"Keep Calm and Carry On": The Role of Regulators in Cybersecurity and Resiliency
I. Introduction
Good morning. Thank you to Harvard Law School's Program on International Financial Systems for inviting me to speak at this symposium on "Technology and Capital Market Regulation."
It is wonderful to be here in Tokyo on a beautiful autumn day at the Financial Services Agency among so many distinguished financial and securities regulators.
I feel at home among you. I have spent over half of my career as a regulator, in different roles, with different responsibilities. I was an enforcement attorney at the U.S. Securities and Exchange Commission. I served as the chief regulatory officer at a U.S. securities exchange and was a director and chair of the regulatory oversight committee for another exchange.
In my current role, I am a board member at the U.S. Public Company Accounting Oversight Board (PCAOB), where our mandate is to oversee the work of auditors of public companies.[1] I understand firsthand the important work each of you do every day, not only for your countries but for the international financial system. Thank you.
Today, I'd like to share my views on a topic that intertwines both technology and capital market regulation: cybersecurity, resiliency, and the role of financial regulators.
We all may be financial regulators, but we are not monolithic. We have distinct jurisdictions, legal regimes, regulatory authorities, and tools to fulfill our missions. How we oversee information technology (IT), security and business continuity, and the protection of customer data at the entities we regulate, varies as well.
In the United States, banking regulators and supervisors are called on to protect depositors' funds by focusing on the safety and soundness of the depository institutions and the stability of the financial system. U.S. securities regulators, in turn, are called on to protect investors, maintain market integrity, and facilitate capital formation.
And, as a regulator of auditors, the PCAOB is called on to protect investors and the public interest through the preparation of informative, accurate, and independent audit reports. Despite these differences, as financial regulators we all share the same fundamental calling – to protect the public and the public interest.
As a result of that calling, we as financial regulators must use the tools we have to try to ensure that the entities we regulate have the technology, processes, and other controls to prevent – or at least lessen – the risk of loss from cyber-incidents. We should also press the entities we regulate to prepare for the likelihood of significant cyber-incidents.
I have some suggestions for how we should use our levers. First, though, let's look at the nature of cyber threats and a framework for effective responses.
II. Nature of Cyber Threats
The internet – cyberspace – provides unprecedented opportunities for individuals and organizations to connect to each other and the world. This affects our capital markets, financial systems, and more broadly, each of our economies.
We communicate through the internet. We engage in commerce using the internet. Financial sector organizations of all types operate on the internet – from banks, insurers, broker-dealers, and investment advisers to financial market utilities like exchanges, payment systems, and clearing houses.
Everyday objects – so-called "Internet of Things" devices – are now all connected to the internet as well. Personal computers, smartphones, cars, wearable gadgets, thermostats, and even medical devices such as cardiac monitors and pacemakers – to name a few – all send and receive vast amounts of personal and other data largely unfettered by country borders.
To fully appreciate the unprecedented reach of the internet, think about this: By next year, internet-connected devices are expected to number almost 31 billion.[2] This translates into nearly four devices for every man, woman, and child on this planet.
But with this extraordinary access and interconnection comes significant risks. Threat actors sitting anywhere around the globe – hacktivists, criminals, and rogue nation states – can engage in damaging mischief, criminal activity, and geopolitical disruption using the internet. These actors can undermine confidence in the institutions that form our domestic and international financial systems – institutions likely supervised by the regulators in this room.
Almost daily we hear about cyber-incidents. Last year, Marriott hotels announced that its Starwood guest database was breached. The information accessed included payment details as well as customer names, email addresses, and telephone and passport numbers.
Marriott initially received an alert of an attempted breach from an internal security tool. The ensuing investigation suggested that the unauthorized access had occurred as much as four years earlier. This incident alone compromised the personal information of an estimated half billion people.[3]
In the past, cyber-incidents in the hospitality industry, similar to what occurred at Marriott, likely only triggered personal – rather than professional – concern for those in this room who may have stayed at the affected hotel chain. But that has changed now. As financial regulators, we now know that these types of incidents may eventually affect the institutions we regulate. Armed with stolen personal information, criminals target individuals and attempt to trick them into divulging account credentials and other sensitive information related to themselves and their employers.[4]
Case in point: The series of cyber-enabled thefts using the international payment messaging system operated by the Society for Worldwide Interbank Financial Telecommunication (or SWIFT). The most notorious of these incidents was the attempted theft of $1 billion from the central bank of Bangladesh in 2016. Despite being stopped midway through the heist, the criminals ultimately walked away with $81 million, most of which has never been recovered.[5]
SWIFT is the hub for the majority of the world's banking activities. It connects 11,000 financial institutions, including central banks, in more than 200 countries. While not used to transmit funds, SWIFT is integral to the international financial system because institutions use its system to send and receive details of money transfers. Last year alone, SWIFT transmitted messages related to more than 3.8 billion payment orders.[6]
How did the cyber-robbery work? The hackers infiltrated the Bangladesh Bank's systems apparently by sending targeted (or phishing) emails to bank employees. Once inside the bank's systems, the attackers installed malicious software (known as malware) to monitor the bank's activities, spending months learning about the bank's daily operations. They harvested employee passwords and worked their way to the bank's crown jewel: the SWIFT server. Despite warnings from SWIFT, the bank had not segregated its SWIFT server from the rest of its computer networks, thus making it accessible to the thieves.
In addition to obtaining credentials to access the SWIFT network, the attackers watched for an opportune time to strike – when account balances were high and the bank was on holiday. Then, to delay discovery, the attackers launched software to disable key controls. This malware intercepted and altered confirmations sent from SWIFT. The result? The hackers had more time to transfer the stolen funds through a complex web of accounts across the globe, thereby decreasing the likelihood of apprehension or recovery of the money.[7]
III. A Framework for Effective Responses
Given the scope, scale, and evolving sophistication of cyber threats, what do we as regulators do to foster effective responses by the entities we oversee? What levers do we have? First, we can use our positions and podiums to share information about how to develop a framework for response to significant cyber-events.
Everyone needs to understand how important this is. How doable it is. And the value of working together for the same goal. Initially, it's a question of mindset; how to change the way we think about effective responses.
In that regard, I'm reminded of a cybersecurity roundtable I attended this summer, sponsored by the Carnegie Endowment for International Peace. The event was held at an Elizabethan country estate, Wiston House, on the south coast of England, about 90 minutes from central London.[8] Imagine "Downton Abbey," but slightly less grand.
Even today, walking through the manor house, you can feel the history. During World War II, the British Army used the estate's grounds to prepare for the Normandy landings. The British prepared in other ways as well.
Just after the outbreak of the war, Britain began to ready its citizens for the trying times that likely lay ahead. While working with the allies to defeat Germany, the government designed a series of slogans for posters to bolster public morale and resolve in the face of widely predicted air strikes.
The first two posters hung across Britain on notice boards, at transportation hubs, and in shop windows. A green poster urged "Freedom Is in Peril. Defend It With All Your Might." A blue poster declared "Your Courage, Your Cheerfulness, Your Resolution Will Bring Us Victory." Only if Germany invaded Britain would the last, red poster be used. It said simply "Keep Calm and Carry On."
IV. The Levers of Financial Regulators
Taking a page from Britain's playbook, we must use our tools as regulators to push entities to resolve to defend themselves against cyber-events. We must also press those entities to be resilient so that they can recover quickly in the face of significant cyber-events. But resiliency only comes from careful planning.
What levers do we each have? The specifics will depend on each of our respective legal regimes and regulatory authorities, and the measures through which we fulfill our missions.
For example, under PCAOB auditing standards, auditors of public company financial statements play an important but limited role related to cybersecurity. Auditors are required to assess the use of IT to prepare financial statements and the automated controls associated with financial reporting, such as controls around the reliability of underlying data and reports. This addresses financial reporting risk for public companies. As part of their risk assessment and audit planning, pursuant to PCAOB standards, I have called on auditors to broadly consider cybersecurity risks that could have a material effect on companies' financial statements.[9] PCAOB standards do not, however, require auditors to assess companies' overall business or operating risks as they relate to cybersecurity.[10]
PCAOB standards also do not specifically address the cybersecurity of auditors themselves or even explicitly require auditors to maintain the security of their clients' information or systems.[11] Our standards do, however, require audit professionals to exercise their skill with "reasonable care and diligence."[12]
Whether reasonable care and diligence encompasses protecting confidential client information and systems from compromise has not been tested. We also have not applied our standards to any cyber-incident that may have occurred at an auditor registered with us. If a significant cyber-incident did occur at a registered audit firm, and sensitive client information or systems were compromised, I certainly would press for a careful assessment of whether our standards or rules had been violated, including whether the auditor had acted with reasonable care and diligence.
In the meantime, I'm asking questions about what more audit firms should or could be doing around cybersecurity to secure their clients' data and systems. The good news is that many auditors, at least at the largest firms, have not turned a blind eye. They recognize cybersecurity as a threat and are acutely aware of the reputational harm that could ensue if they experienced a significant cyber-event.
As a result, some auditors are addressing cybersecurity concerns as part of their systems of quality control.[13] This includes designing and implementing cybersecurity strategies and control frameworks tailored to the audit firm's specific risks. It also includes monitoring to ensure that those strategies and controls are being adhered to and enhanced when the environment changes. Some auditors are even sharing the contours of their approaches with existing and potential clients.
Regardless of our specific statutory and regulatory authorities, effective cybersecurity and resiliency includes three key elements: (1) identifying and implementing baseline protections and best practices, (2) engaging in information sharing, and (3) preparing an effective response and recovery plan.
A. Baseline Protections and Best Practices
Turning back to the robbery at the Bangladesh Bank, like so many cyber-incidents, baseline protections likely would have prevented – or at least lessened – the loss. These protections include policies, procedures, and other controls that prevent access to networks, systems, and data. The protections also minimize damage if access is gained. Experts estimate that basic cyber hygiene can prevent up to 80 percent of all known cyber-incidents.[14] Here are five of these basics.
- First, it starts with multi-step identity checks – known as "multi-factor authentication" – before allowing access to an entity's networks, systems, and data. Why? Usernames and passwords can be easily guessed or stolen. Multi-factor authentication typically combines something the user knows (like a password) with something only the user has (like a smartphone or token).
- Second, basic cyber hygiene includes limiting special, high-level data and system access to as few people as possible. Users with this type of access, known as "privileged users," are typically IT professionals with administrative rights to install software, configure systems, and grant access to other users. Privileged users usually also have access to data that runs on the systems they service. Controls should also be tight around privileged users. Tightened controls can restrict the systems that privileged users can access and the functions that they can perform. Controls can also limit the time that privileged users can be logged in, and require regular reviews of access logs.
- Third, entities should patch their software in a timely and systematic manner. The vast majority of cyber intrusions that take advantage of system weaknesses can be found and fixed through software patching. Delays can prove costly. The data breach at the consumer credit reporting agency, Equifax Inc., was traced to the failure to patch a known system vulnerability for just two months.[15] The result was that more than 146 million U.S. citizens had their names, dates of birth, social security numbers, and other personal information compromised.
- Fourth, entities should systematically scan their systems for malicious activity. Scanning for indicators of compromise – such as rogue IP addresses or unique identifiers of malware (known as malware hashes) – helps detect system intruders. This is so important because we know on average it takes more than six months to identify a breach.[16]
- Finally, entities need to segregate their critical systems and data. It starts with identifying those critical systems and data, then isolating them. This is critical because once in, hackers may have unfettered access if systems are not appropriately segmented. As we learned from the Bangladesh Bank, as well as countless other incidents, once inside an organization, cyber criminals often move laterally to find a system or data to exploit. Therefore, reducing the number of pathways to critical systems can go a long way to mitigating potential cyber threats.
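As an added illustration of the second and fourth basics above (this is example code, not part of the speech), here is a small Python log-review routine that checks constructed log lines against constructed indicator lists of rogue IP addresses and malware hashes, and flags privileged-user logins outside an assumed working-hours window. The log format, indicator values, user names and login window are all assumptions made for the example.

```python
"""Added example (not from the speech): a log-review routine that applies two
of the basics above to constructed log lines: scanning for indicators of
compromise (rogue source IPs and known-bad file hashes) and reviewing
privileged-user access against an allowed login window.
All indicator values, user names and log lines are constructed."""
from dataclasses import dataclass
from datetime import time
import re

# Constructed log format (an assumption for this example):
# "<ISO timestamp> user=<name> src=<ip> action=<verb> [sha256=<hex>]"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) action=(?P<action>\S+)"
    r"(?: sha256=(?P<sha256>[0-9a-f]{64}))?$"
)

# Constructed indicator lists; in practice these come from a feed such as an ISAC.
ROGUE_IPS = {"203.0.113.7"}                    # documentation-range address, placeholder
BAD_HASHES = {"a" * 64}                        # placeholder malware hash, not a real IoC
PRIVILEGED_USERS = {"sysadmin"}                # assumed administrative account
PRIVILEGED_WINDOW = (time(8, 0), time(18, 0))  # assumed allowed admin login hours


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    detail: str


def review_log(lines):
    """Return one Finding per rule hit; unparseable lines are reported, not skipped."""
    findings = []
    for n, line in enumerate(lines, start=1):
        m = LOG_RE.match(line.strip())
        if not m:
            findings.append(Finding(n, "unparsed", line.strip()))
            continue
        rec = m.groupdict()
        # Fourth basic: match against indicators of compromise.
        if rec["src"] in ROGUE_IPS:
            findings.append(Finding(n, "rogue_ip", rec["src"]))
        if rec["sha256"] and rec["sha256"] in BAD_HASHES:
            findings.append(Finding(n, "malware_hash", rec["sha256"]))
        # Second basic: review when privileged users log in.
        if rec["user"] in PRIVILEGED_USERS and rec["action"] == "login":
            hhmm = time.fromisoformat(rec["ts"][11:])
            start, end = PRIVILEGED_WINDOW
            if not (start <= hhmm <= end):
                findings.append(Finding(n, "privileged_out_of_hours",
                                        f"{rec['user']} at {rec['ts']}"))
    return findings


# Constructed sample log: an ordinary login, then admin activity at night from
# a listed address that executes a file with a listed hash, then a bad line.
SAMPLE_LOG = [
    "2019-10-28T09:15:02 user=alice src=198.51.100.10 action=login",
    "2019-10-28T23:40:11 user=sysadmin src=198.51.100.12 action=login",
    "2019-10-28T23:41:30 user=sysadmin src=203.0.113.7 action=login",
    "2019-10-28T23:45:00 user=sysadmin src=203.0.113.7 action=exec sha256=" + "a" * 64,
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for f in review_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.rule} ({f.detail})")
```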
These are all important steps, but technology provides only part of the solution. Processes and people are the other parts. Beyond baseline protections, we as regulators should be pushing our regulated entities to develop cybersecurity strategies tailored to their distinct risks. Ideally, entities should also embed cybersecurity into their core governance, control, and enterprise risk management infrastructures.
Turning to people, employee education is one of the best, simplest, and most cost-effective means to protect against cyber-incidents, because employees are often the way that cyber criminals get in. The prevalence of phishing and other social engineering techniques makes training vital. One employee not clicking on an email attachment or hyperlink can make the difference between failure and success. Instilling a healthy dose of online skepticism can turn people from an organization's weakest link into its strongest defense.
B. Information Sharing
Malicious cyber actors often use the same or similar methods to target multiple institutions. That is why information sharing about cyber vulnerabilities, threats, and incidents is key. This means encouraging entities to share timely, actionable information with each other. Such sharing can limit incidents and stop contagion across systems, networks, and at other institutions.
Depending on the jurisdiction, sharing can be bilateral or multilateral. For example, the financial services sector has global hubs for sharing cyber intelligence. The Financial Services Information Sharing and Analysis Center (or FS-ISAC) is a private organization with 7,000 financial institutions as members from 70 jurisdictions around the world. FS-ISAC expanded its geographical footprint two years ago by setting up regional hubs in Singapore and London. With support from the Monetary Authority of Singapore, FS-ISAC's Asia Pacific Regional Analysis Centre became fully operational in 2018.[17]
Other sectors – like communication, energy, IT, and transportation – have specialized information sharing and analysis centers. After the incident at the Bangladesh Bank, SWIFT established its own intelligence and incident sharing center for its members. SWIFT credits that center with helping its members more effectively prevent and detect attacks from cyber criminals.[18]
Similarly, after a series of high-profile breaches – including one related to the Panama Papers – law firms have created their own information sharing and analysis organization.[19] In my current role, I've been advocating for auditors to likewise consider establishing a mechanism to share actionable threat intelligence and vulnerability information across their profession.
C. Response and Recovery
Finally, even with the best laid and executed plans, regulators should urge entities to prepare for the likelihood of significant cyber-incidents. In that regard, cyber-incident playbooks are key. The playbooks should describe the basics: who does what, when, and reports to whom when a cyber-incident happens. These playbooks should also cover topics such as when to get executive management and the board involved, when to call regulators and law enforcement, and when and how to notify shareholders, customers, and counterparties.
To be most effective, playbooks need to be practiced. Those exercises should begin internally and should test communication, escalation, and incident response processes. The exercises can eventually evolve into industry-wide table-top drills with regulators.
V. Conclusion
Given the increasing number and advancing nature of cyber assaults, much like the British government did in preparing its citizens for WWII, we must help the entities we regulate prepare for the eventuality of significant cyber-incidents.
It starts with baseline protections and best practices, combined with effective information sharing. It ends with engaging in detailed planning for response and recovery and practicing those plans.
These three elements together can accelerate cybersecurity and resiliency, not only for those organizations and their investors, customers, clients, counterparties, and other constituencies, but also for each of our nations and the international financial sector as a whole. Then, if and when a significant cyber-incident occurs, we are better equipped to keep calm and carry on with the business of returning to normal.
Thank you for your attention and for inviting me to share my views on this important topic.
[1] The views I express here today are mine alone, and do not necessarily reflect the views of the PCAOB, my fellow board members, or the PCAOB staff.
Thank you to my terrific team – Robert Ravas, Treazure Johnson, and Jennifer Hardister, an intern from the University of Georgia – for helping me prepare these remarks. Any errors or omissions are mine alone.
[2] Sam Lucero, IoT Platforms: Enabling the Internet of Things, IHS Technology at 5 (Mar. 2016).
[3] Marriott International, Inc. "Marriott Announces Starwood Guest Reservation Database Security Incident" (Nov. 30, 2018).
[4] When hackers breached JP Morgan Chase's computer system – accessing the names, telephone numbers, and email addresses associated with 83 million household and business accounts – the damage was thought to be limited because sensitive financial and personal data, like social security numbers and account login information, was not exposed. However, the data stolen from JP Morgan and in other intrusions was allegedly used by an international criminal syndicate in subsequent stock manipulation schemes. Through those schemes, these criminals artificially inflated the prices of penny stocks and then tricked investors into buying the stock by sending spam to the email addresses they had previously stolen. See Securities and Exchange Commission v. Joshua Samuel Aaron, Gery Shalon, and Zvi Orenstein Complaint and United States of America v. Gery Shalon et al. Indictment.
[5] Joshua Hammer, "The Billion-Dollar Bank Job" The New York Times (May 3, 2018). Available at https://www.nytimes.com/interactive/2018/05/03/magazine/money-issue-bangladesh-billion-dollar-bank-heist.html.
[6] Society for Worldwide Interbank Financial Telecommunication, SWIFT in Figures: December 2018 YTD, 3 (Jan. 31, 2019).
[7] Gottfried Leibbrandt, Remarks at 14th annual European Financial Services Conference, Brussels, Belgium (May 24, 2016). Available at https://www.swift.com/insights/press-releases/gottfried-leibbrandt-on-cyber-security-and-innovation; Sergei Shevchenko, "Two Bytes to $951M," BAE Systems Threat Research Blog (Apr. 25, 2016). Available at http://baesystemsai.blogspot.co.uk/2016/04/two-bytes-to-951m.html.
[8] After the war, the estate eventually became the home for Wilton Park, which is an institution whose mission is to bring together experts, policy makers, and thought leaders to discuss challenges to security, prosperity, and justice. Wilton Park takes its name from the estate in Buckinghamshire that was used as a prisoner of war camp during World War II and eventually the site where more than 4,000 Germans attended re-education classes to discuss democratic processes with visiting political figures and intellectuals after the war. See https://www.wiltonpark.org.uk/.
[9] Annual Financial Reporting Conference, Baruch College Robert Zicklin Center for Corporate Integrity World Continuous, New York, NY (May 2, 2019).
[10] In May 2017, the American Institute of Certified Public Accountants (AICPA) issued a guide on the performance of a new cybersecurity assurance engagement that would cover all cyber-related risks and controls at entities. AICPA, Guide: Reporting on an Entity's Cybersecurity Risk Management Program and Controls (May 1, 2017). That engagement has three parts. First, management provides a narrative description of the company's cybersecurity risk management program and the ways in which the company identifies, controls, and reduces its cyber risks. Second, management attests to whether the controls implemented are suitably designed and are operating effectively. Finally, the auditor opines on the accuracy and completeness of management's description as well as whether the cybersecurity controls are suitably designed and operating effectively to achieve the company's cybersecurity objectives.
[11] Paragraph A72 of AS 1215, Audit Documentation, Appendix A, Background and Basis for Conclusions.
[12] Paragraph .05 of AS 1015, Due Professional Care in the Performance of Work.
[13] PCAOB standards require an audit firm to have a system of quality control that provides reasonable assurance that firm personnel comply with applicable professional standards and the firm's standards of quality. Paragraph .03 of QC 20, System of Quality Control for a CPA Firm's Accounting and Auditing Practice.
[14] Center for Internet Security and Council on Cybersecurity, The Center for Internet Security and Council on CyberSecurity Launch a Nationwide Campaign for Basic Cyber Hygiene in Support of NIST Framework Adoption (Apr. 3, 2014). Available at https://www.prweb.com/releases/2014/04/prweb11732752.htm.
[15] Federal Trade Commission. "Equifax to Pay $575 Million as Part of Settlement with FTC, CFPB, and States Related to 2017 Data Breach" (July 22, 2019). Available at https://www.ftc.gov/news-events/press-releases/2019/07/equifax-pay-575-million-part-settlement-ftc-cfpb-states-related.
[16] Ponemon Institute, 2019 Cost of a Data Breach Study at 6 (July 2019). Available at https://www.ibm.com/security/data-breach.
[18] Society for Worldwide Interbank Financial Telecommunication, Three Years on From Bangladesh – Tackling the Adversaries (Apr. 2019). Available at https://www.swift.com/resource/three-years-bangladesh-tackling-adversaries.