In this Q&A Stephen Scharf, Chief Security Officer, and David LaFalce, Executive Director and Global Head of Business Continuity & Crisis Management, The Depository Trust & Clearing Corporation (DTCC), discuss how the industry can mitigate the effects of large-scale cyber-attacks.
For the financial services industry, it’s not a matter of if, but when, a large-scale cyber-attack will occur.
The complexity of the financial services industry - the interconnectedness of individual players and the introduction of new and innovative technologies - heightens the risk of the industry becoming victim to attack.
Nearly one in four cyber breaches in 2017 affected a financial services organisation, according to the Verizon 2017 Data Breach Investigations Report, making the sector the number one target for cyber-attacks. Perhaps even more troubling is the rate of successful breaches in the financial services sector alone: from 40 per firm in 2012 to 125 breaches per firm in 2017, an increase of 200% in just five years.
These breaches are also getting costlier. According to Accenture’s Cost of Cyber Crime Study (2017), the average total cost of a cyber-attack reached nearly $18.3 million per firm, an increase of $7.32 million since 2014.
Below, Stephen and David discuss the recently published DTCC and Oliver Wyman joint white paper entitled 'Large-scale cyber-attacks on the financial system' which highlights the key initiatives that are essential to mitigating the systemic consequences of a large-scale attack. They discuss how the industry can advance the concepts contained within the white paper into reality.
What considerations must be made to mitigate the systemic consequences of a large-scale cyber-attack?
David LaFalce: The industry currently lacks standards around key considerations. Most important is a well-coordinated cross-industry effort that allows for a collective response and recovery plan. Individual entities know they must follow recovery protocols for their most critical services before they can resume operations after an impact. However, when a sector outage spans across multiple firms, there may be a different order of operations to follow; firms need to be flexible. In addition, there needs to be a definition of when an entity is considered safe to rejoin the ecosystem: something which is being worked on with SIFMA, the industry trade group of the U.S. securities industry.
How would a cross-industry approach help mitigate the impact of a large-scale cyber-attack?
Stephen Scharf: A cross-industry approach would identify collective actions to be taken upon the detection of a large-scale cyber-attack. This would be based on a set of standardised criteria that is tailored to specific cyber-attack scenarios.
There are four key benefits to this approach. First, it improves the resilience of the overall financial system by ensuring firms are held to a minimum set of acceptable standards, which minimises the threat of contagion. Second, it creates clearly defined and readily available protocols that increase reaction speeds to cyber-attacks. Third, it increases customer/investor confidence, which is driven by the knowledge that the industry is following a commonly agreed set of standards. And lastly, this approach increases transparency and confidence between institutions.
Industry coordination is critical to responding to, and recovering from, a cyber-attack. Can you give us an example of that industry coordination?
Stephen: First, let me say I agree with your opening statement about the importance of industry coordination. A prime example of industry coordination is contingent service arrangements or interoperability. Given the complexity and broad scope of potential impacts of large-scale cyber-attacks, such as the outage of key players or compromise of backups, no single entity has all the required capabilities and capacities to address all possible attack vectors and vulnerabilities. Regardless of the level of preparedness, there may be situations where a key payment, clearing, or settlement provider is unable to fulfil its services for an extended period of time.
The DTCC-OW cyber white paper calls for further consideration of contingent service arrangements. How do you envision such arrangements working?
David: There isn’t a one-size-fits-all approach for contingent service arrangements. To that end, we see three potential operating models for the development of arrangements. The first model is interoperability: if one exchange is down, the others can provide the platform for the majority of the 'symbols'. In the second version, there would be arrangements between existing institutions to provide mutual assistance in support of critical activities during the time of need. Lastly, we could create an industry utility designed to perform services for several financial institutions, for example, the Sheltered Harbor effort.
Regardless of the model, these arrangements offer a number of key benefits: increasing the resilience of the financial services sector, and reducing instability and economic gridlock during a large-scale cyber-attack. In addition, they minimise the potential for contagion by reducing the likelihood of a critical player rejoining the financial system prematurely due to the absence of a substitute service provider. We can’t discount another great benefit of contingent service arrangements: an increase in customer and investor confidence. This confidence is driven by the knowledge that the industry has implemented multiple layers of protection to ensure continuity of critical industry activities.
What are the next steps?
Stephen: I hope our white paper will act as a rallying cry. It’s time for the industry to work together and turn these concepts into realities. Some efforts are already underway, but for those that are not, the industry must assign ownership and responsibilities for these initiatives. The appropriate industry stakeholders must mobilise and detail each initiative, including scope, ownership structure, execution model, and enforcement mechanism.
They need to develop a structured implementation plan and implement the initiatives. That said, the industry cannot go it alone. The public sector needs to step in when legislative support is necessary to implement industry-wide and cross-border efforts: providing incentives and helping to resolve roadblocks from misaligned legislative frameworks.
We have meetings scheduled with different individual groups, such as FSARC and SIFMA, and we are leveraging the DTCC membership to establish a common understanding on what needs prioritising. We are also working to further refine our internal practices around preparing for and combatting cyber-attacks.