WASHINGTON — Federal and state regulators need to coordinate better when it comes to tackling cybersecurity challenges in the financial sector, according to a top Treasury Department official and other experts speaking Thursday at a panel on the issue.
Deputy Treasury Secretary Sarah Bloom Raskin said teams in various levels of government are coming together to share information and best practices, but she said state supervisors need to streamline their efforts.
Cybersecurity is "a silo-busting kind of activity," Raskin said. "What we're going to need to do is harness the findings" from various regulators and "figure out ways that we harmonize them. We don't want to see emerge the development of multiple sets of standards, multiple guidances."
Raskin made her remarks while moderating a panel on cybersecurity at the Women in Finance and Technology Symposium, which was organized by Treasury and the White House Council on Women and Girls.
Speaking on the panel, Ellen Richey, the vice chairman of risk and public policy at Visa, said that coordination among global policymakers was also necessary to avoid "a proliferation of standards."
"The government as a convener is important," she said.
Government officials noted that they are already working together in many respects. Several agencies have collaborated on "joint exercises" to test their responses to cybersecurity emergencies, said Treasury Secretary Jacob Lew.
In the event of a cyberattack, Treasury makes sure to "share that kind of information with our partners in the law enforcement and intelligence communities," said Leslie Ireland, the assistant secretary for intelligence and analysis.
State regulators have also taken an interest. The New York State Department of Financial Services has conducted several cybersecurity surveys with banks and insurance companies and shared its findings with other state regulators and the public at large, said Maria Filipakis, its executive deputy superintendent of capital markets.
Financial services companies should implement top-down policies to tighten their safeguards so that "cybersecurity is woven into the fabric of a firm," Filipakis said.
They also should conduct thorough reviews of their business partners, asking themselves, "Who are their third-party service providers, who are the contractors of these providers?" she said.
Raskin did seek to reassure the industry that the government is not imposing a zero-tolerance policy. It will take cost-benefit analyses into account when it comes to any new requirements.
"The question is not, how do we ... take the number of cyberthreats and actually break them down to zero," she said. "We're realistic."
Visa's Richey responded that the brunt of cybersecurity costs should not be borne only by the most vulnerable companies.
"I understand that you can't reduce the threat to zero, but I certainly hope that my colleagues in government are hoping to reduce it somewhat," she said. "It's the job of the private sector to raise the cost of" breaching a system's cyberdefenses. "The job of the public sector is to raise the risk" of being caught.
Government agencies also need to implement careful controls and increase awareness of cybersecurity risks that can now pop up outside of the "work desk," Ireland at the Treasury Department said. Even "Fitbits present a cyber challenge in today's world."
Once criminals have gained access to an individual's information, it becomes easier for them to breach an organization's defenses. "They're not hacking into your system anymore; they're going through the front door," Ireland said.
Richey suggested that government agencies could follow the example of Visa, which regularly sends bogus phishing emails to its employees to keep them continually aware of cyberthreats. "I actually refused to click on an email from Treasury," she said, "because I thought it was fake."