Why Information Sharing Isn't Working

Pawlenty Calls for Congressional Action, Oversight of Retailers
Why Information Sharing Isn't Working
Tim Pawlenty
Tim Pawlenty, CEO of the Financial Services Roundtable, says the only way to ensure adequate cyberthreat information sharing is through federal legislation that would furnish liability protection and other incentives.

It's a touchy subject for banking institutions, which already feel overburdened by regulatory oversight. But during a financial services cybersecurity forum hosted June 24 in New York City by the roundtable and the consultancy Deloitte & Touche, Pawlenty questioned whether information sharing between the government and financial services was as robust as it should be.

"Cyber-attacks are waged by a range of attackers," Pawlenty says. "The House passed an information sharing bill in September. Now the Senate is looking at something similar." (See: Senate to Mull Cyberthreat Sharing Bill.)

Holding Retailers Accountable

Another big problem, Pawlenty explains during an exclusive interview with Information Security Media Group, is that not all parties connected to the financial infrastructure must meet the same security standards.

"It's a holistic system that's only as strong as its weakest link," Pawlenty says. "That's why it's really important for retailers to be involved."

From a regulatory oversight perspective, more needs to be done to ensure merchants are adhering to the same types of security mandates as other players, such as banks, he contends. "Retailers themselves are coming to the conclusion that they need some better protocols and standards," Pawlenty says. "At the very least, they need some real-time information sharing. And I think legislation will help."

Pawlenty points to the Target Corp. breach as an example of why merchants need more oversight and stronger threat-intelligence guidelines. "Target did not know it was hacked or breached until the Secret Service told them," he says.

Had Target had a more robust information sharing strategy in place, perhaps it would have learned of its breach sooner, Pawlenty says.

Retail Security Lags

The retail sector, though a significant part of the payments landscape, trails the financial services industry by 10 years on implementing cybersecurity strategies, Pawlenty argues.

"We are [working with the Federal Reserve] and other payments providers - like the clearinghouse [NACHA] - to ensure all of the stakeholders and those who should be partners are working together as much as possible, rather than pointing fingers," he explains (see Revamping the U.S. Payments System). "Look at some groups that have been set up to be a proper conduit for information sharing - like the FS-ISAC [Financial Services Information Sharing and Analysis Center]. ... That type of information sharing is going to have to migrate to other sectors."

During this interview, Pawlenty also discusses:

  • The role the Financial Services Roundtable is playing in building partnerships between retailers and banking institutions;
  • How action on Capitol Hill is expected to impact information sharing; and
  • Why C-suite buy-in regarding cyber-risk mitigation will get increased attention in the months to come.

Pawlenty, who heads the Financial Services Roundtable, a banking trade association based in Washington, is the former two-term governor of Minnesota. As chair of the Minnesota State Board of Investment, Pawlenty directed more than $60 billion in public and private investments during his tenure. He also served as chair of the National Governor's Association from 2007 until 2008 and chair of the Midwest Governor's Association from 2006 until 2007.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing ffiec.bankinfosecurity.com, you agree to our use of cookies.