Cyberattacks on financial institutions are becoming more frequent and complex, threatening the safety and soundness of the global financial services industry. According to the 2022 DTCC Systemic Risk Forecast, more than half (59%) of respondents included cybersecurity as a top five risk, with 24% citing it as the biggest risk impacting the global financial system in 2022.
One of the ways firms can mitigate the impact of cyberattacks is through cyber advocacy efforts. DTCC Connection discussed this cybersecurity strategy with Kelly Feili, DTCC Director of External Engagements.
DC: “Cyber Advocacy” is a newer term. Can you give some context as to what it entails?
KF: At DTCC, cyber advocacy is supporting the ongoing development and implementation of our engagement strategy as it relates to cybersecurity, resilience and third-party risk management with trade associations, public sector partners and other relevant stakeholders. Cyber advocacy includes collaboration efforts within the financial services sector to:
- Promote and incorporate DTCC cyber advocacy into industry initiatives including best practices, new guidance and new rules
- Identify and develop potential solutions to cybersecurity challenges within the sector through trade and industry association working groups and committees
- Educate government and global regulatory authorities on cyber and resilience challenges within the sector
DC: The cyber landscape has evolved dramatically over the last three to five years. How has that impacted cyber advocacy over time?
KF: A few years ago, advocacy was viewed by most firms as an ad-hoc, part-time effort. Increasingly, firms are recognizing the importance of industry collaboration efforts and creating dedicated roles for supporting external engagement work. Cyber adversaries are gaining sophistication and targeting third parties, creating the risk of a one-to-many compromise. Additionally, there is a shift in attention toward resilience, assuming a cyberattack will happen and seeking to limit the impact, rather than only focusing on preventing an attack. This shift towards a resilience-focused strategy has highlighted the need for industry collaboration, as it emphasizes that we are only as strong as our weakest link within the financial services sector.
DC: What are the different cyber advocacy programs and associations that DTCC is involved with?
KF: DTCC collaborates with a number of trade associations and industry groups as part of our cyber advocacy work to support various initiatives. Each group has a slightly different focus; however, the goals are similar in that they aim to bring financial services firms together to address common cyber-related concerns. A few of these groups include:
- Financial Services Sector Coordinating Council (FSSCC)
- Cyber Risk Institute (CRI)
- International Institute of Finance (IIF)
- Analysis and Resilience Center (ARC)
DTCC participates in a joint FSSCC-FBIIC (Financial and Banking Information Infrastructure Committee) working group that aims to address the financial services sector’s learnings following a recent supply chain attack. We also partner with CRI to promote the Financial Services Profile, which provides a unified approach for assessing cybersecurity risk and integrates widely used standards and supervisory expectations. The Profile is beneficial to the financial services sector to avoid questionnaire fatigue and allow for cyber resources to be deployed more effectively.
Across the globe, lawmakers, standard-setting bodies and regulators have been updating their cyber-related guidance and requirements. DTCC works through the trade associations and industry groups to draft comments in response to consultation papers that introduce a new set of principles or rules to ensure DTCC’s and the sector’s perspective is incorporated into the final set of principles or rules.
DC: Why should firms participate in cyber advocacy programs?
KF: Cyberattacks are increasing in both sophistication and frequency, with many industry leaders believing an attack on one or more financial services firms is imminent. Recently, SIFMA published a report, “Navigating Cyber 2022”, noting cybersecurity is no longer just a back-office cost and cyber threats pose critical business risks including operational disruption, lawsuits and credit downgrades.
An effective cyber defense requires an industry-wide effort given the interconnectedness of financial services. Industry and trade associations collaborate with the sector to identify common top cyber-related concerns and develop activities to address those concerns. The sector has also started engaging more with the public sector to bring transparency to threat intelligence information and disclosure of cyber incidents, with the goal to enhance operational and cyber resilience.
It is imperative to form strong, on-going partnerships with consistent participation to protect firms and the sector. Additionally, voicing individual firms’ viewpoints during discussions with public sector partners will help shape practical principles and requirements.
DC: How can firms take a next step in their cybersecurity efforts to become better cyber advocates?
KF: There is no shortage of advocacy initiatives that seek to reduce the likelihood of a cyberattack causing a major impact to individual firms and the financial markets. Trade associations and industry groups help lead the way for identifying the common sector concerns and focus areas on an annual basis.
Firms should ensure their insights and opinions are incorporated into these common concerns and focus areas and that they are participating in initiatives in a manner that is proportionate to their size. Creating partnerships throughout the sector will benefit firms in the event an internal or industry-wide cyber incident occurs.
For any firm that is interested in learning more about becoming a cyber advocate, feel free to contact me at [email protected]