Protecting Financial Cyberspace

Sarah Bloom Raskin is Deputy Secretary of the U.S. Department of the Treasury. This post is based on her recent remarks at the Public Company Accounting Oversight Board International Institute on Audit Regulation.

Good morning. Thank you Steve, for that kind introduction, and thank you to the Public Company Accounting Oversight Board for inviting me to speak at your tenth International Institute on Audit Regulation. The PCAOB has been instrumental in protecting investors by enhancing audit quality, and is a shining example of the benefits of audit regulation. I am pleased to be here with you [December 14, 2016] to describe what we have been doing in the financial sector to deal with a significant threat to financial stability—and that is the threat from cyber incidents.

The Institute’s annual forum is perfect for this discussion. You just completed a panel on the impact of technology, data analytics, and continuous monitoring on audits of the future. Later today another panel will continue the discussion of cybersecurity. I hope to add to your agenda by describing how to protect the international financial system in cyberspace. And that is: Combining peacetime norms with a shared risk-based approach to cyber defenses, which includes—as probably most relevant to this group—a consistent and credible assurance process. Together cyber norms and defenses have the potential to move the needle on cybersecurity and resiliency for the financial sector and beyond.

Nature and Scope of the Threat

The fact of the matter is that cybersecurity incidents are growing exponentially and the consequences are costly. In terms of the effects of incidents over the last several years, they have included the theft of credit and debit card accounts—through retailers like Target and Home Depot. Other incidents in the U.S. have included the exposure of sensitive information on hundreds of millions of individuals who kept information at banks like JP Morgan Chase, health insurers like Anthem and Premera Blue Cross, and government agencies like the U.S. Office of Personnel Management. Information stolen has ranged from street and email addresses to medical identification and social security numbers, and fingerprints and detailed biographical data. In fact, we later learned that an international crime syndicate allegedly used information stolen from these and other intrusions to manipulate the prices of U.S. stocks.

We have also seen cyberattacks destroy company systems and wipe out data, at Sony Pictures, and we have seen power blackouts triggered through digital means, which last year plunged just under a quarter of a million Ukrainians into darkness for several hours.

But as serious as these incidents are individually and collectively, none effectively illustrates the potential catastrophic consequences that cyber incidents can have when they transcend individual institutions, and affect our markets and financial systems. This is the focus of the U.S. Treasury Department in particular. For a glimpse of this type of risk, I’ll turn to Mr. Robot, a popular U.S. television series.

For those of you who have not seen the show, Mr. Robot portrays a group of hacktivists operating out of a funhouse in Coney Island, New York. At the end of the first season, the hacktivists carry out a massive attack against a large, multinational corporation called E Corp. E Corp dominates commercial banking worldwide. Through a variety of tactics and techniques—from manipulating employees through social engineering to deploying a zero-day exploit—the hackers break through E Corp.’s cyber defenses, encrypt all the company’s data, and destroy separately stored back-up copies of the data. The goal of this destructive attack: to wipe out $400 billion of debt owed to E Corp., everything from student loans to mortgages. The next day, the global financial system freezes, stock markets plunge, credit card networks halt, ATM withdrawals are capped.

Surely this can’t happen! This is Hollywood, not something based on reality. Are scenarios in which the financial system’s plumbing gets clogged or breaks down implausible? What did the financial crisis teach us about the transmission of contagion? It taught us, among other things, that when the financial system shuts down, liquidity is lost; that illiquidity brings losses to counterparties, which brings losses to the counterparties of the counterparties; that these losses create losses of confidence; and that when confidence is lost, it is hard to revive.

Let’s consider the dependence of the financial system on computers, communication networks, and the Internet. For much of its history, time and geographical space have bound the financial system. Physically moving money was time consuming and cumbersome. In the late 1800s, cash had to be physically moved to the point of the transaction, often by train or by horse, and a bank would have to wait to receive cash before it could use that capital to, for example, make a new loan.

But over time, technology diminished the boundaries of time and space. By the 1900s, the Federal Reserve had established book-entry transfers and its Fedwire system, which originally sent messages over telegraph lines using Morse code. As the twentieth century progressed, computers and communications networks were created, became interconnected, and then ubiquitous as the cost of both fell. Computers, interbank networks, and the Internet together increased the speed and geographical reach of financial services.

As we shifted from stagecoaches and train cars filled with bills to Internet routers transmitting electronic data, our dependence on these transportation modes shifted as well. But the need for confidence in our financial infrastructure remained. Centuries ago, consumers had to place their trust in the horses and steam engines—that the horse was healthy, that the train tracks were unimpeded, and that the physical movement of cash would not be interrupted by bandits. Today, individuals must place their trust in the Internet and its related systems, that they are secure and reliable and protected from illicit intrusions. These are the new systems we depend on. 

Payment and Settlement Systems: A Key Part of the Financial System

Consider for a moment an international financial institution that operates commercial and investment banking subsidiaries in the United States and abroad. Each day at pre-determined times, that institution must transfer U.S. dollars and other currencies into various payment and settlement systems on behalf of its customers and clients, including depositors, businesses, and other financial institutions.

As the circulatory system for domestic and international economic activity, these payment and settlement systems provide the mechanisms through which funds and related information flow, which are essential to the daily operations of businesses and governments, and the lives of individuals. A blockage in one of those systems means that funds and data that need to move from point A to point B cannot do so. The longer and more pervasive the blockage, the worse the incident, the more damage done, some damage of which may trigger severe, long-lasting problems.

A major payments outage that extends beyond 24 hours to a few days or weeks could degrade the operation of the U.S. financial system and beyond, with only the most critical payments likely being made through manual and other workarounds. As a result, in addition to failing to fund many institutions and counterparties, workers might not receive their electronic paychecks, small businesses’ credit lines might freeze, and sales of residential homes could be put on hold.

So how do we protect financial systems in cyberspace? One way forward combines the development of widely agreed-upon peacetime norms by countries with cyber defenses based on a common risk-based approach, backed by a robust assurance protocol.

Peacetime Cyber Norms

I’ll start with the need for peacetime cyber norms: The Internet is human-made and has no geographical boundaries. It was created and has evolved with interoperability and efficiency in mind—not security. As a result, nation-states and private parties move easily through cyberspace. Movement is unfettered. But with unfettered access, bad actors can use the Internet to cause harm.

The Internet today in some ways resembles America’s Wild West past, where out of necessity individuals, towns, and other groups of people were forced to look out for themselves in the then new, lawless territory. This is why ongoing global discussions on cyber norms are so important. Norms can make the technological frontier more secure for us all; they can create some “rules of the road.” We know from the modern history of other major technological events that it takes time for consensus to develop on rules of the road. Remember, it took decades to advance international cooperation on controlling nuclear weapons. Today’s global discourse on appropriate behavior in cyberspace in many ways presents a similar inflection point to the early discussions to limit nuclear weapons. [1]

Once norms take hold, they provide a powerful force. If fully embedded into our collective thinking about how the world works they can make it hard to imagine operating in any other way.

Several examples of efforts to create consensus around cyber norms exist. For example, last year in Turkey, and reaffirmed this year in China, the leaders of the Group of Twenty economies affirmed that international law applies to nation-state conduct in cyberspace and agreed that countries should not use their cyber capabilities to steal trade secrets and other intellectual property to provide a competitive advantage to their commercial sectors. [2]

Other proposed cyber norms include, for example: Countries should not intentionally damage the critical infrastructure of another state or impair the use of critical infrastructure that provides services to the public. Countries should not impair national computer response teams from other nations when those teams are responding to cyber incidents. And countries should cooperate with requests from other nations to investigate cybercrimes and mitigate malicious cyber activity emanating from their territory. [3]

Self-Defense and Self-Help

Proposed norms are a long-term play. In the short term, as the scale and sophistication of incidents and attacks continue, a parallel strategy is necessary. It is a parallel strategy that is capable of success because it relies on the fact that more than 80 percent of cyber incidents can be prevented. [4]

G-7 Fundamental Elements of Cybersecurity for the Financial Sector

This past October, the G-7 finance ministers and central bank governors endorsed and published the G-7 Fundamental Elements of Cybersecurity for the Financial Sector. [5] These fundamental elements are the basis for a common risk-based approach to cybersecurity for the global financial sector. They are designed to be universally applicable, process oriented, and dynamic.

The elements apply across the financial sector to entities of all types and sizes—from depository institutions, exchanges and payment systems, to fintech companies and third-party service providers. They are designed to be tailored and proportionate to the particular characteristics of each entity as well as the specific cyber risks that entity faces. [6]

Through outreach with the financial sector, we learned that boards of directors and senior management are only beginning to step up their oversight of their organization’s cybersecurity programs. A recent survey of U.S. banks found that the majority of them only began board-level reporting of cyber risks in the past three years. [7] So we wanted to help leaders drive efforts to fortify their entities’ cybersecurity and resiliency. As such, the elements call on entities to establish cybersecurity strategies and operating frameworks tailored to their specific cyber risks, and to assign roles and responsibilities for personnel in charge of implementing, managing, and overseeing those strategies and frameworks.

The elements also elevate governance by emphasizing the importance of executive management and corporate boards in setting the cyber risk tolerance for their organizations and overseeing the effectiveness of cybersecurity programs in managing that risk within established tolerances. Cast through the lens of governance and the fiduciary duty of care, the elements empower boards of directors and senior leadership to: ask the right questions, hold their teams accountable, and consider the relevant trade-offs before making decisions about their organizations’ cybersecurity strategy.

In the face of a sophisticated cyberattack, a resilient financial system must be able to recover quickly, even if certain functions or activities remain off-line or operate in a degraded state. Achieving resilience depends on private entities and public authorities working together towards a common objective of maintaining financial stability and instilling buoyancy in the system. In that regard, the elements outline procedures for responding to, and recovering from, cyber incidents. These procedures recognize the important but distinct role to be played by the private sector and public authorities, including regulators and law enforcement. The elements also highlight the necessity of continuously sharing information on cyber threats, vulnerabilities, and responses before and after incidents.

An entity’s—indeed a country’s—approach to cybersecurity must evolve and mature. Indeed, it never ends. Achieving resilience depends on entities continuously learning from their own experiences, from those of their peers and other entities, and from other critical sectors. The last fundamental element, therefore, focuses on the need for constant reassessment to identify and remediate gaps. This type of continuous learning builds in a dynamic feedback loop where entities systematically re-evaluate their cybersecurity strategies and frameworks based on lessons learned as their operational, control, and threat environments evolve.

Self-Assurance

But when all is said and done, there is still a missing component: self-assurance. Without some way to appropriately assure the effectiveness of the design and implementation of the risk-based approach to self-defense and self-help contemplated by the G-7 fundamental elements, we risk illusory results. Why is assurance so important?

We need to arm corporate boards—especially those who are not technologists or cybersecurity experts—with a mechanism to thoughtfully assess management’s assertions about the design and effectiveness of their organizations’ cyber defenses. We also need to equip those same leaders so that they can evaluate the completeness and accuracy of management’s description of their cybersecurity programs. Those leaders should also have a means to credibly and understandably communicate related findings to key stakeholders, such as investors, counterparties, customers, regulators, and the public, as appropriate.

And while recognizing that the G-7 fundamental elements call for cyber defenses that are tailored and proportionate to each entity’s particular characteristics and cyber risks, to be most powerful any assurance methodology should strive for comparability. Why? Consistency in the assurance process allows for measuring progress and driving accountability; it also informs comparisons with peer institutions in the financial sector and potentially across sectors. Comparability also permits market forces to discipline institutions whose defenses are not up to par.

These are still the early days in developing assurance processes around cybersecurity. Key questions include: what is the optimal approach to cybersecurity assurance and what are the expected levels of assurance? Questions also include: what are the respective roles of the institutions themselves—through their own information security, compliance, internal audit, and risk functions—as well as independent third parties like auditors?

As you know, public company auditors today play an important, but limited, role regarding cybersecurity. Auditors focus their attention on the use of IT to prepare financial statements and automated controls around financial reporting, such as controls around the reliability of underlying data and reports. [8] This approach is appropriate to address financial reporting risk but it does not address a company’s overall business or operating risk.

Unless retained as part of a consulting engagement, an auditor does not more broadly evaluate a company’s overall cybersecurity risk management program. For example, auditors do not evaluate whether a company has appropriately identified the functions, activities, products, and services—including interconnections, dependencies, and third parties—that present it with cyber risk. Likewise, an auditor does not assess whether a company has identified and implemented controls—including systems, policies, procedures, and training—to protect against and manage identified cyber risks within the tolerance set by the board.

In the United States, one effort underway to help address this gap comes from the American Institute of Certified Public Accountants (AICPA). The AICPA proposed this past summer a new cybersecurity assurance engagement. The comment period ended last week, so we will have to see how this type of engagement evolves. But as initially envisioned the engagement would have three parts. First, management would provide a narrative description of the company’s cybersecurity risk management program and the ways in which the company identifies, controls, and reduces its cyber risks. Management would then attest to whether the controls implemented are suitably designed and operate effectively. Finally, the auditor would opine on the accuracy and completeness of management’s description as well as whether the cybersecurity controls are suitably designed and operate effectively in achieving the company’s cybersecurity objectives. [9]

Imagine a world in which all types of entities could convey the effectiveness of their cybersecurity risk management in a standardized, non-technical way, appropriate to each entity’s size and other business characteristics. Think about the power of such assurance. Boards, shareholders, customers, counterparties, and regulators could gauge the relative effectiveness of organizations’ cybersecurity and resiliency.

If done right—with independence, objectivity, appropriate expertise and professional skepticism—such an assurance process would be a vehicle by which greater cybersecurity and resilience could be achieved. Given the importance of getting it right, I urge you as audit regulators to carefully consider and monitor the development of cybersecurity assurance services.

Conclusion

The goal is to enhance the security and safety of our financial transmission mechanisms—giving attention and care and investment to our financial networks, as if they were still horses and railcars carrying money from place to place so that it can be loaned productively and quickly.

At their core, the G-7 fundamental elements provide a bridge between our present reality of relative insecurity and this future, far more trustworthy cyberspace. The international community agreeing on key cyber norms to protect critical infrastructure like the financial system is one part of this transition. A robust assurance process is another.

To reach this more secure future state, we need to be dedicated and methodical. From investing in the creation of more trustworthy systems to rapidly sharing actionable, reliable cyber threat information, the largest financial institutions have a duty to contribute to the collective security of the international financial system. Small financial sector companies play an important role too—their networks and systems can serve as entry points for malicious cyber activity that undermines the public’s trust. And of course, governments—from finance ministries, central banks, and regulators like yourselves, to law enforcement and security agencies—have obligations to help protect their nation’s territory, critical infrastructure, and citizenry.

We may not be in a cyber utopia, but we are not in the dystopia portrayed by Mr. Robot either. A shared lexicon and mutual understanding of cyber risks in the financial sector across countries is emerging, as is a common risk-based approach to cyber defense. With imagination and resolve, it is within the realm of collective human effort to enhance the safety and security of our financial transmission mechanisms, our financial system, and our virtual financial lives.

Endnotes

[1] https://www.washingtonpost.com/opinions/the-world-needs-an-arms-control-treaty-for-cybersecurity/2015/10/01/20c3e970-66dd-11e5-9223-70cb36460919_story.html; http://www.au.af.mil/au/ssq/2011/winter/nye.pdf.

[2] G20 Leaders’ Communique, Antalya Summit at 6 (Nov. 2016), http://www.mofa.go.jp/files/000111117.pdf (last visited Nov. 16, 2016); G20 Leaders’ Communique, Hangzhou Summit at 3 (Sept. 2016), http://www.consilium.europa.eu/press-releases-pdf/2016/9/47244646950_en.pdf.

[3] Report, United Nations Group of Governmental Experts, Developments in the Field of Information and Telecommunications in the Context of International Security, U.N. Doc. A/70/174 (July 22, 2015), https://www.un.org/disarmament/topics/informationsecurity (last visited Nov. 16, 2016); Report, U.S. Commission on Enhancing National Cybersecurity, Securing and Growing the Digital Economy 48 (Dec. 1, 2016), https://www.whitehouse.gov/sites/default/files/docs/cybersecurity_report.pdf (last visited Dec. 14, 2016) (a nonpartisan commission focused on enhancing U.S. cybersecurity recommended, among other things, that the U.S. government work to expand the adoption of cybersecurity norms of behavior in cyberspace during peacetime).

[4] See generally Press Release, The Center for Internet Security and Council on CyberSecurity Launch a Nationwide Campaign for Basic Cyber Hygiene in Support of NIST Framework Adoption (Apr. 3, 2014), http://www.prweb.com/releases/2014/04/prweb11732752.htm.

[5] G7, G7 Fundamental Elements of Cybersecurity for the Financial Sector, https://www.treasury.gov/resource-center/international/g7-g20/Documents/G7%20Fundamental%20Elements%20Oct%202016.pdf. The fundamental elements build upon the lexicon of identify, protect, detect, respond, and recover first introduced in 2014 by the National Institute of Standards and Technology. NIST, Framework for Improving Critical Infrastructure Cybersecurity (Feb. 12, 2014), http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214-final.pdf.

[6] While the commentary to the elements explains how they apply to the financial services sector, the elements themselves transcend sectors and can better equip boards and senior public officials at all types of organizations to enhance their cybersecurity and resiliency.

[7] Moody’s Investor Service, Survey: Bank Boards Engage Growing Cyber Threat, Employ Security-Solution Vendors (July 13, 2016).

[8] See generally PCAOB Auditing Standard No. 12, Identifying and Assessing Risks of Material Misstatements, Appendix B, B1 (requires auditors to obtain an understanding of how the company uses information technology (IT) and the effect of that technology on the company’s financial statements); see also PCAOB Auditing Standard No. 5, An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements (auditors must also understand the company’s automated controls as they relate to financial reporting, including the effectiveness of those controls and the reliability of underlying data and reports).

[9] http://www.aicpa.org/InterestAreas/FRC/AssuranceAdvisoryServices/DownloadableDocuments/Cybersecurity/AICPA_Brief_Cybersecurity.pdf.
