Mondo Visione Worldwide Financial Markets Intelligence

SIFMA Outlines Five-Part Effort To Address Cyber Threats In Testimony To Congress

Date 19/05/2015

SIFMA president and CEO Kenneth E. Bentsen, Jr., testified today before the House Financial Services Subcommittee on Financial Institutions and Consumer Credit at a hearing entitled “Protecting Critical Infrastructure: How the Financial Sector Addresses Cyber Threats.” Bentsen’s full written testimony can be found at the following link: http://www.sifma.org/issues/item.aspx?id=8589954744.

In his comments, Bentsen outlines SIFMA’s comprehensive, five-part effort to address cybersecurity threats and related risks to its membership of banks, broker-dealers and asset managers and the financial services industry at large, with the ultimate goal of enhancing protections for the capital markets and the millions of Americans who use financial services every day. Bentsen underscores that a robust partnership between the industry and government is the most effective way to mitigate threats, and that information sharing legislation is essential to strengthen this partnership.

Bentsen notes “a large-scale cyber attack is likely the most significant and systemic threat facing our economy today… SIFMA member firms have invested huge sums of capital into their cyber deterrence programs over the years and have enhanced their efforts to match the growing threat. From criminals seeking financial gain, to nation states committing corporate espionage, to cyber terrorists seeking to dislocate markets and destroy confidence, cyber threat actors are becoming more sophisticated, making cybersecurity an area of risk that must be actively managed by firms similar to all other areas of risk.”

Additional testimony excerpts regarding SIFMA’s effort to address five key aspects of cybersecurity are below:

Standards
“Effective cybersecurity regulatory guidance is critical for both the financial services sector and the other critical infrastructure sectors we rely on.”

“We have suggested, via our published Principles for Effective Cybersecurity Regulatory Guidance, that regulations be harmonized across agencies for greater effectiveness.”

“A standardized set of controls and a process for implementing and evaluating those controls by third parties would foster greater transparency and confidence in a critical component of our overall ecosystem.”

Improving Resiliency in the Markets
“SIFMA assembled a working group to develop a diagnostic on the U.S. equity and Treasury markets… At a high level, the most important cybersecurity issues identified by the working group were the need for destructive malware defense and analysis capabilities, the development of cybersecurity standards for third party providers and the need for improved incident response coordination.”

Incident Response
“Building off the after-action reports and lessons learned from the cyber exercise ‘Quantum Dawn 2’ and from our experience with Superstorm Sandy, SIFMA developed and documented the protocols and process to create an industry consensus recommendation to respond to a systemic incident within the Equity and Fixed Income markets.”

“This dialogue has evolved into a joint exercise program composed of quarterly table top exercises for both public and private sector firms and agencies to discuss the specific capabilities and response processes that would be executed in the event of a successful cyber attack against the financial industry.”

Insider Threat
“SIFMA developed a set of best practices... to assist firms in the development of their own insider threat mitigation programs. This best practices guide provides context, considerations, and a method for implementation of an insider threat program that aligns with the NIST Cybersecurity Framework to facilitate integration into firms’ cybersecurity programs and allow synergies to be leveraged as many risks overlap.”

Information Sharing
“SIFMA has funded a one year membership [with the Financial Services Information Sharing and Analysis Center, or FS-ISAC] for 181 SIFMA members in the small firm category in order to achieve a near 100% membership overlap.”

“We have also sought ways to increase the level of cyber defense and readiness for small firms, by publishing a cybersecurity guidebook informed by best practices at larger institutions and government partners centered on the NIST Cybersecurity Framework.”

“SIFMA and its members are leaders in both the development and support of Soltra Edge, a software solution from DTCC and FS-ISAC that is designed to facilitate the collection of cyber threat intelligence from various sources, convert it into an industry standard language and provide timely information on which users can decide to take action to better protect their company.”

“Overall, there has been a marked improvement in information sharing between the financial sector and Law Enforcement, the Departments of the Treasury, and the Department of Homeland Security. A few aspects of the industry-wide cybersecurity effort, however, would particularly benefit from greater U.S. government involvement.”

“There is a need for Congress to continue their productive engagement in this effort to improve our cybersecurity and the best place to focus is taking up and passing S. 754, the Cybersecurity Information Sharing Act (CISA) of 2014.”

Conclusion
“Neither the industry nor the government can prevent or prepare for cyber threats on their own. SIFMA believes that a dynamic and collaborative partnership between the industry and government is the most effective path forward to accomplishing this goal.”

Please visit www.sifma.org/cybersecurity for more information on SIFMA's efforts on behalf of the financial industry.