The best incentive banks have to strengthen their cyber defenses? To preserve customer trust.
That's the message the financial industry sent in comments filed Monday with the Obama administration, which has asked the public to weigh in on what inducements might spur companies to adopt a cybersecurity framework being proposed by the White House.
"Financial services is built upon trust with our clients, trust between our firms and the trust to ensure the proper functioning of markets, the execution of transactions and the protection of information," Charles Blauner, who chairs the Financial Services Sector Coordinating Council, or FSSCC, wrote to the National Telecommunications and Information Administration. "It is the cornerstone of everything we do."
Incentives also should be sufficiently significant to influence private investment, to reduce companies' compliance costs and to minimize the risk of legal action, according to JPMorgan Chase (JPM), Bank of America (BAC), Citigroup (NYSE:C), Wells Fargo (WFC), Goldman Sachs (GS), Morgan Stanley (MS), MasterCard (MA), Visa (NYSE:V), PayPal, Fannie Mae, Freddie Mac, the American Bankers Association, the National Association of Federal Credit Unions and roughly 41 other companies, exchanges and trade groups that make up the council's membership.
An executive order issued in February by the White House gives the government eight months to map out preliminary guidelines for protecting financial networks, energy grids and other critical infrastructure from cyberattack. As part of the push, the Commerce Department in March asked the public to comment on ways to help promote the adoption of measures to address cybersecurity vulnerabilities.
The department asked about the adequacy of current incentives, whether industries lacked sufficient incentives to invest in cybersecurity, how companies assess costs and benefits of reinforcing cyber defenses, and the best ways to encourage businesses to invest in strengthening their defenses.
Financial firms will struggle to articulate a series of incentives until they know what requirements, if any, may be added to those already in place, according to the FSSCC.
However, whatever framework emerges should draw fully on federal law enforcement agencies to help defend against and deter cyberattacks, the group said. Spending by financial firms each year would jump by a factor of 13, to an average of $292.4 million per company, to fend off 95% of serious cyberattacks, according to a study last year by the Ponemon Institute and Bloomberg that the FSSCC cited. "Clearly this is unsustainable and uneconomical no matter what incentives are proposed," Blauner wrote.
Regulators also should modify rules the companies say impede efforts among private-sector firms and the government to share information in real time. The government also must step up the prosecution of cyber thieves at both the federal and state levels, according to the FSSCC.
"There is an expectation that individuals, organizations or countries that engage in cyberattacks will not be caught and hence can continually attempt to breach the protections that firms put in their way until they are eventually successful in their attacks," Blauner wrote. "In contrast, when an individual robs a bank, the expectation is that he or she will be caught and brought to justice, which is based less on the substantial precautions that banks undertake than upon the response of the local, state and federal government to enforce effective laws."
The FSSCC detailed a dozen specific measures that could spur adoption of a cybersecurity framework by members. The incentives include federal grants to the Financial Services Information Sharing and Analysis Center, an industry group, to encourage information sharing, along with grants to stimulate development of new technology.
Companies that perform well on audits of their cyber defenses by one regulator also should receive a reprieve from similar reviews by other regulators, according to the group, which also called for the government to work with other countries to harmonize rules that govern cybersecurity globally.
The administration also should push for laws that increase penalties for cybercrime, promote partnerships among law enforcement organizations worldwide, and create "some level of deterrent at the national level that will focus on nation states and sophisticated actors that have large-scale capabilities to disrupt and destroy," Blauner wrote.
Companies also should be able to deduct the entire cost of computing hardware and software from taxable income, and qualify for tax credits or other financial incentives for adopting the framework, according to the FSSCC.
Financial firms also would be more likely to adopt the framework if the government were to shield them from liability for sharing information with one another; immunize them from the provisions of the Freedom of Information Act for information they hand over to the federal government; shield companies from lawsuits by the Federal Trade Commission or state attorneys general for alleged breaches of information security that flow from companies' adoption of the framework; and shield them from liability for harm that may arise from the adoption of cutting-edge technology, the companies said.
Telecommunications and technology companies also should be required to filter Internet traffic thought to be harmful and to install capabilities to screen threats from the networks that connect financial firms, the group said. "If we are to stand a chance of defending critical infrastructure within the financial sector we need incentives that will motivate these two partner sectors to increase the protections embedded in their networks," Blauner wrote.