Stephen Scharf, DTCC Managing Director and Chief Security Officer
While all industries face the growing threat of cyber attack, the issue is particularly acute for the financial industry due to the interconnected nature of global markets and the potential for a cyber attack to spread quickly through the global financial marketplace.
According to DTCC’s most recent Systemic Risk Barometer, which measures and tracks risk trends among financial institutions globally, 22% of respondents cited cyber risk as the single biggest threat to the financial services industry. More than half of respondents (56%) rated cyber risk a “Top Five” concern.
In 2016, banks around the world disclosed losses in the millions from cyber heists. According to one recent study [1], the average annualized cost of cyber crimes for companies in financial services was $16.5 million – the highest among the 17 industries analyzed in the study.
As the industry continues to adopt FinTech innovations, like blockchain and cloud solutions, firms must continually assess their cyber defenses to ensure they are adequate to counter existing and future threats, said Stephen Scharf, DTCC Managing Director and Chief Security Officer.
Threat Sharing Gains Momentum
Earlier this year, the CEOs of eight banks – Bank of America, BNY Mellon, Citigroup, Goldman Sachs, JPMorgan Chase, Morgan Stanley, State Street and Wells Fargo – formed the Financial Services Analysis and Resiliency Center (FSARC), a new, not-for-profit organization dedicated to identifying, analyzing, assessing and coordinating activities to mitigate the threats and risks of cyber attacks.
“Cyber threat information sharing is a cornerstone of a resilient cyber defense program,” Scharf said. “What one firm learns from its peers can be used to strengthen its defenses before an attack hits.”
The passing of the Cybersecurity Information Sharing Act has removed many of the roadblocks to sharing of threat or cyber security information between the U.S. government and private sector. The law “requires the Director of National Intelligence and the Departments of Homeland Security (DHS), Defense, and Justice to develop procedures to share cybersecurity threat information with private entities, nonfederal government agencies, state, tribal, and local governments, the public, and entities under threats.”
Regulators Weigh In
The industry has seen an increased regulatory focus with regard to cyber. There have been a number of new and emerging regulatory requirements released by the New York State Department of Financial Services (NYDFS), the Federal Reserve and the Federal Deposit Insurance Corporation (FDIC), among others.
The key now, Scharf said, is to harmonize those rules so the industry has a common framework to work under. “There is a cost associated with mapping to different regulatory frameworks,” Scharf said. “A lack of harmonization results in firms having to allocate resources to pull together these dissimilar requirements. Further, it takes resources away from areas that could be used to strengthen the technology environment.”
Many financial firms continue to be challenged with meeting the demands and costs of complying with new regulations resulting from the financial crisis of 2008. A recent report by Oliver Wyman estimates that between 2.5% and 3.5% of North American, European and Australian financial institutions’ total costs come from meeting new regulatory guidelines. That equates to $0.7-1.5 billion in compliance costs per annum for the coming 2 to 3 years for large financial firms. Those numbers would likely increase further if and when new cyber rules are implemented.
The Next Challenge
There is great promise for blockchain technology with many practical and collaborative business applications well underway. Along with the task of integrating blockchain in operations, there is a security element to blockchain that has to be done correctly. “As with any new technology, the cyber security element of blockchain is still in development,” Scharf said.
Scharf notes the potential targeting of the end points of the blockchain network as a risk factor that must be closely monitored. “How do we help ensure those end points are properly protected? We need to bring forward lessons learned from existing distributed ledger deployments. Specifically we know that most successful attacks against the Bitcoin networks have been against the digital wallets.”
“DTCC embraces the promise that FinTech innovations hold to further mitigate risk and reduce post-trade costs,” Scharf said. “However, as with any new and exciting technology advancements, you have to ensure that those innovations do not jeopardize the safety and security of the current global financial marketplace.”
[1] The 2016 Cost of Cyber Crime Study & the Risk of Business Innovation, Ponemon Institute© Research Report, sponsored by Hewlett Packard Enterprise and conducted by Ponemon Institute.