During the Cyber Resilience in a Changing World panel at Sibos in Geneva, Stephen Scharf, DTCC Managing Director and Chief Security Officer, and other cybersecurity thought leaders, discussed the evolution of cyber threats for financial institutions.
Afterwards, Scharf shared insights and key takeaways from the discussion in his podcast, published in DTCC Connection. Scharf noted that as cyber threats continue to evolve, so must the effort to maintain resilient cyber defenses.
“Cyber security is not the kind of activity that has an end state,” he said. “It is a perpetual state of improving, financing and countering existing cyber threats and preparing for future threats.”
The U.S. Commodity Futures Trading Commission (CFTC), New York State Department of Financial Services (NYDFS), Monetary Authority of Singapore (MAS), CMPI IOSCO and SWIFT have all recently come out with cyber security guidance.
“We applaud these groups for focusing on cyber security,” Scharf said. “However, at the same time, because everyone is focusing on this topic, it increases the need for harmonization on how the industry approaches cyber security. We need to be consistent around best and expected practices.”
Related: It Takes a Cyber Community to Prevent Online Attacks
Cyber Insurance Purchases on the Rise
An increasing awareness and appreciation of cyber risk, from the boardroom to the data center, is a key driver behind the rise in cyber insurance purchasing among financial institutions, according to an insurance industry survey.
Standalone cyber insurance purchases among Marsh financial institutions clients increased by 28% from 2014 to 2015, according to Benchmarking Trends: Operational Risks Drive Cyber Insurance Purchases, a report prepared by Marsh’s Cyber Practice. The growth continues a pattern of rising cyber insurance purchasing among March financial institution clients that saw an 18% increase in 2014 over 2013, and a 29% increase in 2013 over 2012.
While guidelines may differ, Scharf stressed that to achieve a high level of cyber security, it is essential for companies to leverage these proven best practices:
- Cybersecurity basics: While it can be tempting for companies to chase the latest cybersecurity solutions, even the most cutting-edge system will be of little use if the basics are not in place. We cannot overstate the benefits of robust implementation of "old-school" approaches, such as patch management, vulnerability management, separation of duties, identity management and access management.
- Information sharing about cyber threats: A robust set of internal controls is a critical component of a cyber security strategy, but current complexities no longer allow firms to attempt to independently protect against the myriad of existing threats. Thus, information sharing has become a powerful cybersecurity tool. By quickly sharing details of a cyberattack with the wider community, any one company has the potential to quickly render a new attack ineffective. Essentially, information sharing serves as a foundation for the cyber equivalent of "herd immunity," inoculating the wider cyber community against the most virulent threats at any given time.
- Monitoring network activity to identify anomalies: Network administrators have long recorded and analyzed daily system logs in order to identify anomalies that can arise from something as seemingly innocuous as opening a PDF file sent from an external network or clicking on a phishing link.