Recently, SEC Commissioner Luis Aguilar stated that a major cyber-attack is "inevitable". His sense of urgency was underscored with a full-day roundtable on cyber-threats hosted by the SEC on March 26th. Notably, all the SEC Commissioners attended the roundtable.
With regulators making such a pointed statement, each financial services participant should ask, “Are we prepared for the inevitable?”
For those who cannot provide an unqualified "yes" (and who really can do that?), now is the time to take active steps to boost your game. One key take-away from the SEC roundtable was that regulators will be looking to senior management to provide firm-wide leadership. A recent framework circulated by the US government provides some guidance about how to go about this. A white paper developed by the active-threat protection firm eSentire provides background on developments in the world of cyber-crime and specific steps that senior management, compliance and IT professionals might take to minimize cybersecurity risks.
At a time when the types of attacks and their volume may be unclear, one thing is clear. This is yet another area that requires a risk-assessment, coupled with a firm-wide governance approach. As regulators begin to ask how breaches are escalated, senior managers must determine how they would know if a breach occurred. (Many breaches are not detected for significant periods of time.) As a firm learns about the existence of a breach (and more likely multiple breaches), it must consider how to respond. Any answer requires consideration from multiple, inter-disciplinary viewpoints—not simply from the perspective of recovering network capabilities.
Factors to consider include the need to keep clients, regulators and other stakeholders informed; the extent to which the firm will voluntarily assist enforcement personnel in any investigation; and whether any disclosure or reporting is mandated. Firms will also need to change the way they think about cyber-risks: moving from a mentality that focuses on “how to keep the bad guys out” to one that emphasizes how to prevent intruders from moving assets out of the firm once they are already inside.
Watch for acceptable standards to morph rapidly as the cyber-crime area is tackled in the coming months.