Over-Assessing Cybersecurity? How Regulatory Oversight Could Hurt Info Sharing Among Banks
For months now we've been talking about why information sharing is so critical to cybersecurity, stressing the need for improvement in the retail sector in particular.
Merchants could learn some valuable lessons from banking institutions, which have made great strides in information sharing, thanks to al-Qassam Cyber Fighters. This self-proclaimed hacktivist group, which has been broadly assumed to have ties to the Iranian government, proved in 2012 and 2013 just how lacking information sharing was in the financial services sector.
Through a series of distributed-denial-of-service attacks waged against most of America's leading banks, al-Qassam showed it could catch banks by surprise.
While the banking industry wasn't prepared then, it quickly learned to pool cyber-intelligence resources and promptly share information. This sharing has allowed some of the country's leading banks to help each other, as well as smaller institutions. They've overcome fear of inadvertent compromise of their competitive edges.
In the end, the U.S. financial sector strengthened its position and set an example for how information sharing can work to enhance cybersecurity.
Breaking Ground in Cyber Intelligence
These efforts were groundbreaking, as former Federal Bureau of Investigation Director Robert Mueller noted this week during a financial services cybersecurity forum in New York City.
Now that same kind of information sharing needs to trickle out to other industries, says Phyllis Schneck, deputy undersecretary for cybersecurity and communications within the National Protection and Programs Directorate at the Department of Homeland Security. During a panel discussion that followed Mueller's presentation at the forum, co-hosted by the Financial Services Roundtable and Deloitte & Touche, she said: "If you look into the future of where we need to be, we need to take what you've done out to other sectors."
Too Much Regulation?
Since the DDoS attacks, information sharing has become the new norm for banks and credit unions. But many bankers now fear heightened regulatory oversight could cripple the process - making information sharing more about "checkbox" compliance than threat mitigation.
Rather than increasing oversight of banks and credit unions, bankers say the government should be taking steps to ensure retailers and others impacting the financial infrastructure are required to meet higher information sharing and security standards.
In spite of the banking industry's information sharing successes, regulators have made it clear they want to ensure all institutions, large and small, are taking threat intelligence seriously. It's a valid concern. Many smaller institutions admit they struggle to keep up with emerging threats. But is more regulatory oversight the answer?
The Federal Financial Institutions Examination Council announced this week that it has started its cybersecurity assessment pilot program, which will examine more than 500 community banking institutions (see FFIEC Cyber Assessments: What to Expect). The pilot program aims to help smaller banking institutions address potential security gaps.
Regulators, such as the Office of the Comptroller of the Currency, have said the new risk assessment strategy could, in part, test how well banks and credit unions perform in the area of cyber-intelligence gathering and sharing.
But increased oversight from regulators could prove counter-productive, especially if measuring information sharing becomes part of an examination process.
As Mark Clancy, managing director of technology risk management for The Depository Trust and Clearing Corp., which provides clearing and settlement services, pointed out at the forum: "Assessing every risk of every institution you work with is not productive."
Rather than focusing so much attention on assessing risks from a compliance perspective, regulators need to spend more time educating themselves about the types of attacks that are being waged against financial services companies, he suggests.
"We need regulators to be more cognizant of the threats, and for them to come up with more feasible ways to define or differentiate between what is compliance-driven and what is productive," Clancy said.
Information is shared in many different ways, and if regulators are examining how banking institutions meet or comply with specific information sharing standards, it could hurt, not help, the flow of cyber-intelligence.