SEC Chair: Cybersecurity Is No. 1 RiskMary Jo White Says Policies Not Tailored to Risks
Cybersecurity is the biggest risk facing the financial system, says Mary Jo White, chair of the U.S. Securities and Exchange Commission.
White made the assessment of the cyberthreats faced by Wall Street in her response to questions at the Reuters Financial Regulation Summit May 17, Reuters reports.
The SEC has found some major exchanges, dark pools - private forums for trading securities - and clearinghouses did not have cyber policies in place to match the sort of risks they faced, White said, according to the Reuters report.
"What we found, as a general matter so far, is a lot of preparedness, a lot of awareness but also their policies and procedures are not tailored to their particular risks," she said. "As we go out there now, we are pointing that out."
White told conference attendees that SEC examiners were proactive about doing sweeps of broker-dealers and investment advisers to assess their defenses against a cyberattack. "We can't do enough in this sector," she said, according to Reuters.
Banks internationally have been unnerved by the recent $81 million cyber theft from the Bangladesh central bank that was funneled through SWIFT, which handles the bulk of cross-border payments between banks (see Swift Warns Banks Coordinated Malware Attacks Underway).
'Historic Recognition of Risk'
Tom Kellermann, CEO of the investment firm Strategic Cyber Ventures, called White's comments "a historic recognition of the systemic risk facing Wall Street." Cybercriminals "are now organized and sophisticated" and are being driven by others that have deep knowledge of operations in the financial sector, he says.
The SEC chair's statements amount to "a wake up call," Kellerman says. Organizations in the financial sector typically spend about 8 percent of their IT budgets on cybersecurity, and that spending should be at least 20 percent, he contends. Plus, he argues that a portion of marketing budgets should also be allotted to cybersecurity for "brand protection" because marketing departments are using vulnerable mobile apps and web portals as part of their brand recognition efforts.
"Bank regulators have been stressing the critical nature of the cyber threat for some time now, and banks are paying attention," says Shirley Inscoe, senior analyst at the consultancy Aite Group. "The problem is that cyber threats can materialize from so many sources, it is very difficult to prepare adequately." Attacks can be directed against the bank itself, against a third-party vendor or even against a bank customer, resulting in millions of dollars stolen, she notes.
"While banks are continuing to try to thwart all direct hacking attempts, they are also focusing on developing strong business continuity plans to use if hackers are successful, as some will inevitably be," she adds. "They are also responsible for monitoring third-party risk and many are trying to educate their commercial and retail customers concerning cyber threats so they can better protect themselves as well."