When can an organization rest assured that it's done enough to secure itself and its customers or constituents against cyberattacks? It's a question bank chief executives and boards ask themselves when wire-transfer fraud occurs, when new malware strains like Svpeng emerge, when denial-of-service attacks take place, and when data breaches happen. The question cropped up again and again at a cybersecurity event in New York on Tuesday.
"In a world where the leading experts in this space say almost anything can be hacked, regardless of how careful you are — how much is enough? And what is the right configuration of enough, technologically and financially?" Tim Pawlenty, the CEO of the Financial Services Roundtable, said at the event, which was hosted by Deloitte.
It's hard to know for sure because no defenses are entirely foolproof. But experts say that if they can't secure everything, banks need to at least identify the most critical assets and do everything in their power to secure them. Upper management also has to be engaged and provide direct oversight of cybersecurity strategy, according to Robert Mueller, a former director of the FBI under Presidents George W. Bush and Barack Obama.
Mueller, one of the speakers at the event, said one mistake he made when running the bureau was delegating important information technology functions to third-party vendors or consultants.
"On September 11,  our technology was antiquated to say the least," he said. "Much of it dated back to the 60s and 70s." Mueller ordered the development of a new case management system, but he said the project took longer and cost more than expected because he delegated too much responsibility to a third-party vendor.
"That was a mistake," he said. "I did not ask the hard questions I should have made sure it was on track." The contractor was replaced and the project eventually completed.
Private-sector CEOs dealing with cybersecurity technology make this same mistake, he said. "Delegating can do so much reputational damage to your organization," Mueller said. "[Cybersecurity] is not something CEOs and boards can delegate, they have to drill down and make sure they make the [chief information security officers] and IT managers explain in good English to the point where they are satisfied that they know what is happening."
Another lesson learned from this incident, Mueller said, was the need for patience. "One problem I had with IT was being impatient to get it on board and pushing through certain guideposts to make sure we were on track."
Mark Clancy, managing director of technology risk management at the Depository Trust & Clearing Corporation, a bank-owned financial services company that provides clearing and settlement services to the financial markets, raised his own security question. "What level of resiliency do we need to build to?" he asked. In the physical world, financial institutions build their infrastructure to be resilient enough to withstand a car bomb attack, he noted.
"Where do we set the expectation of resiliency in cyberspace?" he asked. "Are these Wiper attacks" — the nickname for a series of malware attacks carried out on computers in South Korea last year — "the equivalent of car bombs and we must have resilience for them?"
Mueller replied that banks need to identify their crown jewels and do everything they can to protect those critical assets. "If you're going to protect everything — the network, the broad, outer ring — how much money are you going to put in this?" he said. He added that he doesn't think this is a discussion all CISOs, CEOs and boards are having and that most are instead focused on looking for signs of a data breach.
Mary Galligan, director at Deloitte, agreed companies must figure out what their most critical assets are and do everything they can to protect them.
"What can I afford to [have affected by a denial of service attack]? What can I afford to have stolen, and what is it I cannot, no matter what, afford to have destroyed?" she said. An organization might decide it can live with a DDoS attack on its customer-facing website, which would prevent people from seeing the latest information about the company.
"Companies have to be completely resilient where if something were destroyed, that would be the crux of the business," she said. "The CEO is deciding what he can let walk out the door."