The best incentive banks have to strengthen their cyber defenses? To preserve customer trust.
That's the message the financial industry sent in comments filed Monday with the Obama administration, which has asked the public to weigh in on what inducements might spur companies to adopt a cybersecurity framework being proposed by the White House.
"Financial services is built upon trust with our clients, trust between our firms and the trust to ensure the proper functioning of markets, the execution of transactions and the protection of information," Charles Blauner, who chairs the Financial Services Sector Coordinating Council, or FSSCC, wrote to the National Telecommunications and Information Administration. "It is the cornerstone of everything we do."
Incentives also should be sufficiently significant to influence private investment, to reduce companies' compliance costs and to minimize the risk of legal action, according to JPMorgan Chase (JPM), Bank of America (BAC), Citigroup (NYSE:C), Wells Fargo (WFC), Goldman Sachs (GS), Morgan Stanley (MS), MasterCard (MA), Visa (NYSE:V), PayPal, Fannie Mae, Freddie Mac, the American Bankers Association, the National Association of Federal Credit Unions and roughly 41 other companies, exchanges and trade groups that make up the council's membership.
An executive order issued in February by the White House gives the government eight months to map out preliminary guidelines for protecting financial networks, energy grids and other critical infrastructure from cyberattack. As part of the push, the Commerce Department in March asked the public to comment on ways to promote the adoption of efforts to address cybersecurity vulnerabilities.
The department asked about the adequacy of current incentives, whether industries lacked sufficient incentives to invest in cybersecurity, how companies assess costs and benefits of reinforcing cyber defenses, and the best ways to encourage businesses to invest in strengthening their defenses.
Financial firms will struggle to articulate a series of incentives until they know what requirements, if any, may be added to those already in place, according to the FSSCC.
However, whatever framework emerges should draw fully on federal law enforcement agencies to help defend against and deter cyberattacks, the group said. Spending by financial firms each year would jump by a factor of 13, to an average of $292.4 million per company, to fend off 95% of serious cyberattacks, according to a study last year by the Ponemon Institute and Bloomberg that the FSSCC cited. "Clearly this is unsustainable and uneconomical no matter what incentives are proposed," Blauner wrote.
Regulators also should modify rules the companies say impede efforts among private-sector firms and the government to share information in real time. The government also must step up the prosecution of cyber thieves at both the federal and state levels, according to the FSSCC.
"There is an expectation that individuals, organizations or countries that engage in cyberattacks will not be caught and hence can continually attempt to breach the protections that firms put in their way until they are eventually successful in their attacks," Blauner wrote. "In contrast, when an individual robs a bank, the expectation is that he or she will be caught and brought to justice, which is based less on the substantial precautions that banks undertake than upon the response of the local, state and federal government to enforce effective laws."
The FSSCC detailed a dozen specific measures that could spur adoption of a cybersecurity framework by members. The incentives include federal grants to the Financial Services — Information Sharing and Analysis Center, an industry group, to encourage information sharing, along with grants to stimulate development of new technology.






































