The best incentive banks have to strengthen their cyber defenses? To preserve customer trust.
That's the message the financial industry sent in
"Financial services is built upon trust with our clients, trust between our firms and the trust to ensure the proper functioning of markets, the execution of transactions and the protection of information," Charles Blauner, who chairs the Financial Services Sector Coordinating Council, or FSSCC, wrote to the National Telecommunications and Information Administration. "It is the cornerstone of everything we do."
Incentives also should be sufficiently significant to influence private investment, to reduce companies' compliance costs and to minimize the risk of legal action, according to JPMorgan Chase (JPM), Bank of America (BAC), Citigroup (NYSE:C), Wells Fargo (WFC), Goldman Sachs (GS), Morgan Stanley (MS), MasterCard (MA), Visa (NYSE:V), PayPal, Fannie Mae, Freddie Mac, the American Bankers Association, the National Association of Federal Credit Unions and roughly 41 other companies, exchanges and trade groups that make up the council's membership.
An
The department asked about the adequacy of current incentives, whether industries lacked sufficient incentives to invest in cybersecurity, how companies assess costs and benefits of reinforcing cyber defenses, and the best ways to encourage businesses to invest in strengthening their defenses.
Financial firms will struggle to articulate a series of incentives until they know what requirements, if any, may be added to those already in place, according to the FSSCC.
However, whatever framework emerges should draw fully on federal law enforcement agencies to help defend against and deter cyberattacks, the group said. Spending by financial firms each year would jump by a factor of 13, to an average of $292.4 million per company, to fend off 95% of serious cyberattacks, according to a study last year by the Ponemon Institute and Bloomberg that the FSSCC cited. "Clearly this is unsustainable and uneconomical no matter what incentives are proposed," Blauner wrote.
Regulators also should modify rules the companies say impede efforts among private-sector firms and the government to share information in real time. The government also must step up the prosecution of cyber thieves at both the federal and state levels, according to the FSSCC.
"There is an expectation that individuals, organizations or countries that engage in cyberattacks will not be caught and hence can continually attempt to breach the protections that firms put in their way until they are eventually successful in their attacks," Blauner wrote. "In contrast, when an individual robs a bank, the expectation is that he or she will be caught and brought to justice, which is based less on the substantial precautions that banks undertake than upon the response of the local, state and federal government to enforce effective laws."
The FSSCC detailed a dozen specific measures that could spur adoption of a cybersecurity framework by members. The incentives include federal grants to the Financial Services Information Sharing and Analysis Center, an industry group, to encourage information sharing, along with grants to stimulate development of new technology.
Companies that perform well on audits of their cyber defenses by one regulator also should receive a reprieve from similar reviews by other regulators, according to the group, which also called for the government to work with other countries to harmonize rules that govern cybersecurity globally.
The administration also should push for laws that increase penalties for cybercrime, promote partnerships among law enforcement organizations worldwide, and create "some level of deterrent at the national level that will focus on nation states and sophisticated actors that have large-scale capabilities to disrupt and destroy," Blauner wrote.
Companies also should be able to deduct the entire cost of computing hardware and software from taxable income, and qualify for tax credits or other financial incentives for adopting the framework, according to the FSSCC.
Financial firms also would be more likely to adopt the framework if the government were to shield them from liability for sharing information with one another; immunize them from the provisions of the Freedom of Information Act for information they hand over to the federal government; and shield companies from lawsuits by the Federal Trade Commission or state attorneys general for alleged breaches of information security that flow from companies' adoption of the framework, as well as from liability for harm that may arise from the adoption of cutting-edge technology, the companies said.
Telecommunications and technology companies also should be required to filter Internet traffic thought to be harmful and to install capabilities to screen threats from the networks that connect financial firms, the group says. "If we are to stand a chance of defending critical infrastructure within the financial sector we need incentives that will motivate these two partner sectors to increase the protections embedded in their networks," Blauner wrote.