On July 16, 2014, U.S. Treasury Secretary Jacob J. Lew delivered the keynote speech at the Delivering Alpha conference, a gathering of hedge fund industry participants.1 Secretary Lew used this event to issue strongly-worded remarks on the serious nature of cyber-incursions, in particular the frequency, intensity, and sophistication of malicious acts perpetrated by state and non-state actors.
Cybersecurity has been a high-visibility issue this year, prompting many officials and regulators to discuss the importance of securing the information technology environments of financial institutions. What is noteworthy about Secretary Lew’s remarks is the frank assessment that cybersecurity in the financial sector is inadequate. Indeed, Secretary Lew stated, “Far too many hedge funds, asset managers, insurance providers, exchanges, financial market utilities, and banks should and could be doing more.” Secretary Lew noted the “catastrophic damage” and “massive harm” posed by cyber-incidents, including the theft of commercially valuable trade secrets, the loss in confidence following a successful attack on the financial system, and the injury to millions of individuals when credit card data is stolen. The Secretary’s candid appraisal and forceful language reflect the seriousness with which senior government officials are taking cybersecurity.
Secretary Lew echoed regulators, including the U.S. Securities and Exchange Commission (“SEC”) and FINRA, in warning financial institutions about the cybersecurity risks associated with vendors, suppliers, and contractors. He also noted that the financial markets depend on an array of other industries to function, such as energy, telecommunications, and transportation, which are themselves vulnerable to cyber-threats. Using Hurricane Sandy as an example, Secretary Lew further observed that cyber-risks include the threat of physical damage to critical infrastructure and the ability of third-party service providers to protect the integrity of their own equipment.
In February 2014, the National Institute of Standards and Technology (“NIST”) issued a Framework for Improving Critical Infrastructure Cybersecurity (the “Framework”). Although the Framework is purely voluntary, Secretary Lew advocated its adoption by financial services firms, and urged firms to encourage their vendors and service providers to adopt the Framework as well. Secretary Lew also encouraged firms to share information about cyber-incidents with the government and with other firms. Secretary Lew noted that the federal government is working to make classified threat information available to firms. He also noted that the Department of Treasury has established a unit known as the Financial Sector Cyber Intelligence Group for the purpose of information sharing and analysis.
Secretary Lew noted that cybersecurity cannot be delegated to information technology and security departments, and he called upon boards of directors and executive officers to become more active in their organization’s cyber-risk management. Among the cybersecurity responsibilities of directors and officers, Secretary Lew highlighted understanding cybersecurity defenses, knowing about incident response plans, and understanding the organization’s threat environment and responses.
Secretary Lew used his speech to announce a new cybersecurity initiative that will bring together officials from the Departments of Treasury, Energy, and Homeland Security for the purpose of improving the federal government’s cybersecurity efforts across sectors. In addition, Deputy Secretary Sarah Bloom Raskin has been tasked to coordinate with federal and state financial regulatory agencies on reducing cyber-risks to the financial system. Secretary Lew also endorsed the passage of cybersecurity legislation that would permit greater information sharing by establishing clearer rules for collaboration among private sector entities, including liability protection, while respecting individual privacy and civil liberties.
Secretary Lew’s remarks should further encourage financial services clients to review their cybersecurity posture. In particular, firms should consider whether their existing policies and procedures are adequate and incorporate best practices. As a part of this process, firms can compare their own cybersecurity policies and procedures against the information requests appended to the April 15, 2014 Risk Alert issued by the SEC’s Office of Compliance Inspections and Examinations (“OCIE”).2 For more information, see Five Takeaways About Cybersecurity From the OCIE Cybersecurity Risk Alert. Firms are also encouraged to review the NIST Framework, which has been designed to complement existing cybersecurity programs. Firms may find the Framework helpful in identifying opportunities for improving their cybersecurity program.
Directors and officers should be actively involved in their organization’s cybersecurity efforts, including the design and oversight of the organization’s cybersecurity policies. Directors and officers should routinely receive aggregate information regarding cyber-incursions, and should receive more detailed reports in circumstances in which customer data or commercially valuable intellectual property is misappropriated. Directors and officers should also remain abreast of important developments in the law and technology affecting cybersecurity.
Finally, firms should think about gathering and sharing cyber-threat information. Firms with the resources to do so should consider joining the Financial Services Information Sharing and Analysis Center (“FS-ISAC”). All firms should be on alert for information about the methods of malicious actors and newly identified vulnerabilities in computer networks and systems that they can use to protect themselves from cyber-incursions.