and resilience of the financial system. A number of factors are contributing to increased inherent risk across the sector including, but not limited to, the increased digitalization of financial services and the globally interconnected nature of the financial system. The same trends that are increasing the benefits of a global financial system are also bringing on these new and enhanced risks.
First, on threats, it will probably come as no surprise that the financial sector, globally, is targeted by a wide range of cybersecurity threats including from organized criminal groups with financial motivation as well as nation states for a broad array of reasons. Additionally, it is worth reminding ourselves that cybersecurity is not the only risk to information or technology systems. Risks posed from software errors, misconfiguration, outages and other resiliency issues can also cause as much impact as cybersecurity events. It is critical to have shared defenses across the financial sector so that all institutions, large and small, can learn from each other's best practices and so that threat information can be shared among firms, reducing the likelihood attackers can execute their strategies without response. We have a long history of robust information-sharing processes, with the FS-ISAC acknowledged as a preeminent example of such capability. Additionally, we have established tighter coupling between systemically important institutions through the Financial Systemic Analysis and Resilience Center, the so-called FS-ARC. In addition, the sector's coordinating council under the Department of Treasury's leadership has proved instrumental in increasing sector resilience. Formalized sector-wide drills and exercises have spawned other initiatives, like Sheltered Harbor--an approach for firms to ensure the maintenance of immutable data vaults. Turning our attention to regulators and regulation, we benefit from a number of strong regulators across the financial sector that stipulate cybersecurity and other controls that reduce the risk of major incidents. This includes regular examinations and reviews. We continue to support the need for harmonization of regulation, domestically and globally, and we commend the efforts to date on the use of the NIST Cybersecurity Framework.
Additionally, we should be watchful for unintended detrimental consequences to cybersecurity from noncybersecurity legislation or regulation. Notwithstanding the strong relationship on this issue between the public and private sectors, we continue to examine ways to enhance coordination. For instance, there is room for improvement in the responsiveness to financial sector Requests for Information. The establishment of the DHS National Cybersecurity and Communications Integration Center (NCCIC) in 2009 created the ability to have financial sector representatives in a cleared, collaborative space working directly with partners from Government and other industries for common purpose. Collaboration, engagement, and responsiveness between and among DHS, other U.S. Government and industry partners continue to improve as relationships build and partners are better able to understand each other's information needs. We would propose that metrics be established between the Government and financial sector to quantify and validate the flow, value and timeliness of information shared between the financial sector and public sector to quantify the state of these relationships. Despite all this coordination and response to cybersecurity threats, risk still remains and we need to continue to be vigilant to adjust the defenses of individual firms and the sector as a whole by making sure we adopt innovative approaches to protecting customer data and services as well as designing for resilience to reduce single points of failure and single focal points of attack. Finally, I would recommend all organizations that operate critical public services or protect customer data adopt strong defenses and security programs based on, at a minimum, the following approaches:

1. Integrate cybersecurity into the fabric of organizations--from business risk management processes, strategy and product development to the foundation of how the technology is built and operated, including planning for resilience in the face of attacks. Sustaining cybersecurity is a first class business risk along with all other risks--beginning with the Board and executive leadership and through all levels of the enterprise.

2. Improve capabilities amongst people, process and technology. There needs to be continued emphasis on the embedding of controls into critical technology products and services: we need secure products, not just security products. We should recognize that cybersecurity risk mitigation is not solely the responsibility of designated cybersecurity professionals but is, perhaps more importantly, in the domain of leadership, risk managers and engineers at all levels of organizations. I would support a national program to embed cybersecurity training into all academic and professional training and qualifications: we need more security-minded people, not just more security people. I fully endorse efforts to deal with the shortage of trained cybersecurity professionals to help manage these risks, but I also note that there is a wider issue related to the productivity of the cybersecurity professionals we already have, and more needs to be done by Government and industry to improve tools, processes and the orchestration of defense across multiple platforms to get the most out of those people.

3. Design for defensibility. Our goal should be to design our technology and information processing environments to be more inherently defendable and resilient in the face of attacks, and we have to keep examining our global supply chains for security issues and excess concentration risk on specific services or geographies.

Thank you again, Mr. Chairman, for allowing me to provide this input into this important process, and we remain committed to assisting further as needed. I'm happy to answer any questions you or the other Members may have at this time.

______

PREPARED STATEMENT OF CARL A. KESSLER III
Senior Vice President & Chief Information Officer (CIO), First Mutual Holding Co.
May 24, 2018

Chairman Crapo, Ranking Member Brown and distinguished Members of the Committee, thank you for the opportunity to testify before you today. I am pleased that the Committee continues to place a focus on cybersecurity risks and their implications to the financial system, businesses, and consumers. As Chief Information Officer of a holding company comprised of several mutual community banks, I will share the unique perspective of community banks on cybersecurity regulation, information sharing, community bank collaboration and customer transparency.

Cybersecurity Regulation

Two key regulatory changes have positively improved the approach of community banks in managing cybersecurity risks. In the wake of the Dodd-Frank Act reforms, supervision of our affiliate banks migrated from the Office of Thrift Supervision (OTS) to the Office of the Comptroller of the Currency (OCC). The OCC has been consistent and adamant in raising all banks' readiness to address cybersecurity risks. Their outreach and guidance have yielded vast improvements in the cyber posture of community banks. In the last few years, the Federal Financial Institutions Examination Council (FFIEC) established the Cybersecurity Assessment Tool (CAT) for evaluating cyber controls in a uniform way among depository institutions. Both regulatory actions have created a firm, but fair, supervisory approach in responding to emerging threats. While some may question these changes on the grounds of cost and a ``one size fits all approach,'' it is indisputable that regulatory oversight protects both the banking system and the consumers.
We have found that the regulators apply the FFIEC CAT tool in a manner consistent with the risk a bank poses. I believe that cybersecurity defenses and monitoring systems are integral infrastructure investments akin to those community banks have traditionally made in physical security safety. I encourage this Committee to continue its work with prudential regulators on these important matters.

With respect to OCC supervision and the advent of the FFIEC CAT, I understand both the perspectives of regional banks and community banks, having served in leadership capacities in both. I am pleased regulators use the same information technology (IT) examiners and general framework at institutions of all sizes. These examiners possess a strong understanding of cybersecurity risks and the controls deployed to protect banks and consumers. For any institution there is an inherent baseline of risk and a set of fundamental controls needed to protect consumer information. The approach of using dedicated IT examiners and practices fosters continuous improvement in preventing and detecting cybersecurity threats at institutions of all sizes.

At the same time, this approach also leads to ongoing dialogue with regulators. How much risk does our community bank present? What is most critical for the protection of our bank, our customers and our financial system? How should cybersecurity investment dollars be deployed? The FFIEC CAT helps institutions frame these risk questions. First, it provides a standard way to assess how much inherent risk an institution generates. Second, the FFIEC CAT provides guidelines for what controls might be appropriate to mitigate those risks. After completing our holding company's assessment in 2015, we concluded that our existing information security program was well-aligned to the baseline expectations of the FFIEC CAT and, in fact, exceeded them.
Subsequent actions focused our cybersecurity investment strategy to attain compliance with our level of risk and to address new threats as they arise. Prudential regulation in conjunction with the FFIEC CAT is important to our bank's cyber readiness. Highly trained examiners are critical to administering the CAT. Because of the nature of the threat environment and the rapidly evolving domain of cybersecurity controls, an exam is never a static, check-the-box activity. It is always a dynamic conversation. My recommendation to this Committee is to ensure the consistent availability of highly trained IT examiners whose skills are in high demand in both the public and private sectors. Another consideration for the Committee is to ensure that similar cybersecurity rigor exists among nonbank financial services companies. How do we safeguard customer data at companies outside the oversight of prudential regulators?

Information Sharing

As the cyber threat landscape evolves, a critical enabler is timely access to information sharing of active threats with community banks, through public and private partnerships. To address the Committee's question of ``what more needs to be done by the private sector and Government to help protect companies' and consumers' information,'' we must first identify where the significant risks lie. According to the Independent Community Bankers of America (ICBA), 99.5 percent of all banks are community institutions, half of which have assets under $250 million.\1\ Almost all community banks do not operate an in-house transaction processing center. In other words, most community banks do not process customer transactions in their own data centers. They rely on a network of third-party service providers to deliver banking services. While maintaining primary accountability for safeguarding consumers' information, we rely on third-party providers including core processors, payments networks, and larger banks.
\1\ See ICBA Stats & Facts available at http://www.icba.org/go-local/why-go-local/stats-facts.

Only a few core processors provide IT services, such as customer transaction processing, mobile banking, and Bank Secrecy Act/Anti-money Laundering solutions. All banks interact through networks (ATM, debit card, and ACH) which are the backbone of the payments system. Some large banks provide processing for community banks through white labeled correspondent services. Although community banks represent the largest segment of banks in number, the risks associated with technology operations are aggregated in the data centers of just a few core processors,\2\ payments networks and large banks.

\2\ The top three core processors hold a 70 percent market-share although how much of that is conducted in their data center versus the banks' data centers is unclear. https://bankinnovation.net/2018/02/fiserv-has-largest-u-s-marketshare-of-top-bank-core-processors/.

Clearly, this concentration of IT services provides both advantages and challenges for managing community bank cybersecurity. The advantage is that through scale, the large service providers have more resources to address cyber threats. An additional benefit could also be realized if these providers acted transparently and shared cyber threat information with industry partnerships like the Financial Services Information Sharing and Analysis Center (FS-ISAC) and with their community bank clients. Core processors are active acquirers of technology companies and continually roll out new products.
Although a core processor's information security plan may be sound today, each new acquisition introduces its own risk\3\ into the environment. Thus, risk is constantly shifting within a core provider, and by extension to community banks and consumers.

\3\ In April, American Banker ran this story ``BankThink Banks are from Mars, fintechs are from Venus: Bridging the matchmaking gap'' by Terry Ammons which does a good job of representing the risks of a fintech acquisition; available at https://www.americanbanker.com/opinion/banks-are-from-mars-fintechs-are-from-venus-bridging-the-matchmaking-gap.

I know our core processor is reviewed regularly by the OCC and FFIEC. We have limited access to the results of these reviews. If a bank were in the center of a significant event like a contract renewal or if there were a security breach in the recent past, the bank can request additional information. Community banks also have access to third-party audits conducted on a core processor's controls. Such a report is limited and only communicates if a core processor's controls are deemed effective. The actual number of breaches is typically not disclosed. Thus, a community bank must trust that if there is a significant pattern of breaches, its regulator will ensure that the causes are identified and remediated. The only way to know if a breach has occurred is if the bank is directly impacted or if the breach is significant enough to result in a news story that names a bank that happens to use that same service provider. Although these third parties are the stewards of our customers' information, we have very little insight into their overall security performance.
In summary, law and regulation require banks to monitor closely the effectiveness of their service providers' controls related to cybersecurity and protecting nonpublic customer information. The current system relies on a high degree of blind trust in a service provider with limited transparency. This opaque approach runs contrary to best practices in information sharing and vendor management. To partially compensate for this lack of transparency, banks I manage use a third party to track the information security performance of critical providers. My desire is more transparency in how service providers protect our customer information. For example, one solution might be to create a cybersecurity scorecard aggregating data from many sources including regulatory reviews. Such an approach must be carefully weighed against a chilling effect on information sharing. This scorecard, properly executed by a trusted third party, would enable banks to make better choices as they select vendors and create positive momentum toward control improvements.

It is important to explain what ``information sharing'' and ``transparency'' mean to a community bank. The key for banks is that a comprehensive ecosystem of financial services providers shares threat information in real time to an entity qualified to analyze, verify, and communicate it immediately to a bank where it can be used to adapt its controls. FS-ISAC pioneered this kind of service and our bank was an early adopter. Upon validation of a threat by FS-ISAC, critical information such as the internet address of the attacker was automatically sent to our firewalls and blocked. This solution required our bank to set up a duplicative connection. Our ideal solution involves a close partnership between banks, our third-party service providers, a trusted third party and our security provider so that threats flow immediately to us via the existing mechanisms we have in place.
The goal is to respond in seconds or minutes rather than days or weeks. The most critical factor in thwarting a cyberattack is speed. The technology continues to improve as machine learning and artificial intelligence become more prevalent. The technology though cannot act on data it does not have. Important questions remain regarding if, when, and how businesses can share threat and/or breach information. In my conversations within the industry, there is still a great reluctance to share information. Liability, contract and privacy concerns are the most often cited reasons. I would suggest this is a good time to reexamine the effectiveness of cybersecurity law particularly as it affects information sharing. Timely information sharing is foundational to the industry's ability to combat a cyber threat. It may be worthwhile to require that service providers share threat and breach information with an authorized, trusted third party. In consideration for this sharing requirement, this Committee could consider expanding safe harbor liability provisions for third parties who meet certain strict requirements. This would clearly enhance consumer information protections.

Community Bank Collaboration

I would like to share a few unique and not-so-unique actions we have taken to help protect our customers. Established in 2015, our mutual holding company was founded on the belief that strong independent banks play a vital role in our communities. As Ohio's largest independent, depositor-owned entity, we are faced every day with the cost, complexity and capacity required to implement an effective information security program. We believe that our holding company model leverages these capabilities with our affiliate banks in a manner that they otherwise could not afford, design, or staff. In our three affiliations we have preserved a local banking presence, improved security controls and done so at a minimal marginal cost for the holding company.
This proves the cost savings for individual small banks is a game changer. We believe this is a real, practical example of the kind of collaboration envisioned by the OCC in their January 2015 paper ``An Opportunity for Community Banks: Working Together Collaboratively.''\4\

\4\ https://www.occ.treas.gov/publications/publications-by-type/other-publications-reports/pub-other-community-banks-working-collaborately.pdf.

Customer Transparency

Finally, when talking about transparency and information sharing, we tend to focus on companies and Government entities. In all instances however we need to put the consumer at the center of this discussion. We are encouraged by the ability of technology to empower our customers. For example, many of us receive real-time alerts regarding our debit cards or when our credit report changes. I know this hardly seems to address ``what more needs to be done,'' but keep in mind it's always about improving the speed at which we can detect and react to a threat. Giving consumers the tools and access to information makes us all safer. Transparency and information sharing with the consumer is paramount. A key challenge for banks is the complexity of customer notification and privacy laws that exist today. While clearly needed, the simplification and modernization of the relevant laws and regulations can enable information sharing and therefore enhance consumer protections. Certainly, any solution must guard against shifting the liability to consumers from those who failed to protect their data.
Conclusion

Key takeaways:

  - Continue supporting the regulatory review process and the FFIEC CAT
  - Encourage transparency regarding the effectiveness of the security programs of the third-party service providers in our financial system including nonbank entities
  - Review the effectiveness of current cybersecurity law with a focus on information sharing
  - Review how the existing complexity of customer information and privacy protections laws may be slowing down the exchange of critical threat information
  - Encourage community banks to collaborate
  - Engage and empower the customer as a valued part of the cybersecurity solution

The best way to protect consumers is to increase transparency and information sharing within the financial services cybersecurity ecosystem. This Committee can help move this forward by encouraging the transparency of the performance of third-party service providers. You can also help by passing legislation which further encourages information sharing so that active threats are identified and mitigated in minutes. Thank you for the opportunity to testify before you today. I stand ready to work with you in any way that I can to protect consumers and our financial system and look forward to answering your questions.

______

RESPONSES TO WRITTEN QUESTIONS OF THE SENATE BANKING COMMITTEE FROM BILL NELSON

Q.1. Mr. Nelson, in your written testimony you requested greater clarity on legal protections for financial institutions that want to share information in accordance with the Patriot Act. What clarity would you like to see?

A.1. Under section 314(b) of the USA Patriot Act, financial institutions may share information when there is suspicion of money laundering and terrorist activity. This authority provides financial institutions with an opportunity to reduce money laundering and terrorism financing. However, doing so necessarily involves sharing personally identifiable information, such as names and account information.
In the absence of specific legal guidance regarding the manner in which such information may be shared, banking attorneys have limited sharing to those instances in which money laundering or terrorist activity can be confirmed. It would be preferable to share such information earlier in the process, but liability concerns preclude it. For example, in the case of suspected money mule activity associated with business email compromise, banks have questioned FinCEN if payment information can be shared between approved financial institutions and an approved association of financial institutions under the safe harbor of section 314(b). FinCEN has responded verbally that this information can be shared and encouraged the sharing to provide more complete information in SAR filing. FinCEN has not provided written guidance to this question. Sharing the information in this example by a large network of FinCEN-approved financial institutions would reduce risk to the financial institutions and their customers. Federal law enforcement would benefit from more complete SAR filing information that will lead to more effective investigations and prosecution of cyber criminals.

Q.2.-Q.3. A year and a half ago, William and Margaret Frederick sold their home in Ohio so they could buy a home in Las Vegas, Nevada. The couple expected to make a $216,000 profit on the sale. But, their real estate agent read a hacked email supposedly from William--the fake email had three L's in Bill instead of two--and sent the profit to the hacker. William was 83 and Margaret 77. Someone stole the money they intended to live on in retirement. Real estate transaction fraud is a problem in Nevada and nationwide. Thieves wait for the right time to impersonate a bank or realtor and send you different wire transaction instructions. Estimates are as much as $400 million a year in losses.
What more can financial institutions do to prevent thieves from stealing people's down payments, earnest money and even the entire home payment if someone is buying a home for cash? Please identify the best practices for realtors, title agents and mortgage brokers? One way to protect consumers' information is to not collect it. For example, why should merchants of any sort, including doctors, insurance companies and utilities, require social security numbers as part of their information or data-set on their customers? Should we limit Social Security numbers provided to merchants?

A.2.-A.3. In this example, it appears that criminals, using money mules to launder the funds, stole the money. When banks discover this type of potentially criminal activity they are required to file Suspicious Activity Reports (SAR) with FinCEN. While banks want to share this suspicious activity within a network of FinCEN-approved financial institutions under the protections of section 314(b) of the USA Patriot Act, some banks are reluctant to share this suspicious activity because FinCEN has not provided written guidance. If banks had network intelligence about active money mule accounts in the Nevada case, the money transfer to the criminals may have been delayed and investigated by the bank staff. A bank investigation could then lead to the money transfer being stopped.

Closing attorneys, mortgage brokers and title companies should be encouraged to join an ISAC for their industry. Given that criminals change tactics regularly, it's helpful for communities to share information about these tactics and effective risk mitigation measures. This ``strength in sharing'' approach goes a long way in protecting the companies and their customers. In addition, collaboration with law enforcement agencies is also effective in educating the community and sharing tips.
For example, the FBI's Internet Crime Complaint Center (IC3) has published numerous publications, including this one in May 2017 on tactics for defending against business email compromise (BEC): https://www.ic3.gov/media/2017/170504.aspx. The recommendations below come from the IC3 report referenced in the link.

Businesses with an increased awareness and understanding of the Business Email Compromise (BEC) scams are more likely to recognize when they have been targeted by BEC fraudsters. Therefore, they are more likely to avoid falling victim and sending fraudulent payments. Businesses that deploy robust internal prevention techniques at all levels (especially for front line employees who may be the recipients of initial phishing attempts) have proven highly successful in recognizing and deflecting BEC attempts. Some financial institutions reported holding their customer requests for international wire transfers for an additional period of time to verify the legitimacy of the request.

The following list includes self-protection strategies:

  - Avoid free web-based email accounts: Establish a company domain name and use it to establish company email accounts in lieu of free, web-based accounts.
  - Be careful what you post to social media and company websites, especially job duties and descriptions, hierarchical information, and out-of-office details.
  - Be suspicious of requests for secrecy or pressure to take action quickly.
  - Consider additional IT and financial security procedures, including the implementation of a two-step verification process. For example:
      - Out-of-Band Communication: Establish other communication channels, such as telephone calls, to verify significant transactions. Arrange this two-factor authentication early in the relationship and outside the email environment to avoid interception by a hacker.
      - Digital Signatures: Entities on each side of a transaction should utilize digital signatures. This will not work with web-based email accounts.
        Additionally, some countries ban or limit the use of encryption.
  - Immediately report and delete unsolicited email (spam) from unknown parties. DO NOT open spam email, click on links in the email, or open attachments. These often contain malware that will give subjects access to your computer system.
  - Do not use the ``Reply'' option to respond to any business emails. Instead, use the ``Forward'' option and either type in the correct email address or select it from the email address book to ensure the intended recipient's correct email address is used.
  - Beware of sudden changes in business practices. For example, if a current business contact suddenly asks to be contacted via their personal email address when all previous official correspondence has been through company email, the request could be fraudulent. Always verify via other channels that you are still communicating with your legitimate business partner.
  - Create intrusion detection system rules that flag emails with extensions that are similar to company email. For example, a detection system for legitimate email of abc_company.com would flag fraudulent email from abc-company.com.
  - Register all company domains that are slightly different than the actual company domain.
  - Verify changes in vendor payment location by adding additional two-factor authentication, such as having a secondary sign-off by company personnel.
  - Confirm requests for transfers of funds. When using phone verification as part of two-factor authentication, use previously known numbers, not the numbers provided in the email request.
  - Know the habits of your customers, including the details of, reasons behind, and amount of payments.
  - Carefully scrutinize all email requests for transfers of funds to determine if the requests are out of the ordinary.

Q.4. What other sorts of information should financial institutions or others STOP collecting?

A.4.
Financial institutions collect information to identify individuals, assess credit worthiness and maintain security. This detailed collection of personal information is required by law and regulation. This personal information is required to be protected by the Gramm-Leach-Bliley Act of 1999 (GLBA) and the regulations issued by numerous financial regulatory agencies. Financial institutions are examined by bank regulators to determine if the information collected is adequate and appropriate. Regulatory examiners also review the security of this personal information in compliance with GLBA. Bank regulators may be more knowledgeable in answering the question, ``what information should banks stop collecting?''

Q.5. What are the pros and cons of a Federal data breach law?

A.5. I fully support handling data breaches in a manner that safeguards customer data, addresses breaches expeditiously, and properly involves law enforcement so as to bring bad actors to justice. One means of achieving this would be to create a Federal data breach law that would eliminate the possibility of a plethora of regulatory and/or State laws on the subject, some of which would prove inconsistent and contradictory in part. The current development of cybersecurity law is hindered by such problems, leading the financial sector to pursue efforts to harmonize such Federal and State laws. One concern with a Federal approach is its possible effect on smaller organizations, such as community banks and credit unions. A Federal law should not be tailored to the largest, global institutions, but should be flexible enough to apply to smaller entities without burdening them.

Q.6. How should Federal data breach laws coexist with other international laws?

A.6. Whether regulatory, State, Federal, or foreign, cybersecurity rules generally, and data breach laws specifically, should be reasonable, consistent, and harmonized.
Firms will increasingly be subjected to the laws of many nations in the growing global economy. We must do our best in this environment to facilitate the flow of commerce, while also protecting consumer data and responding appropriately and effectively to any breach of that data. In this situation, NIST may be able to play an important role.

Q.7. Firms that fail to secure their data pay substantial penalties. Hundreds of hackers go to prison. The woman [Paytsar Bkhchadzhyan] who hacked into Paris Hilton's accounts and stole her credit card information received a 5-year prison term. Taylor Huddleston (26) of Arkansas was sentenced to serve nearly 3 years for building and selling a remote access Trojan (NanoCore) to hackers. Can you give me some examples of fines, penalties and sentences for firms and individuals that engaged in cyber theft? Are these costs an appropriate deterrent?

A.7. Aleksandr Andreevich Panin and Hamza Bendelladj were sentenced to a combined 24 years and 6 months in prison for their roles in developing and distributing the SpyEye banking trojan, a powerful botnet similar to the ZeuS malware. Both hackers were charged with stealing hundreds of millions of dollars from banking institutions worldwide. The Department of Justice characterized SpyEye as a ``preeminent malware banking Trojan,'' which was used to infect over 50 million computers worldwide from 2010 to 2012, causing nearly $1 billion in financial losses to individuals and financial institutions globally. I support the sentences handed down in this case, which were justified and tailored to deter other hackers. However, the allure of stealing hundreds of millions of dollars while ensconced in safe havens from which arrest and conviction are unlikely render lengthy sentences, as well as fines, insufficient deterrents. The relative ease and low cost of cyber crime is unlikely to abate without greater cooperation among international law enforcement agencies.
Moreover, where nation states are involved, the Federal Government should play a greater role in deterrence and enforcement.

Q.8.-Q.10. Seventy-seven percent of cyber attacks come from the outside. Yet sometimes, figuring out who the hackers were is hard to figure out. Hackers can spoof evidence. They can embed other hackers' tools. How big of a problem is figuring out attribution for hacks? Are there ways we can enhance information sharing between industry and the Federal Government to enable more rapid detection and response to cyber attacks? What tools or resources would make it easier for financial institutions to correctly attribute cyber-attacks?

A.8.-A.10. Obfuscation techniques adopted by threat actors can inhibit timely and accurate attribution. Many cyber defenders can be more interested in learning threat actor tactics, techniques, and procedures which will help to detect anomalous activity than the threat actor origin. Attribution for the private sector can be most helpful, however, in identifying adversary intent. Armed with knowledge of intent, the financial sector can put additional monitors on systems. Furthermore, while the private sector is reliant on many sources of information, Government is uniquely situated to assess intent with the greatest credibility based on its intelligence sources and methods. Perhaps the most valuable way to alert the private sector about threat actor attribution and intent is through timely declassification of intelligence, or to provide requisite clearances and classified exchanges for industry professionals who can make security decisions within their organizations. Likewise, timely information on changes in known adversary methods and tools is also helpful in correctly attributing activity. Many financial institutions do not have the resources to independently attribute cyber activity and are reliant on timely Government releases or attribution provided by vendors.

Q.11.
In 2015, French-language TV station, TV5Monde was subjected to a significant cyber-attack which disrupted its broadcast for several hours by Fancy Bear. These are the same Russian government and military hackers that hacked the Democratic National Committee. Multiple television channels went dark. Social media channels run by the broadcasters began to spew ISIS propaganda. The attack was the work of Russian hackers which pretended to be ISIS. Russian government hackers also attacked the World Anti-Doping Agency, the power grid in Ukraine and the French electorate with another document dump. How significant is the threat to private businesses--from hostile foreign governments or terrorist organizations?

A.11. Nation-state-sponsored activity is a top concern of financial firms. While the majority of the financial sector most commonly sees criminal activity, the risk of impact posed by nation-state actors is much greater. Furthermore, cyber criminals typically seek to steal funds, but have a vested interest in keeping the financial infrastructure intact. Nation states could have more nefarious intentions to disrupt the functions of the financial system in an effort to impact the U.S. economy. Businesses are reliant on the integrity of third parties and other critical infrastructure dependencies--such as electricity, communications, water, etc.--in order to keep their businesses running. Nation-states have seemingly been the most interested threat actors in disrupting or destroying these functions, evidenced in part by NotPetya, WannaCry, and Shamoon attacks.

Q.12. Some of the lessons from that attack were documenting IT processes, restricting access to IT processes, and keeping communications separate from incident responses. What should businesses do now to prepare for a possible attack in the future?

A.12. Thoughtful and exercised incident response plans are encouraged for all financial institutions.
The plans should involve multiple offices within the organization including security, legal, communications, business resilience and executive leadership. Incident response plans can aid in more accurate and prompt information sharing, as well. Businesses should also focus on the security of their third-party suppliers and remain in an active dialogue about their security practices. The prevalence of third-party risks, such as digital supply chain attacks, has increased as attack surface expands through use of the cloud and online services. Such attacks can affect institutions of all kinds, even those with robust cybersecurity measures in place. As evidence, NotPetya was initially distributed via a compromised accounting software update from the provider's server and, separately, malicious actors leveraged compromised credentials and malware to corrupt another software provider's updates to distribute malicious data-stealing code. Further, a USG Technical Alert released this year shed light on ongoing campaigns affecting critical infrastructure sectors which compromised staging targets, such as third-party suppliers, with less secure networks to reach intended victims.

------

RESPONSE TO WRITTEN QUESTION OF SENATOR JACK REED FROM MICHAEL DANIEL

Q.1. In your written testimony, you stated that: the Government can facilitate disclosure of information that can help customers, clients, shareholders, and other relevant parties take appropriate defensive actions, better assess risk, and advocate for improved security. Examples of such requirements could include data breach reporting, information about material cybersecurity risks on financial statements, and public acknowledgements about how a publicly traded company is assessing and managing its cyber risk, particularly at the board of directors' level.
Such disclosures do not assist criminals or other bad actors--they already know where the weaknesses are; instead these requirements allow market forces to operate more efficiently. Could you please go into greater detail about how cybersecurity disclosure would allow market forces to operate more efficiently?

A.1. Right now, consumers often lack information about a product or service's cybersecurity. As a result, they cannot factor that information into a purchasing decision. Just as with disclosing calorie counts in food products, if consumers had more access to information they could use that information to make better choices. And if some consumers began to discriminate among products or services based in part on their cybersecurity, then producers and suppliers would have an incentive to create more secure outputs.

------

RESPONSE TO WRITTEN QUESTION OF SENATOR MARK WARNER FROM MICHAEL DANIEL

Q.1. Is verifying that financial institutions have an internal cybersecurity audit function or an independent third-party assessment sufficient, or should financial regulators develop their own view of the cybersecurity posture of supervised entities in addition to requiring independent third-party assessment? Are you and others in the industry seeing an uptick in interest from regulators in cyber risk? What issues do regulators focus on in their examinations? What do you believe is the appropriate role of the financial regulators in assessing the cybersecurity of institutions they regulate?

A.1. I believe that regulators should largely rely on third-party assessments, rather than trying to develop the capability in-house to conduct reviews at the scale required for our financial sector. That said, financial regulators should have staff capable of interpreting those assessments and determining whether the assessment demonstrates that the institution is meeting its requirements.
I cannot speak to what financial regulators focus on in their examinations, but I can suggest the Committee explore the oversight and examination material of the financial regulatory agencies and bodies such as the Federal Financial Institutions Examination Council. The key issue is whether the institution is appropriately considering systemic risk as well as the immediate risk to the company in managing its cybersecurity. Institutions have an incentive to ensure that they can conduct business, maintain customers, and preserve their reputation. However, the incentives are not strong enough on their own for the institution to invest in cybersecurity that in turn helps drive down risk across the sector (and therefore to the broader economy) as a whole. That's where--systemic risk to the broader sector and economy--the Government regulators should focus.

------

RESPONSES TO WRITTEN QUESTIONS OF SENATOR CORTEZ MASTO FROM MICHAEL DANIEL

A year and a half ago, William and Margaret Frederick sold their home in Ohio so they could buy a home in Las Vegas, Nevada. The couple expected to make a $216,000 profit on the sale. But their real estate agent read a hacked email supposedly from William--the fake email had three L's in Bill instead of two--and sent the profit to the hacker. William was 83 and Margaret 77. Someone stole the money they intended to live on in retirement. Real estate transaction fraud is a problem in Nevada and nationwide. Thieves wait for the right time to impersonate a bank or realtor and send you different wire transaction instructions. Estimates are as much as $400 million a year in losses.

Q.1. What more can financial institutions do to prevent thieves from stealing people's down payments, earnest money and even the entire home payment if someone is buying a home for cash? Please identify the best practices for realtors, title agents and mortgage brokers.

A.1.
Although the Internet often makes fraud easier to perpetrate, the best practices to combat cyber-enabled fraud are often the same as in other domains. I would point to references like the Federal Trade Commission, the Financial Crimes Enforcement Network, the Federal Bureau of Investigation--Financial Institution Fraud division, the Financial Services Information Sharing and Analysis Center, and similar organizations that lay out best practices to combat fraud.

One way to protect consumers' information is to not collect it. For example, why should merchants of any sort, including doctors, insurance companies and utilities, require social security numbers as part of their information or data-set on their customers? Should we limit Social Security numbers provided to merchants?

- What other sorts of information should financial institutions or others STOP collecting?
- State and International Laws Relating to Cybersecurity
- What are the pros and cons of a Federal data breach law?
- How should Federal data breach laws coexist with other international laws?

A.2. The first step in managing cyber risk more effectively is understanding your information environment: what information does your organization hold and why is it holding it? An organization should only hold and manage information for which there is a legitimate business purpose, and it should only hold that information for as long as needed for the business purpose (or according to law, if the organization has legal obligations for data retention). Thinking through these questions will enable an organization to determine what information it really needs to collect and store, and then how long it needs to retain that information. In terms of digital identity and how best to conduct identity proofing without relying on social security numbers, I would recommend that the Committee look at research being done related to digital verification processes in cyberspace.
Some examples of this work and related suggestions can be found at the National Strategy for Trusted Identities in Cyberspace (NSTIC) and the Better Identity Center here in Washington, DC.

Q.3. Firms that fail to secure their data pay substantial penalties. Hundreds of hackers go to prison. The woman [Paytsar Bkhchadzhyan] who hacked into Paris Hilton's accounts and stole her credit card information received a 5-year prison term. Taylor Huddleston (26) of Arkansas was sentenced to serve nearly 3 years for building and selling a remote access Trojan (NanoCore) to hackers. Can you give me some examples of fines, penalties and sentences for firms and individuals that engaged in cyber theft? Are these costs an appropriate deterrent?

A.3. This specific question falls outside my area of expertise. However, measuring deterrence is always challenging, whether in the physical world or in cyberspace.

Q.4.a. Seventy-seven percent of cyber attacks come from the outside. Yet sometimes, figuring out who the hackers were is hard. Hackers can spoof evidence. They can embed other hackers' tools. How big of a problem is figuring out attribution for hacks? Are there ways we can enhance information sharing between industry and the Federal Government to enable more rapid detection and response to cyber attacks?

A.4.a. Attribution remains a challenging endeavor for multiple reasons. First, attribution involves combining technical capabilities, data from a number of victims, and considerable time. While the U.S. Government and cybersecurity companies have improved their attribution capabilities significantly, even these organizations have to invest considerable resources into this work. Second, even if cybersecurity companies can attribute malicious activity to a particular group or adversary, taking the next step of tying that attribution to an individual in the real world is even harder.

Q.4.b.
What tools or resources would make it easier for financial institutions to correctly attribute cyber-attacks?

A.4.b. We can definitely improve information sharing between the Federal Government and the private sector. In particular, we need to build the technical mechanisms, the business processes, and the legal understandings to enable this exchange to occur at both machine speed and at human speed. Financial institutions may not be able to attribute most malicious activity on their own, and it may not be in their best interest to do so. However, they can provide forensic and other data that can help organizations, such as threat researchers and Government agencies, that can make the attribution.

Q.5. In 2015, French-language TV station TV5Monde was subjected to a significant cyber-attack by Fancy Bear which disrupted its broadcast for several hours. These are the same Russian government and military hackers that hacked the Democratic National Committee. Multiple television channels went dark. Social media channels run by the broadcasters began to spew ISIS propaganda. The attack was the work of Russian hackers which pretended to be ISIS. Russian government hackers also attacked the World Anti-Doping Agency, the power grid in Ukraine and the French electorate with another document dump. How significant is the threat to private businesses--from hostile foreign governments or terrorist organizations?

A.5. Criminal actors conduct the overwhelming majority of malicious activity online and, as a result, are the primary cybersecurity threat to most businesses. However, the threat from nation-state actors is very real and organizations should take it seriously. Fortunately, the best practices that work against criminal organizations can also impede nation-state actors. Therefore, companies should focus on implementing cybersecurity best practices, regardless of the adversaries they face. The threat from most terrorist organizations remains fairly nascent.
Terrorist groups are effective at using the Internet as a recruiting platform, but their ability to use it to carry out operations remains limited. Some groups attempt to hack into companies to expose private information, but few have the capability to do more than that right now. However, given terrorists' high motivation to cause damage, if a nation-state decided to supply a terrorist organization with malware or other tools, that group's capability to cause harm could grow rapidly.

Q.6. Some of the lessons from that attack were documenting IT processes, restricting access to IT processes, and keeping communications separate from incident responses. What should businesses do now to prepare for a possible attack in the future?

A.6. All organizations should adopt a holistic risk management approach, and that should include managing their cyber risk. Best practices for managing cyber risk have been promulgated in the Cybersecurity Framework published by the National Institute of Standards and Technology in collaboration with the private sector and other Government agencies. Such an approach can guide an organization to understand its information assets and business processes; invest in more effective protections; have a capability to detect when malicious activity is occurring; develop an incident response plan for when bad events occur; and create a plan for restoring business operations as soon as possible. Adopting a holistic approach is the most effective way a company can prepare for malicious cyber activity.

------

RESPONSES TO WRITTEN QUESTIONS OF SENATOR WARNER FROM PHIL VENABLES

Q.1. How do banks--much less regulators--evaluate and manage risk of IT environments that combine not only third-party software and products, but also decades-old legacy IT?

A.1. Third-party software and hardware risk is an ongoing challenge requiring institutions to have clear policies and practices to manage the risk of third-party products in the environment.
In more sophisticated organizations a risk assessment, code analysis and operational penetration testing may be conducted to ensure any critical and externally facing applications and platforms are appropriately hardened. Legacy IT infrastructure risk is a challenge facing many medium-to-large organizations. Most financial institutions have been required by Federal regulators to conduct an appropriate risk analysis of their IT environment to identify that infrastructure which is not able to have software patches applied to address current vulnerabilities and threats. Sophisticated organizations prioritize protection and remediation of these legacy environments based on the relative risk of the platforms and technology. Externally facing systems are generally the priority for remediation, and Federal regulators will generally require evidence of an appropriate ongoing vulnerability management and vulnerability scanning program to ensure that high-risk vulnerabilities are adequately being managed. Effectively managing third-party and legacy infrastructure risk is predicated on the organization having up-to-date inventories of hardware and software and understanding the associated risks. This can be challenging in large, global organizations and requires significant and ongoing discipline with appropriate policies and practices to ensure consistency.

Q.2. Could the kind of meltdown we're seeing in the United Kingdom with TSB Bank happen in the United States as a result of an IT migration?

A.2. Public reporting on the TSB Bank incident indicates the issue was caused by a variety of failures in the organization's testing, change management, migration, communications and regulatory engagement processes. The migration of such a large volume of customers (5.2 million) in one activity is a significant risk.
There is no public information available as to what testing took place behind the scenes prior to the upgrade and what processes failed in the transition, so our ability to assess what went wrong in the migration is extremely limited. Media reporting also indicates TSB, and parent company Banco Sabadell, declined assistance from Lloyd's early in the migration crisis. Sound change management policies and practices, exercised and comprehensively tested using a phased migration approach, are clear recommendations for any complex or significant migration or upgrade. For significant changes and migrations it is recommended to have a prepositioned communications plan supporting clear and transparent customer and regulatory notification should issues be encountered.

------

RESPONSES TO WRITTEN QUESTIONS OF SENATOR CORTEZ MASTO FROM PHIL VENABLES

Q.1. What more can financial institutions do to prevent thieves from stealing people's down payments, earnest money and even the entire home payment if someone is buying a home for cash? Please identify the best practices for realtors, title agents and mortgage brokers.

A.1. Fannie Mae and Freddie Mac provide comprehensive resources including fraud mitigation best practices to provide guidance for all entities in the mortgage transaction flow.

https://www.fanniemae.com/singlefamily/mortgage-fraud-prevention
http://www.freddiemac.com/singlefamily/fraud.html
http://www.freddiemac.com/singlefamily/pdf/fraudprevention_practices.pdf

Small- to medium-sized organizations supporting mortgage services should review and follow cybersecurity best practices, such as those offered by the ``Staysafeonline'' website maintained by the National Cybersecurity Alliance, in order to provide appropriate protection for the personal identifying and bank account information they collect.
Public reporting indicates some mortgage brokers and smaller organizations may be utilizing public email services for transacting business that, if compromised, could allow identity theft and fraud. Businesses should conduct a security review of their email accounts based on the provider's recommendations and implement the appropriate enhanced security offerings for these email services.

https://staysafeonline.org/cybersecure-business/
https://landing.google.com/advancedprotection/
https://help.yahoo.com/kb/SLN5013.html

Fannie Mae and Freddie Mac further offer recommendations for consumers around red flags that may be indicative of fraud during mortgage transactions. One significant indicator of attempted wire transfer fraud may be an unexpected email indicating a late change to the payee/beneficiary account information prior to an upcoming funds transfer. The safest course for consumers is to not trust any wire transfer instructions received via email and to validate all financial details via phone call to a confirmed number that was not provided in any email communications.

https://www.fanniemae.com/content/news/mortgage-fraud-news-0116.pdf
https://www.fanniemae.com/content/tool/mortgage-fraud-prevention-consumers.pdf
http://www.freddiemac.com/singlefamily/fraud.html
http://www.freddiemac.com/perspectives/robb_hagberg/20170612_combating_mortgage_fraud.html

Q.2. What other sorts of information should financial institutions or others STOP collecting?

A.2. We support the adoption of the principle of ``data minimization'' under which a business should collect and process only such personal information as is necessary for it to achieve the task at hand, whether that be servicing the customer, complying with its own legal or regulatory obligations, or pursuing some other legitimate purpose.

Q.3. State and International Laws Relating to Cybersecurity

A.3.
To date, most States have avoided the imposition of detailed, prescriptive requirements as to the safeguarding of personal and business related information, opting instead for a high level, and more flexible, approach of requiring businesses to implement and maintain ``reasonable security procedures and practices'' appropriate to the nature of the information processed, the type of activities conducted, the size and complexity of the organization, etc. Notable exceptions to this general rule are Massachusetts, Nevada and, more recently and only as to organizations under its supervision, New York State's Department of Financial Services.

In general, the ``data protection'' laws outside of the United States are principles based, particularly as it relates to security controls. Although an obligation to maintain the security of personal data is one of these principles, most countries have, like the majority of our States, taken a flexible approach. These laws generally do not impose prescriptive safeguarding obligations and instead take the approach of imposing an obligation to implement ``appropriate technical and organizational measures'' to protect personal data. This approach is reflected in the E.U. General Data Protection Regulation which took effect late last month. Laws focusing on the protection of information other than personal data or on cybersecurity measures more generally have been less common. That trend changed, as to Europe at least, in 2016 with the adoption of the Network and Information Security Directive which was required to be implemented by E.U. Member States on or before May 9, 2018. The Directive is the first EU-wide piece of legislation concerning cybersecurity.

Q.4. What are the pros and cons of a Federal data breach law?

A.4. The main and very significant benefits of a Federal data breach notification law are consistency and efficiency.
Although the State laws on this point share many similarities, there is enough divergence in the underlying requirements to make responding to an incident having a multi-State impact very challenging. Analysis of these differences across State laws and their application to the specific facts of each incident is time consuming and can result in unnecessary delay in notifying impacted individuals. A single requirement at the Federal level would promote consistency. Assuming a breach notification regime is to be required, there is very little downside in having this imposed at the Federal, rather than at the State, level.

Q.5. How should Federal data breach laws coexist with other international laws?

A.5. Individuals, regardless of where they are located, who are exposed to a significant risk of harm when their personal information is compromised due to a cybersecurity breach, should be apprised of that breach and given sufficient information to take the measures necessary to protect themselves. State breach notification laws have led the way in this regard and, with the inclusion of a breach notification requirement in the new General Data Protection Regulation, the European Union has now formally acknowledged the value of this principle. In light of this new E.U. requirement, it is more important than ever that the United States adopt a single breach notification regime nationwide in order to ensure that incidents having international impact are responded to promptly, consistently and efficiently.

Q.6. Can you give me some examples of fines, penalties and sentences for firms and individuals that engaged in cyber theft? Are these costs an appropriate deterrent?

A.6. Recent examples of sentencing and penalties for criminal groups and individuals are as follows:

- On April 18, 2018, Dwayne C.
Hans of New York was sentenced to 36 months in prison for attempting to steal more than $3 million from the Pension Benefit Guaranty Corporation, Defense Logistics Agency and General Services Administration. He was ordered to pay restitution of $134,000.00 for activities conducted between July 2015 and October 2016, when he committed fraud by impersonating an authorized representative of a U.S. financial institution and a defense contractor. Hans had previously pleaded guilty to one count of wire fraud and one count of computer intrusion. https://www.justice.gov/usao-edny/pr/cyber-criminal-sentenced-36-months-prison-attempting-steal-more-3-million-financial.
- On November 30, 2017, Russian cyber-criminal Roman Valeryevich Seleznev, aka Track2, Bulba and Ncux, was sentenced to serve 168 months in prison for one count of participation in a racketeering enterprise and 168 months in prison for one count of conspiracy to commit bank fraud, with the sentences to run concurrent to one another. In both cases, Seleznev was ordered to serve 3 years of supervised release to run concurrently and ordered to pay restitution in the amount of $50,893,166.35 in Nevada and $2,178,349 in Georgia. Seleznev pleaded guilty to the charges and admitted affiliation with the Carder.su organization, an Internet-based, international criminal enterprise whose members trafficked in compromised credit card account data and counterfeit identifications and committed identity theft, bank fraud, and computer crimes. https://www.justice.gov/opa/pr/russian-cyber-criminal-sentenced-14-years-prison-role-organized-cybercrime-ring-responsible.
- On May 25, 2017, three Nigerian cyber actors were sentenced for Federal offenses including mail fraud, wire fraud, identity theft, credit card fraud, theft of Government property, and conspiracies to commit bank fraud and money laundering. The maximum penalty imposed on a defendant was 115 years in prison and the minimum sentence handed down was 25 years.
Overall 21 defendants had been charged in the case, which was led by Homeland Security Investigations. The stronger penalties were imposed due to the bank fraud and money laundering elements of their activities. https://www.justice.gov/opa/pr/three-nigerians-sentenced-international-cyber-financial-fraud-scheme.

Federal Judges may face difficulty in determining sentencing in cyber crime cases due to the broad types and scope of impact, including where there may be difficulty in articulating a direct financial loss. Based on sentencing guidelines from the Department of Justice, fraud cases where there is direct loss to specific victims are generally easier to determine than matters where there is no direct loss, such as theft of information. Further, in general the charges asserted in most cyber crime cases are a subset of a broader array of activity by the perpetrator, and for some alleged crimes there may be only limited evidence. Consequently, many cyber criminals may only ever be charged and sentenced based on a small subset of their overall criminal behavior, which in many cases stretches back over many years.

Many overseas higher order cyber-criminal actors are unlikely to ever face prosecution and sentencing due to their location in countries that will not extradite or work with U.S. law enforcement. Further, in some countries advanced cyber criminals may present a potential asset to Government military and intelligence capabilities, so there is even less incentive to proceed with prosecution. The use of cyber criminals to support state-sponsored cyber operations was publicly confirmed with the release of the indictment in the Yahoo email compromise incident. https://www.justice.gov/opa/pr/us-charges-russian-fsb-officers-and-their-criminal-conspirators-hacking-yahoo-and-millions.
There is likely some deterrent value in stiff sentencing for cases, but the broad nature of offenses and diversity of sentencing is likely to present little deterrent to those adversaries located overseas, particularly if they have relationships supporting intelligence and military operations.

Q.7. How big of a problem is figuring out attribution for hacks? Are there ways we can enhance information sharing between industry and the Federal Government to enable more rapid detection and response to cyber-attacks?

A.7. The ability to potentially attribute cyber threat activities to a specific actor or series of actors varies greatly based on the type and impact of the incident. Attribution is generally a complex problem and an investigative challenge based on the availability of a set of technical fragments of evidence, which are aggregated, analyzed and compared against other cyber activities where the perpetrators have been identified with some degree of confidence. At the strategic level, where nation states are the primary threat actors, geopolitical context may suggest from an intelligence perspective that an adversary is responsible for a set of cyber threat activity that was triggered in response to specific event(s). The ability to attribute consequently varies between national security and purely criminal threats, with national security threat actors much more likely to be proactively monitored by the Intelligence Community. In criminal cases there is generally a requirement for significant forensic reconstruction of events to be able to coherently trace and attribute malicious activity. Further, in the majority of cyber-criminal cases involving fraud and theft, following the network and financial transaction trails will generally lead overseas, as criminals know that crossing international jurisdictions substantially increases the complexity of investigation for U.S.
agencies, particularly if some of the traffic is routed through countries which have tense or poor relations with the United States. Nation state military and intelligence services may also attempt to actively obfuscate and potentially misattribute activity.

The financial sector has a variety of robust information sharing arrangements with U.S. Government agencies through sector associations including the Financial Services Information Sharing and Analysis Center (FS-ISAC) and the Financial Systemic Analysis and Resilience Center (FSARC), and at the individual financial institution level. During the 2011-2014 Distributed Denial of Service (DDoS) attacks the FS-ISAC and individual member institutions worked collaboratively and individually with the Government agencies to identify, attribute and mitigate cyber threat activities. That collaboration has continued through the current time.

Q.8. What tools or resources would make it easier for financial institutions to correctly attribute cyber-attacks?

A.8. To further clarify, the term cyber-attack is, at times, misused in the media, which unfortunately confuses the issue of determining the actual objective of an adversary, which may be surveillance, theft, disclosure, manipulation/alteration or disruption/destruction, much of which has distinctly different impacts to a victim organization. Attribution is generally a confidence-weighted activity and the ability of a private institution, or group of institutions, to successfully attribute cyber activity varies greatly on the type of activity and the type of adversary. In nation-state cases, there may be geopolitical indicators which provide a level of inference lacking in other types of cyber activity. Publicly attributing cyber activity may present risk to any institution making the statements, as an adversary may become particularly focused on that institution in response.
This was seen during the 2012 DDoS attacks, where an institution that publicly attributed the attacks in media to Iran was subjected to ongoing focus as a result.

Q.9. How significant is the threat to private businesses--from hostile foreign governments or terrorist organizations?

A.9. Nation states have conducted cyber-criminal, cyber espionage and cyber-attack actions against private sector firms globally.

Q.10. What should businesses do now to prepare for a possible attack in the future?

A.10. Businesses should understand the domestic and global operational risk environment in which they operate and have a clear view of which assets are at most cyber risk. They must adopt a defense-in-depth approach to cybersecurity that emphasizes a ``default deny'' approach and assesses organizational controls against the most likely adversary capabilities. Determining the identity, capabilities and likelihood of the most significant cyber adversaries an organization faces is an ongoing activity that can then be used to assess the adequacy of the controls against the threat's technical capabilities. The ability to conduct this risk analysis is predicated on the following organizational capabilities:

- Identifying targeted campaigns against the organization from broader activity targeting the industry and Internet as a whole
- Analyzing and attributing the campaigns that have been previously observed and are currently being observed
- Ascertaining the adversary's objectives in the campaigns
- Utilizing observations and threat intelligence to develop a model of adversaries' technical capabilities and then prioritizing them based on the highest technical capabilities
- Modeling adversaries' capabilities against the organization's control capabilities, which should result in a residual risk assessment of the organization's abilities to defend against their prioritized adversary capabilities and highlight control gaps or deficiencies that need enhancement.
More broadly, this type of analysis should be conducted on an ongoing basis against the broader cyber threat environment to ensure the organization always understands its ability to mitigate current and developing cyber threats.

------

RESPONSES TO WRITTEN QUESTIONS OF SENATOR WARNER FROM BOB SYDOW

Q.1. Do regulators, who have the ability to supervise the banks and their relationships, but not the third-party vendors themselves, have sufficient authority to monitor these risks appropriately?

A.1. Regulators have been addressing the topic of third-party risk and the vendors across a number of dimensions, including but not limited to:

- Issuing guidance and requirements for outsourcing risk and third-party risk management
- Setting expectations that regulated firms have effective programs over their third parties to confirm that they are fulfilling the firms' contractual, compliance, consumer protection, and legal obligations
- Examination of how firms manage third parties--especially critical vendors--within the context of how they assess and manage risks across various domains (e.g., cyber, critical business processes, Recovery and Resolution Planning).

For example, the Office of the Comptroller of the Currency (OCC) has issued the following guidance for managing third-party risk:

When circumstances warrant, the OCC may use its authority to examine the functions or operations performed by a third party on the bank's behalf. Such examinations may evaluate safety and soundness risks, the financial and operational viability of the third party to fulfill its contractual obligations, compliance with applicable laws and regulations, including consumer protection, fair lending, BSA/AML and OFAC laws, and whether the third party engages in unfair or deceptive acts or practices in violation of Federal or applicable State law.
The OCC will pursue appropriate corrective measures, including enforcement actions, to address violations of law and regulations or unsafe or unsound banking practices by the bank or its third party. The OCC has the authority to assess a bank a special examination or investigation fee when the OCC examines or investigates the activities of a third party for the bank. (OCC Bulletin 2013-29.) Another example is: Guidance for Managing Third-Party Risk,'' FIL-44-2008, published by the Federal Deposit Insurance Corporation. It states in part: ``Review of third-party relationships contributes to the FDIC's overall evaluation of management and its ability to effectively control risk. Additionally, the use of third parties could have a significant effect on other key aspects of performance, such as earnings, asset quality, liquidity, rate sensitivity, and the institution's ability to comply with laws and regulations. Findings resulting from the review of an institution's third-party relationships will be addressed as needed in the Report of Examination. Appropriate corrective actions, including enforcement actions, may be pursued for deficiencies related to a third-party relationship that pose a safety and soundness or compliance management concern or result in violations of applicable Federal or State laws or regulations. Financial institutions are reminded that indemnity or other contractual provisions with third parties cannot insulate the financial institution from such corrective actions. Q.2. Are regulators focusing on third-party vendor management in their examinations? Are you seeing increased enforcement or other critical action from regulators against banks due to insufficient compliance programs for third-party vendor management? A.2. EY sees banking regulators conducting exams that include a specific focus on third-party vendor management. 
The focus of these exams is across topics ranging from governance, due diligence, risk assessment, ongoing monitoring, cyber, resiliency, contracting and the cataloging and inventory of third-party vendors.

Q.3. In its semiannual report in 2017, the Office of the Comptroller of the Currency noted that concentration in third-party service providers, such as providers of enterprise software or security products and services, has increased cybersecurity supply chain risk. Do you agree with this assessment? Do you believe that there is a potential systemic risk issue with dependencies on key third-party vendors or the wide use of certain software? Should regulators require a software bill of materials to understand what's inside third-party IT products?

A.3. A number of factors are contributing to an increase of cybersecurity supply chain risk, including: emerging interconnected technologies that drive fundamental transformations and create complex third-party ecosystems; the volume, velocity and precision of attacks; and the shortage of cybersecurity resources and skilled professionals. Additionally, many entities face not only third-party risk, but may also need to consider fourth and fifth parties in their evaluation of risk. While vendors can help provide solutions to address some of the resource constraints, third parties inherently create additional risk. Any single entity can be a potential threat entry point, which may cause a ripple effect across the enterprise or industry. Heightened regulatory and market focus have increased pressure on financial institutions to account for how third-party suppliers and vendors use and protect their data and manage sustainable operations, especially for critical services. Additionally, many financial services companies work with FinTech and RegTech companies or are looking for efficiency and innovation through use of the cloud. These also put further focus on third-party vendor cybersecurity risks.

The private sector is also focused on components of the supply chain that could create systemic risk and is working with the regulatory community to identify, evaluate, plan and exercise cyber response plans. This includes but is not limited to the power and utilities sector, payment processors, servicers, financial market utilities and infrastructure providers. Continued collaboration and focus on these efforts will be critical for preparedness.

Leading practices for companies to enhance their cyber capabilities, including consideration for third parties, include:

• Identify their most important assets consisting of critical business processes, systems, infrastructure, data and dependent third parties that are most critical to the financial institutions, including their role in the broader financial services ecosystem.
• Protect their high-value assets and underlying system architecture for enhanced security.
• Detect threats and vulnerabilities to proactively identify threats with better threat intelligence, detection and management capabilities.
• Respond to cyber incidents to rapidly contain the damage, and mobilize the diverse resources needed to minimize impact--including direct costs and business disruption, as well as reputation and brand damage.
• Recover from cyber disruptions to resume normal business operations as quickly as possible.

Q.4. Is verifying that financial institutions have an internal cybersecurity audit function or an independent third-party assessment sufficient, or should financial regulators develop their own view of the cybersecurity posture of supervised entities in addition to requiring independent third-party assessment?

A.4. Traditionally, the main role of internal audit, which is often referred to as the third line of defense in the three lines of defense (3LoD)\1\ risk management model described below, has been to provide an independent and objective assessment of the firm's processes across the first and second lines of defense, with the focus on operational effectiveness and efficiency as part of the firm's overall risk governance approach. As qualified technical resources are limited, internal audit groups often turn to co-sourcing arrangements with a qualified third party to augment their teams to provide technical resources to assess risk and execute audit programs to validate controls over applications and technology infrastructure, cyber risk governance and risk management, conduct independent penetration testing and vulnerability assessments, etc.

---------------------------------------------------------------------------
\1\ This includes excerpts from EY's Cyber risk management across the lines of defense, EYGM Limited, April 2017.
---------------------------------------------------------------------------

In cases where a firm has taken the appropriate actions so that qualified technical resources are available to support their internal audit team, the need for an independent third-party assessment and/or independent regulatory review would not appear to be necessary. Conversely, in cases where a firm does not have sufficiently qualified technical resources in-house and has elected not to utilize the services of a qualified third party, some form of annual independent assessment may be necessary.

Q.5. Are you and others in the industry seeing an uptick in interest from regulators in cyber risk? What issues do regulators focus on in their examinations?

A.5. In light of the heightened threat presented by cyber risks, regulators globally have stepped up their focus on cybersecurity.
Each regulator reviews cybersecurity in its own way, and takes into consideration its own view of the cyber risks in the industry and specific institutions, when conducting its reviews. Across the course of their ongoing supervisory reviews, supervisors increasingly assess a bank's ability to manage cyber risk across the 3LoD. The first line operates the business, owns the risk and designs and implements operations. The second line defines policy statements and the risk management framework, provides a credible challenge to the first line and is responsible for evaluating risk exposure for executive management and the board to consider when establishing a risk appetite. The third line of defense, which is also commonly referred to as ``internal audit,'' is responsible for the independent evaluation of the first and second lines.

EY has found that establishing a 3LoD approach to cyber risks is not a trivial task for an organization, but it is becoming essential in the cyber world we have entered. Financial services firms are still grappling with how to best implement the model across their businesses for existing nonfinancial risks. Adding cyber risk management as well as strong board oversight during the implementation of the 3LoD model poses an even greater challenge for organizations.

First line of defense

A strong first line of cybersecurity defense requires a significant effort. Whether in the retail bank, investment bank, corporate bank, private bank or any other area, business heads will have to perform a thorough examination to determine whether the business is doing enough to manage cyber risk. Information security groups can no longer apply one-size-fits-all solutions to the entire enterprise. Instead, each line of business must carefully define the cyber risks and exposures it faces. Cyber risks need to be woven into the fabric of the first line's risk and control self-assessment and into fraud, crisis management, and resiliency processes.

The lines of business will need to actively monitor existing and future exposures, vulnerabilities, threats and risks associated with their activities. In addition to leveraging technologies, businesses need to determine the impact that cyber risk will have on their clients, operational processes and strategies. These new responsibilities require significant investment in people and tools, including upgraded monitoring and analytic capabilities to provide improved assessments of current levels of cyber risk.

Second line of defense

The independent second-line cyber risk management function manages the enterprise cyber risk appetite and risk management framework within the context of the overall enterprise risk strategy. This group challenges the first line's application of the board-approved cyber framework and appetite. Second-line risk management plays a critical role in managing cyber risks and should not be walled off as a separate risk function. As the keeper of a firm's board-approved risk tolerance, it determines how to appropriately measure cyber risks, embedding quantitative and qualitative (e.g., reputational) thresholds for cyber risks into the statement of risk tolerance for the firm. Moreover, this clearly established appetite and its associated thresholds need to cascade down into the operations for each line of business. Given the relative novelty of applying the 3LoD model to cyber risk, most of the first and second lines focus appropriately on more effective management of these risks rather than the narrower issue of compliance. However, with an increasing volume of regulatory guidance and mandatory requirements stemming from industry, professional and regulatory standards, cyber will increasingly constitute a material compliance risk. Accordingly, supervisors should assess whether financial institutions integrate cyber risk compliance into second-line risk management.

Third line of defense

Traditionally, the main role of the third line of defense has been to provide an independent and objective assessment of the firm's processes across the first and second lines of defense, with the focus on operational effectiveness and efficiency as part of the firm's overall risk governance approach. Regulators are now focusing on how effective and independent a firm's internal audit team is when it comes to reviewing the firm's approach to cybersecurity. For example, banking regulations focused on cybersecurity often include references to the importance of an ``annual independent assessment,'' such as those included in Federal Financial Institutions Examination Council (FFIEC) and NIST requirements and guidelines. As a foundation, EY recommends that the internal audit team include within its overall audit plan an evaluation of the design and operating effectiveness of cyber risk management across the first and second lines of defense. Traditionally, industry standards, such as the NIST Cybersecurity Framework guidelines, have been used as the benchmark for evaluating a firm's effectiveness. Going forward, internal audit teams at financial institutions may need to create their own framework or apply multiple industry frameworks. By doing so, internal auditors will maintain greater objectivity in assessing cyber risk management effectiveness, eliminating the potential blind spots that can result from using a common standard throughout all three lines of defense. Under the 3LoD model, internal auditors perform procedures such as assessments, validation of applications and technology infrastructure, and evaluations of third-party risks; conduct some level of intrusive testing, either by themselves or using third parties; incorporate cyber into regular audits; and have a responsibility to stay abreast of cyber threat intelligence.
Board oversight of cyber risk management

Supervisors should also assess the degree to which boards of directors provide effective challenge and oversight of the bank's cyber risk management. Boards need to understand the maturity of their organizations' approach relative to evolving industry and regulatory trends. A cyber risk maturity assessment should be broad in nature, considering people, process and technology as well as existing and planned improvement or remediation activities. The view on program maturity needs to be combined with a proper assessment of existing threats and vulnerabilities, and the evolving threat landscape. Boards should press management to quantify cyber risk as much as possible so that quantitative statements on the degree of cyber risk are incorporated into the firm's risk appetite statement. The cyber risk appetite statement should link directly to cyber and technology operational thresholds and tolerances. Boards should insist on more credible cyber risk reporting, in the context of the approved cyber risk appetite. Boards should also determine how they evaluate the quality, accuracy and timeliness of cyber metrics. Boards should challenge how they oversee cyber risk across their own governance structure. The board should revisit its strategy for keeping directors abreast of cyber threats, trends and the evolving business implications. Aspects of cyber risk management should be built into an ongoing training program throughout the year, with overview sessions and deep dives on the most relevant topics and issues.\2\

---------------------------------------------------------------------------
\2\ For an example of an effective cyber risk dashboard, see Appendix F of the ``Cyber-Risk Oversight: Director's Handbook Series,'' National Association of Corporate Directors, 2017.
---------------------------------------------------------------------------

Ultimately, the board is accountable for requiring that management adapts quickly enough to manage this enterprise risk more effectively and efficiently, and it is charged with providing a credible challenge to management's approach.

Q.6. What do you believe is the appropriate role of the financial regulators in assessing the cybersecurity of institutions they regulate?

A.6. We see several regulatory roles related to cybersecurity, including:

• Engaging in public/private sector dialogues and efforts to support sharing intelligence and leading practices
• Considering how effectively cyber resiliency has been built into an organization's three lines of defense as referenced in my testimony
• Considering the level of board engagement in cyber risk management
• Advancing opportunities to seek sources of new talent for both public and private sector needs, as observed during my testimony

Companies that exercise good faith efforts, establish cyber risk management frameworks and adopt such leading practices as outlined in the previously submitted testimony should benefit, not only within the company, but in the eyes of stakeholders, regulators and enforcement agencies, especially relative to liability and penalty measures.

------

RESPONSES TO WRITTEN QUESTIONS OF SENATOR CORTEZ MASTO FROM BOB SYDOW

Q.1. A year and a half ago, William and Margaret Frederick sold their home in Ohio so they could buy a home in Las Vegas, Nevada. The couple expected to make a $216,000 profit on the sale. But, their real estate agent read a hacked email supposedly from William--the fake email had three L's in Bill instead of two--and sent the profit to the hacker. William was 83 and Margaret 77. Someone stole the money they intended to live on in retirement. Real estate transaction fraud is a problem in Nevada and nationwide. Thieves wait for the right time to impersonate a bank or realtor and send you different wire transaction instructions. Estimates are as much as $400 million a year in losses. What more can financial institutions do to prevent thieves from stealing people's down payments, earnest money and even the entire home payment if someone is buying a home for cash? Please identify the best practices for realtors, title agents and mortgage brokers.

A.1. Consumer education about common financial fraud methods and how to securely communicate their sensitive data should be driven as a combined effort by the private sector and public entities to foster an ongoing culture of greater awareness. Financial institutions can work to implement two-way verification of identities on the web, mobile and other virtual spaces to gain greater confidence that they are interacting with their intended customer and for the customer to have confidence they are communicating with their intended institution. Additional monitoring controls for higher-risk consumers and transactions should be considered, but this should be balanced with the need to maintain fluidity and velocity of transactions without adding risk to the banks themselves for delays or rejected payments. Underpinning all of these controls, however, is the growing need for an improved form of digital identification for all entities, consumer and institutional, that can support enhanced authentication and be easily used and verified for online transactions.
Educating individual business owners about cybersecurity and cyber posture is a topic on which the public and private sector should work together. EY recognizes the importance of better cyber hygiene throughout the ecosystem, and would encourage policymakers to consider what levers they have available to reach individual business owners.

Q.2. One way to protect consumers' information is to not collect it. For example, why should merchants of any sort, including doctors, insurance companies and utilities, require Social Security Numbers as part of their information or data-set on their customers? Should we limit Social Security Numbers provided to merchants?

A.2. The value of the Social Security Number (SSN) as a private and unique identifier must be viewed relative to the risk that currently exists based upon years of propagating this same identifier across multiple systems. In my view, continued usage of this same identifier, coupled with the aggregation of cybersecurity breaches that have gained access to this identifier, diminishes its value and instead heightens the risk associated with using it. Unique identifiers must be evaluated from multiple perspectives before deciding upon their value. For example, the use and collection of an identifier that is unique to a particular industry segment may be reasonable, if its usage across various entities encourages innovation, benefits society, limits other risks or provides convenience to consumers and furthermore, if the risks associated with using the identifier do not outweigh those values or may be mitigated. It is the data that is associated with the unique identifier that creates the risk and hence there may be ways to still achieve value while minimizing risk by limiting those data elements about an individual that are associated with any identifier. In other contexts, there may be better ways than using a unique identifier to manage risk. One example is when the identifier is being used solely for the purpose of authenticating someone's identity. There are other ways to achieve this, including through encrypted identifiers and multifactor authentication.

Q.3. What other sorts of information should financial institutions or others STOP collecting?

A.3. Many companies across industries are required to collect SSNs to comply with legal and regulatory requirements. For example, financial institutions are required to collect and retain SSNs when customers open an account or apply for a mortgage. Health insurance companies are also mandated by Government to collect SSNs for individuals they insure. In such cases, companies cannot voluntarily choose whether or not they collect SSNs from their customers. When considering policies to change the collection and use of SSNs, it is important to understand whether the proposal would impact the use of the SSN as an identifier or authenticator. SSNs were created to be a unique identifier, and organizations continue to use them in this way to connect disparate pieces of information about a person. Today, SSNs are also widely used as authenticators to verify the identity of a person. This is problematic because authenticators are only valuable if they remain a secret--which is not the case with SSNs after years of massive data breaches have made them widely available to criminals on the dark web.

State and International Laws Relating to Cybersecurity

Q.4. What are the pros and cons of a Federal data breach law?

A.4. Because pros and cons can vary for differing stakeholders, policymakers in Congress are in the best position to determine the path forward that balances the needs of constituents and other key stakeholders. EY believes key considerations include the potential benefit of harmonization and the need for interoperability across jurisdictions, which we address elsewhere in this document.

Q.5. How should Federal data breach laws coexist with other international laws?

A.5. In EY's view, it is important for U.S. policymakers to consider the potential for conflict that could arise across jurisdictional differences in laws. EY routinely hears from clients how regulatory harmonization at the State, Federal, and international levels has the potential to reduce compliance costs and free up capital to invest limited financial resources available to improve their security posture. Conversely, it would add to costs and complexity to have disparate approaches that are not interoperable.

Q.6. Firms that fail to secure their data pay substantial penalties. Hundreds of hackers go to prison. The woman [Paytsar Bkhchadzhyan] who hacked into Paris Hilton's accounts and stole her credit card information received a 57-month prison term. Taylor Huddleston (26) of Arkansas was sentenced to serve nearly 3 years for building and selling a remote access Trojan (NanoCore) to hackers. Can you give me some examples of fines, penalties and sentences for firms and individuals that engaged in cyber theft? Are these costs an appropriate deterrent?

A.6. There are various Federal and State Government authorities that bring enforcement actions relating to cybercrime. A non-exhaustive list includes the following. The Federal Trade Commission brings actions alleging that companies have engaged in unfair or deceptive practices that failed to adequately protect consumers' personal data; information on such cases is available at www.ftc.gov/datasecurity. The U.S. Securities and Exchange Commission (SEC) also brings actions alleging account intrusion and failure to safeguard customer data; for example, information on such cases is available at www.sec.gov/spotlight/cybersecurity-enforcement-actions. Because various States have their own data protection and breach notification laws, some States have State authorities with enforcement authority relating to cybercrime.
Additionally, there can be criminal sanctions for cyber theft. To take one recent example, the U.S. Department of Justice (DOJ) announced charges against 36 people from the United States and six foreign countries earlier this year alleging that they were responsible for hundreds of millions of dollars of losses from the acquisition and sale of stolen identities and other information. See ``Thirty-six Defendants Indicted for Alleged Roles in Transnational Criminal Organization Responsible for More than $530 Million in Losses from Cybercrimes,'' DOJ Press Release No. 18-145 (Feb. 7, 2018), available at www.justice.gov/opa/pr/thirty-six-defendants-indicted-alleged-roles-transnational-organization-responsible. Notably, although DOJ announced the arrests of 13 of the people charged, it was uncertain whether the 23 remaining defendants would ever face trial in the United States. There are a variety of criminal statutes available to Federal prosecutors. See, e.g., ``Prosecuting Computer Crimes,'' DOJ OLE Litigation Series, Appendix A, ``Unlawful Online Conduct and Applicable Federal Laws,'' available at www.justice.gov/criminal/cybercrime/docs/ccmanual.pdf. For example, the Computer Fraud and Abuse Act, 18 U.S.C. 1030, provides for maximum sentences of 10 years for a first offense and 20 years for a second offense. While cybersecurity experts generally feel that there is an important role for law enforcement to play in apprehending cyber criminals, many express the sentiment that these efforts are unduly hampered by the length of criminal sentences that are imposed. More often, cybersecurity experts tend to realize that bad actors in this space are able to operate across the globe, including in places that make it difficult for U.S. law enforcement authorities to reach them. This is not to say that there is no place for criminal and regulatory enforcement in the cyber realm. Clearly, there is.

However, especially given the rapidly changing nature of the threat, and the extent to which the threat can originate overseas, enforcement will never be sufficient on its own. Institutions need to protect themselves and their stakeholders because many actors in cybercrime are unlikely to be deterred, no matter how robust the penalties. As a result, EY encourages the Committee to focus not only on enforcement but also on ways to incentivize responsible and effective corporate governance and risk management strategies by rewarding good behavior and adoption of leading practices. As stated in the written testimony EY submitted to the Committee, not only do threats evolve day-by-day, but those who want to do harm are not constrained by regulatory, liability or jurisdictional issues, let alone ethics. While no one can guarantee that any or all attacks can be prevented, the market is developing best practices and ways to mitigate risk and impact. Companies that exercise good faith efforts, establish cyber risk management frameworks and adopt such best practices as outlined in this testimony should benefit, not only within the company, but in the eyes of stakeholders, regulators and enforcement agencies, especially relative to liability and penalty measures.

Q.7. Seventy-seven percent of cyber attacks come from the outside. Yet sometimes, figuring out who the hackers were is hard. Hackers can spoof evidence. They can embed other hackers' tools. How big of a problem is figuring out attribution for hacks? Are there ways we can enhance information sharing between industry and the Federal Government to enable more rapid detection and response to cyber attacks?

A.7. Attribution can be incredibly difficult depending on the sophistication of the adversary and as a result of the transient nature of digital evidence. An adept adversary understands forensics and cyber investigative methodology and will take steps to minimize their digital fingerprints if they choose to obscure attribution. Additionally, attribution often requires correlation between different investigations or sources of information. Therefore, many organizations that do not routinely respond to breaches lack the data to make correlations and assessments regarding attribution. Finally, some key data points that are helpful in providing attribution are maintained by private or foreign entities that may be unwilling to provide this critical information.

There are a number of initiatives currently underway to promote the sharing of information between the private and public sector, including:

• The Department of Homeland Security's Cyber Information Sharing and Collaboration Program (CISCP)
• The Cybersecurity Information Sharing Act (CISA) program, and related Automated Indicator Sharing Initiative
• The Federal Bureau of Investigation's InfraGard program
• The U.S. Department of Energy's Cybersecurity Risk Information Sharing Program for the electric utility sector
• Sector-specific as well as regional Information Sharing and Analysis Centers (ISACs)

These initiatives are each having a positive effect on marketplace efforts to combat cyber attacks, but there is always more that can be done, including: (1) providing enhanced liability protection for private sector companies when good-faith efforts are made when sharing information, (2) increasing the speed with which information is disseminated, and (3) increasing the speed of security clearance investigations (needed before access can be provided to certain protected information).

Q.8. What tools or resources would make it easier for financial institutions to correctly attribute cyber-attacks?

A.8. Attribution can be incredibly difficult depending on the sophistication of the adversary and the transient nature of digital evidence.
The rapidly escalating volume, velocity and sophistication of cybersecurity attacks on the financial services ecosystem continues to present a significant challenge to financial institutions in safeguarding their sensitive data. Financial institutions should continue to enhance their cyber capabilities--people, process and technology by identifying their high-value assets; securing their high-value assets and underlying architecture; proactively detecting threats and vulnerabilities; rapidly responding to cyber incidents to contain the damage; and recovering from cyber disruptions to resume normal business operations as quickly as possible. Additionally, financial institutions should explore the possibility of sharing cyber threat information in a confidential, timely manner with their peers and appropriate external stakeholders and also collaborating with them to protect the financial system ecosystem. Q.9. In 2015, French-language TV station, TV5Monde was subjected to a significant cyber-attack which disrupted its broadcast for several hours by Fancy Bear. These are the same Russian government and military hackers that hacked the Democratic National Committee. Multiple television channels went dark. Social media channels run by the broadcasters began to spew ISIS propaganda. The attack was the work of Russian hackers which pretended to be ISIS. Russian government hackers also attacked the World Anti-Doping Agency, the power grid in Ukraine and the French electorate with another document dump. How significant is the threat to private businesses--from hostile foreign governments or terrorist organizations? A.9. The threat to the private sector from attacks waged by hostile foreign actors is extremely significant. 
There have been a number of public reports of instances where these actors have demonstrated the ability and intent to maliciously attack private companies with the goal of stealing intellectual property, disrupting operations (e.g., via ransomware attacks), conducting industrial espionage and other nefarious purposes. These attacks directly affect specific companies and have a ripple effect on the U.S. economy as a whole, potentially undermining the public's trust and the backbone of our economy.

Q.10. Some of the lessons from that attack were documenting IT processes, restricting access to IT processes, and keeping communications separate from incident responses. What should businesses do now to prepare for a possible attack in the future?

A.10. A growing number of companies experience cyber events as part of the routine course of business and are well versed in responding. Incident management, continuity and crisis management programs can support how a company responds to an event. For significant cyber events, many of EY's clients are focused on the following areas:

1. Communications and disclosures: timely and accurate reporting, notification and disclosure is an increasingly critical concern following a cyber breach, as it must be factual and meet requirements under Federal and State law as well as other regulatory requirements and guidelines, including the most recent SEC guidance updates and, where applicable, various foreign requirements such as the new European Union (EU) General Data Protection Regulation (GDPR).

2. Simulation exercises: firms have been practicing technical ``war games'' and conducting trainings to prepare technical resources for an event. EY is seeing a trend where firms are extending these exercises further to include executive management and in some cases members of the board to practice and refine response mechanisms.

3. Industry efforts: financial services firms are engaging in various industry exercises, collaboration efforts and information sharing programs to help address the potential client impacts as well as possible systemic impacts that could occur.

However, it should be noted that there is no silver bullet. No organization, large or small--public or private--is immune to the cyber threat. As noted in the prepared remarks delivered to the Senate Banking Committee, EY's clients face three significant challenges:

1. Emerging interconnected technologies drive fundamental transformations and create complex third-party ecosystems
2. The volume, velocity and precision of attacks
3. A shortage of cybersecurity resources and skilled professionals

EY works with clients across all sectors, and many should be commended for their efforts. Financial services firms, especially the largest banks, are considered best-in-class not only in terms of organization and investment, but also for leading engagement with stakeholders across the ecosystem. The industry is not without challenges, and there is variation among firms. For example, while the largest banks have considerable resources dedicated to cybersecurity risk management, smaller entities often struggle with costs and access to a competitive talent pool. That is not to say these organizations are not committed to cyber risk management or do not take the issue seriously. Cyber breaches and associated losses are not good for business, and when a company's business model depends on customer trust, a cyber event can cause long-term damage to brand and reputation. Large banks are accustomed to higher levels of regulatory scrutiny, and their third-party risk management programs tend to be more mature and robust--but challenges remain. Today, financial institutions deal with third-, fourth- and fifth-party risk. In addition to vendor risk, most institutions struggle to secure resources and talent.
Experienced cyber professionals are in high demand. Often, small financial services institutions rely on third-party providers to meet those needs. There is no one-size-fits-all solution, but there are three areas where EY believes risk can be mitigated: corporate governance and risk management, the American Institute of Certified Public Accountants' (AICPA) Cybersecurity Risk Management Reporting Framework, and policy solutions.

Ultimately, the board is responsible for governing a company's risk appetite and providing a credible challenge to management. By doing so, boards help protect investors and enhance the company's value and performance. Banks use a ``three-lines-of-defense'' risk management model (described later in this document). The larger ones are adopting this model for cyber. EY considers this a leading practice. Increasingly, regulators, investors and others want financial institutions to build cyber resiliency strategies into the three lines of defense.

Another challenge is understanding and communicating about a cyber program's efficacy. While the National Institute of Standards and Technology (NIST) and others have developed implementation guidance, there had been no means to evaluate and report on program effectiveness. The distinction is subtle, but significant. In response, the AICPA recently developed the Cybersecurity Risk Management Evaluation and Reporting Framework. This is voluntary and can provide stakeholders with reasonable assurance that the identification, mitigation and response controls are in place and operating effectively. No framework can guarantee against a breach, but the AICPA Framework can offer an independent, validated understanding of a company's cybersecurity systems, processes and controls. While the AICPA's model is relatively new, voluntary market adoption appears to be gaining momentum.

Unfortunately, there is no single legislative, regulatory or market solution that can guarantee against a cyber event. Bad actors are not constrained by regulatory, liability or jurisdictional issues, let alone ethics. Policymakers and the business community should work together to foster collaboration and improve intelligence sharing. The private sector needs flexible and harmonized policy solutions that recognize the dynamic challenge of cybersecurity and clarify conflicting directives. There needs to be a balance between the need for compliance and the need to manage cyber risk and protect consumers. EY believes companies that engage in good faith efforts, establish enterprise-wide cyber risk management frameworks and adopt leading practices should be recognized, especially relative to liability and penalty measures. Finally, EY encourages Congress to support modernization of the Government's cyber posture, to focus on developing solutions to address cyber workforce shortages, and to educate the public and help the country as a whole improve its cyber hygiene.

Additional Material Supplied for the Record

[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]
MEMBERNAME | BIOGUIDEID | GPOID | CHAMBER | PARTY | ROLE | STATE | CONGRESS | AUTHORITYID |
---|---|---|---|---|---|---|---|---|
Shelby, Richard C. | S000320 | 8277 | S | R | COMMMEMBER | AL | 115 | 1049 |
Brown, Sherrod | B000944 | 8309 | S | D | COMMMEMBER | OH | 115 | 136 |
Moran, Jerry | M000934 | 8307 | S | R | COMMMEMBER | KS | 115 | 1507 |
Toomey, Pat | T000461 | | S | R | COMMMEMBER | PA | 115 | 1594 |
Van Hollen, Chris | V000128 | 7983 | S | D | COMMMEMBER | MD | 115 | 1729 |
Corker, Bob | C001071 | 8294 | S | R | COMMMEMBER | TN | 115 | 1825 |
Tester, Jon | T000464 | 8258 | S | D | COMMMEMBER | MT | 115 | 1829 |
Donnelly, Joe | D000607 | 7941 | S | D | COMMMEMBER | IN | 115 | 1850 |
Heller, Dean | H001041 | 8060 | S | R | COMMMEMBER | NV | 115 | 1863 |
Warner, Mark R. | W000805 | 8269 | S | D | COMMMEMBER | VA | 115 | 1897 |
Scott, Tim | S001184 | 8141 | S | R | COMMMEMBER | SC | 115 | 2056 |
Cotton, Tom | C001095 | | S | R | COMMMEMBER | AR | 115 | 2098 |
Schatz, Brian | S001194 | | S | D | COMMMEMBER | HI | 115 | 2173 |
Heitkamp, Heidi | H001069 | | S | D | COMMMEMBER | ND | 115 | 2174 |
Warren, Elizabeth | W000817 | | S | D | COMMMEMBER | MA | 115 | 2182 |
Perdue, David | P000612 | | S | R | COMMMEMBER | GA | 115 | 2286 |
Rounds, Mike | R000605 | | S | R | COMMMEMBER | SD | 115 | 2288 |
Sasse, Ben | S001197 | | S | R | COMMMEMBER | NE | 115 | 2289 |
Tillis, Thom | T000476 | | S | R | COMMMEMBER | NC | 115 | 2291 |
Cortez Masto, Catherine | C001113 | | S | D | COMMMEMBER | NV | 115 | 2299 |
Kennedy, John | K000393 | | S | R | COMMMEMBER | LA | 115 | 2303 |
Jones, Doug | J000300 | | S | D | COMMMEMBER | AL | 115 | 2364 |
Crapo, Mike | C000880 | 8289 | S | R | COMMMEMBER | ID | 115 | 250 |
Menendez, Robert | M000639 | 8239 | S | D | COMMMEMBER | NJ | 115 | 791 |
Reed, Jack | R000122 | 8272 | S | D | COMMMEMBER | RI | 115 | 949 |