BITS: How to Prepare for Cyberthreats
Paul Smocer on Lessons for Banks from FSOC, NIST Framework
Cyber-attacks waged against the financial infrastructure are increasingly concerning, as the Financial Stability Oversight Council notes in its 2014 annual report (see FSOC: A Call For Cybersecurity Action).
"We have seen the nature of the threats growing ... in the hacktivism world and the nation-state world," says Smocer, president of BITS, the technology policy division of the Financial Services Roundtable.
Now, the FSOC, which is chaired by the Secretary of the Treasury, is calling upon banking regulators to address those threats through enhanced risk assessments of cyber-security at financial institutions as well as improved domestic and international information-sharing, Smocer notes during this interview with Information Security Media Group.
"The Treasury is doing a lot of work to ensure that there are no impediments to the flow of information," he says. "We're starting to see the agencies do as much as they can to ensure there is a real-time exchange of information."
Prepping for Assessments
As banking institutions prepare for new cyber-risk assessments to be conducted by the Federal Financial Institutions Examination Council, Smocer says they can turn to several resources for guidance (see FFIEC Cyber Assessments: What to Expect).
Banks and credit unions should ensure they are conforming to standards outlined in existing FFIEC handbooks for IT security and vendor management, he says. They also should turn to the National Institute of Standards and Technology's cybersecurity framework (see How Will NIST Framework Affect Banks?).
The NIST framework addresses why cybersecurity is a C-level issue and stresses why cybersecurity direction within an organization needs to come from the top, Smocer says.
Expanded Assessments of Third Parties
Cyber-attacks waged against service providers and third parties, including the recent attacks against major retailers such as Target Corp., have raised new concerns about the security of the financial ecosystem, Smocer says.
As a result, regulators could expand their view of what constitutes financial services, he says. And that could mean more regulatory scrutiny of retailers and non-traditional payments providers, Smocer adds.
"The FSOC [in its report] ... is recognizing that there are some non-financial players that are beginning to grow and become part of the payments ecosystem," he says. "There are new players in this space and those new players need to be secure. ... The FSOC recognizes that this area of risk continues to evolve and that we need to pay more attention to it as we move forward."
Some of the larger core-banking service providers should expect more regulatory oversight, as their cybersecurity practices impact a wider cross-section of the industry, Smocer adds.
During this interview, Smocer also discusses:
- Growing concern about nation-state attacks against critical-infrastructure sectors, such as financial services;
- How regulators are pushing for more real-time threat information sharing; and
- How more government oversight of cybersecurity is expected to impact banks and credit unions.
At BITS, Smocer leads initiatives to enhance e-mail security and advance practices for identifying and validating online customers. BITS is the technology policy division of The Financial Services Roundtable, which was established to protect and promote the economic vitality and integrity of the United States financial system. Smocer joined the Roundtable in February 2008 as vice president of security. Before BITS, he focused on technology risk management at BNY Mellon and led information security at the former Mellon Financial Corp.