BankThink

Why Banks Need to Adopt a Common Cybersecurity Language

On May 6, 2010, the U.S. stock market plunged more than 1,000 points within minutes. Major equity indices in both the futures and securities markets lost 10% of their value before ultimately correcting to lose 3% by the end of the day. While regulators found a number of causes for the so-called Flash Crash, the events of that day were a startling reminder to the global financial industry about how quickly systems can fail in a world of fully automated trading networks.

If a cyberattack had been the reason for the Flash Crash, or even triggered Knight Capital Group’s $440 million trading glitch this summer, would the markets have righted themselves that day? Could we answer this question: Why was this not stopped earlier?

Today, with technology outpacing regulation and the banking industry's data and infrastructure constantly under threat of cyberattack, the time is right for Wall Street and its regulators to formulate a comprehensive, industrywide approach for measuring, monitoring and communicating threats. 

Establishing a common language will allow financial institutions to quickly identify, understand and share information about threats, plan for different scenarios and build the systems required to effectively defend their interests.

The reality of our cybersecurity environment is grim. Firewalls and data encryption don't do enough to protect intellectual property, financial assets, operational systems and reputation. We are seeing an alarming increase in the number of cyberattacks from outside as well as inside organizations, and we know that greater public awareness of such incidents creates immediate and sometimes long-lasting negative business impacts.

Currently, at banks of all sizes, the discussion of cyber risk is happening at three levels: boards discuss threats in the context of risk management and corporate reporting; senior executives determine the resources needed to mitigate risk and protect the firm's long-term performance; and technical teams develop new processes and integrate solutions to solidify their security operations. These are worthwhile conversations, and stakeholders outside of these organizations could find the outputs beneficial.

But, while internal cybersecurity frameworks exist, only a common language that encompasses technology and analytics, along with business processes, engineering and human capital development will provide the multidimensional approach needed to leverage the best in technology, people and processes.

It's time for financial institutions to work with the government to adopt the use of this common language. For guidance, they can look to other industries. For example, for over 50 years the National Security Telecommunications Advisory Committee has empowered major telecommunications companies, network service providers and finance and aerospace companies to share information on threats to the national telecommunications infrastructure. Today, the telecommunications industry's systems continue to run even in challenging times.

While a common language makes sense, financial institutions have sidestepped coordination and collaboration. In good times, significant changes to the status quo put time and reputation at risk. And, in bad times, no one has the opportunity to take what some might consider a leap of faith. We could also lay blame with Congress' inability to pass the Cybersecurity Act of 2012 and organizations' unwillingness to make any significant changes until there is more certainty coming from Capitol Hill.

If we allow delays to continue, the result could be far more catastrophic than the Flash Crash, where securities exchanges canceled hundreds of thousands of trades at unexpectedly low prices.

Firms will quickly fall prey to cyberespionage and attacks if they continue to use the old functional-control model. Wall Street is continuously bombarded by cyberaggressors attempting to steal or disrupt merger plans, personal financial data or even the technology that keeps the New York Stock Exchange, Nasdaq and brokerage firms running. 

The banking industry is too interconnected, too global and too prone to systemic risk to wait until the next crisis forces its hand. Taking action now will prevent the inevitable erosion of customer trust and confidence, degradation of brand reputation, loss in shareholder value, operational disruptions and aggressive regulatory intervention that will likely result from a major cyberattack. Comprehensive cybersecurity – together with a common language – should be a defense rooted in a belief that we are all in this together.

Bill Wansley is senior vice president of strategy and technology at the consulting firm Booz Allen Hamilton. 
