The US Senate’s Committee on Banking, Housing and Urban Affairs met on May 24 in open session to conduct a hearing entitled, “Cybersecurity: Risks to the Financial Services Industry and Its Preparedness.” Mike Crapo (R – ID) serves as the Committee’s Chairman.
Witnesses at the hearing included Bill Nelson, President and CEO, FS-ISAC; J. Michael Daniel, President and CEO, Cyber Threat Alliance; Phil Venables, Managing Director and Head of Operational Risk Management and Analysis, Goldman Sachs; Carl A. Kessler III, Senior Vice President and Chief Information Officer, First Mutual Holding Company; and Bob Sydow, Principal, Americas Cyber Leader, Ernst & Young LLP.
Sydow offered the Committee insights into the scope of the threat environment, the financial industry’s lack of preparation for attacks and potential remedial actions for organizations facing cyber risks. He has more than 34 years of experience working with Fortune 500 companies on all aspects of information security. This includes security strategy and transformation, data protection and privacy, identity and access management, cyber threat management and cyber economics. The EY global network features a Cybersecurity practice spanning 150 countries. It employs more than 7,000 practitioners.
A Matter of Trust
To understand the cyber risk facing financial services firms, it is first necessary to grasp the significance of trust in their business dealings. As Sydow put it, “Trust, after all, is the bedrock of financial services firms and audit firms like EY.” It’s a balancing act, however. He noted, “Building value successfully by using emerging technologies in the financial services sector demands a thoughtful balance. A focus on preventing cyber threats has, at times, delayed or impacted firms’ digital innovation efforts, which can be a challenge in such a highly competitive market.”
The financial services industry is not well prepared for cyber attacks. In this, the industry is not alone. Sydow cited the EY Global Information Security Survey (GISS), which investigates the most important cybersecurity issues facing organizations today. For example, he shared that 89% of respondents say their cybersecurity function does not fully meet their organization’s need; 75% of respondents rate the maturity of their program to identify new vulnerabilities affecting their technologies as very low to moderate; 35% describe their data protection policies as ad hoc or nonexistent; 12% have no breach detection program in place.
The Role of the Board in Fostering a Cyber-Minded Culture
EY works with boards to foster a cyber-minded culture. “We have found that directors serving on financial services boards receive a steady stream of news about cyber attacks, and most have received multiple briefings from their executive teams, if not by federal national security officials. The primary challenge that directors and their firms grapple with is how to keep pace with fast-changing cyber risks in terms of the vulnerabilities or the new sources of risk that they create,” Sydow told the Committee. He then added, “Boards need to understand the maturity of their organizations’ approach relative to evolving industry and regulatory trends. Focusing on the chief information security officer’s (CISO’s) organization is necessary but no longer sufficient on its own.”
Sydow recommended that financial services firms conduct a cyber risk maturity assessment—broad in nature, considering people, process and technology as well as existing and planned improvement or remediation activities. “Foundational elements need to be in place, such as a firm-wide, consistent view of what constitutes cyber risk and the current vulnerabilities and threats. In that context, the effectiveness of existing controls can be evaluated,” he said.
Specifically, it’s essential that boards measure and evaluate cyber risk. “Boards should insist on more credible cyber risk reporting, in the context of the approved cyber risk appetite,” Sydow noted. “Boards should also determine how they evaluate the quality, accuracy and timeliness of cyber metrics. Too often, firms use key performance indicators for technology as proxies for real cyber risk reporting.”