Panel cites information sharing and the need for regulatory alignment as key priorities
Michael Bodson, DTCC President & CEO
What should be the priorities when it comes to protecting critical infrastructures, like the financial services sector, from cyber threats?
Michael Bodson, DTCC President and CEO, was among a panel of experts who addressed that question during the “Designing for Cyber-Resilience” panel at the World Economic Forum in Davos, Switzerland last month.
During his comments, Bodson said cyber attacks are always top of mind for him, adding that it is the risk most likely to keep him awake at night. “A cyber attack is the greatest threat facing the industry today,” he said. “Because of the interdependencies of the financial marketplace, an attack on any financial institution could potentially have a systemic effect resulting in a disruption to the global banking system.”
That concern is well founded: Verizon’s 2015 Data Breach Investigations Report found that the financial services sector remains one of the most heavily targeted industries globally, with roughly one-third of the cyber attacks it analyzed affecting financial organizations.
“A key to winning the cyber war is automation and information sharing – a community defense model,” Bodson said. “We have to make it more expensive to launch attacks by limiting the cyber-criminals’ ability to re-use a particular virus or strategy.”
DTCC’s joint venture with the Financial Services Information Sharing and Analysis Center (FS-ISAC) and industry volunteers produced Soltra in late 2014. Its first product, Soltra Edge™, consumes large volumes of complex intelligence across industries and then standardizes, prioritizes and routes it to clients in real time.
“Automation has enabled the industry to reduce the threat indicator analysis lifecycle and immediately shut off an attack,” Bodson said. “That gives criminals much less time to inflict damage.”
The panel also discussed how to work within the “patchwork of regulations” created to protect critical infrastructures. Bodson lamented that regulatory requirements related to protecting against cyber attack are problematic for two reasons: First, they are intended to solve yesterday’s challenges, and second, they are not harmonized globally.
“Many regulators follow an old checklist of requirements when performing an examination,” he said. “This forces financial institutions to put time and resources into ensuring compliance instead of protecting against current or new types of attacks.”
As an example, Bodson cited the CPMI-IOSCO consultative paper from November 2015, Guidance on Cyber Resilience for Financial Market Infrastructures, which calls for full recovery from a cyber event within two hours.
“When you are under a cyber attack, one of the worst things you can do is turn on machines too quickly,” Bodson said. “Yes, we must meet regulatory obligations, but at what price? By turning on the systems too quickly, you could promulgate that virus throughout the system.”