L to R: Stephen Scharf (moderator), DTCC Managing Director and Chief Information Security Officer; Jerry Perullo, ICE/NYSE Chief Information Security Officer; John Rogers, BNP Paribas, Americas.
The growing sophistication of cyberattacks requires firms to take a holistic view of their business needs and operations while employing a variety of methods to prioritize types of cyberattacks. This and other key insights on cyber resilience were shared by a panel of experts at the recent 2019 DTCC Annual Client Risk Forum.
Stephen Scharf, DTCC Managing Director and Chief Security Officer, was joined by Jerry Perullo, Intercontinental Exchange (ICE) Chief Information Officer, and John Rogers, BNP Paribas Chief Information Security Officer (Americas), for a panel discussion on strategies for strengthening the financial industry’s resilience against an ever-evolving range of cyberattacks.
Theft-Based vs. Destruction-Based Cyber Attacks
Ten years ago, most cyber resilience programs were geared around criminals stealing or breaching data. Fast forward to the present, many cyberattacks are based on destroying an organization. The evolution from theft-based attacks to destruction-based attacks has led organizations to rethink their cybersecurity strategies.
Perullo explained that it is important for companies to look at their overall business and choose their battles, so that resilience can be built without inhibiting normal business activity. To this end, organizations rate different types of cyberattacks and prioritize accordingly.
“We risk-rate cyberattacks by taking into account our controls, incidents, observations, red teaming results and see where we land,” he said. “For financial market infrastructures (FMI), a destruction-based attack—or sabotage, as we label it—is the number one risk.”
Rogers agreed, reflecting on the severity of these attacks.
“Resilience is an important topic because we are now talking about cyberattacks that are extremely disruptive,” he said. “It’s no longer about stealing data—it’s about rendering an organization completely inoperable.”
To Disconnect or Not to Disconnect?
Addressing the topic of interconnectedness, Scharf mentioned the breakdown of trust in case of a cyber event occurring within an organization—should the rest of the industry disconnect as a defense strategy?
Perullo felt that a complete disconnect was unnecessary due to natural reconciliation processes already in place for human error or technological glitches. He also felt that disconnecting certain systems would have a negative impact, such as stopping payments.
“It’s really easy to say no to everything all the time,” he said. “As cyber risk professionals, we have to weigh out our options and look at what type of risk mitigation mechanisms are already in place.”
Calling it a “complex issue,” Scharf said a larger conversation is needed, especially with the prevalence of malware propagation, email compromises and other risks created by IT connectivity.
“We do need to collaborate across the industry and bring vendors and clients into the conversation,” he said. “It’s important everyone understands what needs to be done in case of a cyber event related to interconnectedness.”
Addressing the subject of government involvement in combating cyberattacks, Rogers noted government intervention should be minimal. Since the vast majority of cyber incidents are not nation state attacks, government involvement is not needed in most cases. Further, cyberattacks are not geographically isolated, so it would be difficult to decide which country’s government should get involved.
“The government’s mandate is national security,” he said. “If an organization that is systemically important for the financial markets encounters a severe cyberattack, then perhaps government should play a role. Beyond that, there is no need for government involvement.”
Cloud Adoption and Human Capital
Panelists had a generally positive outlook on cloud adoption, agreeing that the method of adoption was the most crucial element. While the cloud brings several benefits to the industry, it’s still a relatively nascent technology and there aren’t enough skilled practitioners to ensure proper implementation of the cloud across the industry. Panelists agreed that in all areas surrounding cybersecurity, there is no substitute for skilled and experienced technology professionals.