Deputy US Treasury Secretary Sarah Bloom Raskin Urges Companies to Face Fast Growing Cybercrime

A PricewaterhouseCoopers survey reported the average loss attributed to cybersecurity incidents at $2.7 million—a 34 percent increase from 2013—and noted a 92 percent increase in entities reporting losses of $20 million or more.


U.S. Deputy Treasury Secretary Sarah Bloom Raskin, speaking to the CityWeek conference in London on Wednesday, said that cybercrime likely poses the biggest risk to companies across the world, and they need to do more to help governments tackle the problem.

“Each of us must recognize this risk is perhaps the most pressing operational risk of our time,” she said, adding:

“What does this mean about the pervasiveness and the vastness of the cyberthreat? We know that cyber attacks are growing in frequency, severity, and sophistication. Over the past year in the United States we have had a series of high profile attacks against U.S. firms and government agencies.

“But the United States is not alone. Last fall, the accounting and consulting firm PricewaterhouseCoopers released the results of its annual global information security survey of business executives. That survey, which included more than 9,700 participants from 154 countries, reported almost 43 million detected cybersecurity incidents in the prior year, a 48 percent increase over 2013.

“The survey also reported the average loss attributed to cybersecurity incidents at $2.7 million—a 34 percent increase from 2013—and noted a 92 percent increase in entities reporting losses of $20 million or more.

“According to the survey, Europe experienced a more than 40 percent increase in reports of cybercrime, compared to an 11 percent increase in North America.”

Raskin suggested we compare malicious cyber activity to our traditional understanding of crime. Unlike our notion of most traditional crime, she pointed out, borders pose no limits.

Once they embedded their malware in target companies’ systems, “these attackers assess the critical assets and vulnerabilities of target organizations and individuals,” she said. “The attackers can stay for days, weeks, months or even years; they need not dash out as soon as the sun comes up or when they hear homeowners pull into their garage. And, unlike a burglar, a cybercriminal faces very little immediate risk of arrest and can reach the same result from the comfort of his home with his laptop and by pressing a couple of keys.”

Raskin said companies could take initial steps to fight cyberattacks, including sharing threat information with other firms, vetting third-party vendors for risk, and preparing for major breaches.

Then she advised: “Rather than thinking of cyber risk as a newfangled technology and security risk, each of us—financial institutions and public institutions—must recognize this risk as perhaps the most pressing operational risk of our time.

“Of course it is more than just an operational concern. Given the ease of contagion within and across the financial sector and other critical infrastructure, and given the amount of consumer data held within the financial sector, it is also a systemic concern and a reputational concern.

“This means that instead of building greater cyber resiliency separate from, or siloed within, the financial institution, leaders like yourselves should enhance your current initiatives by demanding that your organizations embed particular resiliency features into existing control structures, business processes, and cultures.

“Instead of grafting cybersecurity controls on top of existing controls with a hope that they’ll stick, cybersecurity must become considered and intertwined in the development of fundamental components of processes so that cyber measures cannot be circumvented, removed, or defeated. Such an approach creates multiple levels of defense and enhances a cyber resiliency that is at the essence of an organization and its functions.”

“Cyber threats will continue to evolve, and challenges will change form, always requiring defenses and safeguards that are equally nimble and effective,” Raskin said, “But what is attainable is a more cyber-resilient financial system; aspiring toward a system where a threat is assumed to have permeated already, but keeping that threat from causing damage needs to be front and center in the consciousness and systems of financial firms.

“With each passing day, and with each intrusion, executives and officials at the senior-most levels of government and our financial institutions are grappling with how to improve resiliency from cyber attacks. The new reality is demanding that we collectively—regulators, governments, leaders of our critical financial infrastructure—embrace a shift in our thinking and approaches.”

“We will never eliminate intrusions,” Raskin said in conclusion, adding, “But that is not necessary. It is only necessary to mitigate intrusions, recover our systems, and protect consumers’ data. When we focus this way, we will surely find that advancing cyber resilience will promote a stronger system of essential intermediation, which will advance prosperity in all of our countries.”
