Banks, Feds Seek Common Ground
Subcommittee Hearing Offers Insights, but Rehashes the Obvious
International communication and public-private partnerships are the keys to cybersecurity in the financial space.
So say the Department of Homeland Security and the Financial Services Information Sharing and Analysis Center.
On Tuesday, a House subcommittee focused on financial services heard testimony from cross-industry experts about the current cybersecurity landscape, highlighting threats especially to financial services.
William Nelson, president and CEO of the FS-ISAC, said cybersecurity is a concern, but the industry has made significant strides toward thwarting financial losses.
"The FS-ISAC is aware, through its information-sharing arrangements with both public and private-sector organizations, that criminal threats are targeting U.S. financial institutions, capital markets exchanges, clearing houses, payment processors, businesses and consumers," Nelson said. "However, research shows that losses due to cybercrime currently only account for a small percentage of the overall fraud losses incurred by financial institutions."
A recent survey conducted by the FS-ISAC revealed that financial losses associated with incidents of corporate account takeover were cut in half from 2009 to 2010. During the first six months of 2010, cyberattackers were only successful at completing fraudulent transactions 27 percent of the time, after taking over an account. In 2009, they were successful 63 percent of the time.
Granted, those numbers only reflect the first six months of 2010, but FS-ISAC says it expects percentages for the second six months to reflect the same trend. "Banks and customers are recognizing the situation sooner and are getting into response mode quicker, and so they're able to retrieve the funds before the transactions are irreversible," Errol Weiss, head of the FS-ISAC task force that orchestrated the survey, told BankInfoSecurity in August.
Going forward, Nelson told committee members this week, attention should be paid to communication.
"Law enforcement and a number of government agencies have taken a lead role, working with the FS-ISAC, its member organizations, payments processors and the financial-services sector as a whole to combat these types of attacks," he said.
Nelson also noted the Federal Financial Institutions Examination Council's updated authentication guidance, saying the "layered" security approaches recommended by the FFIEC reflect best practices financial services companies should embrace.
No one argued with that, especially the need for more open communication. In fact, Greg Schaffer, DHS Acting Deputy Under Secretary, said the DHS plans to work and communicate with financial institutions even more closely in the future, to the chagrin of some bankers. "Some institutions have concerns about the privacy implications of sharing information with the government or about brand damage that may result from reporting an incident," he said.
Those concerns aren't shared across the board. Greg Garcia, partnership executive for cybersecurity and identity management at Bank of America, says BofA is "bolstering" partnerships and collaboration. "We are sharing information and best practices so that we can collectively get smarter and better at protecting assets and critical information," he said.
But how much sharing and information collection is too much? And how much government involvement and oversight of consumer and commercial financial information is advisable?
The Financial Services Committee was wise to call a meeting to review how government and financial players plan to manage information security in the future. I just didn't see or hear anything really new revealed. We already know a.) cyberthreats are a problem, and b.) information sharing and analysis make a difference.
What are agencies and organizations going to do differently now to address these shared concerns? That's what most of us, I would venture to guess, would really like to know.