Effective Cyber Defenses Are Essential: SIFMA CEO

Kenneth E. Bentsen, Jr.

Cybersecurity is a top priority for the financial services industry and everyone recognizes there are very serious consequences to not having strong cybersecurity protections in place, according to SIFMA President & CEO Kenneth E. Bentsen, Jr.

Speaking on the SIFMA Podcast, “Cybersecurity Readiness”, he said that effective cyber defenses are essential to protecting customers’ information and assets and to ensuring the efficient, reliable execution, settlement and payment of transactions, and that they are a foundational requirement for maintaining public trust and confidence in the resilience of our financial markets.

Bentsen said the securities industry is focused on protecting clients, their data, networks and operations from diverse cyber threats, including theft, disruption and destruction.

He added that SIFMA and its members continue decades-long work on a robust cyber-resiliency training exercise and planning protocol.

“Cyberattacks didn’t stop for COVID and, in fact, increased from WannaCry to SolarWinds. And to these increasingly bold ransomware attacks, the threat remains very, very high,” he said.

Bentsen said that the industry’s work over the last decade has also evolved and grown, but the threat remains.

Tom Price

Tom Price, Managing Director, Operations Technology & BCP, said that since 2011, SIFMA has conducted a series of biannual industry-wide resiliency exercises called Quantum Dawn, covering physical threats, cybersecurity, terrorism and natural-disaster risks. 

“One of the key objectives for these exercises is to ensure financial firms, SIFMA and the U.S. government crisis and incident management playbooks are synchronized to aid in the rapid response and recovery efforts of the impacted institutions, third parties as well as the financial markets and the entire financial services ecosystem,” he said.

SIFMA will host its sixth Quantum Dawn exercise later this fall, according to Price. 

“As the threat landscape continues to change, for this exercise we’ll be testing industry preparedness during a global ransomware attack and ensuring financial firms have robust ransomware recovery plans in place,” he said.

Tom Wagner

Tom Wagner, Managing Director, Financial Services Operations, highlighted SIFMA’s work on mitigating the insider threat and its development of global penetration-testing guidance, saying that since 2011 SIFMA has hosted quarterly insider-threat forums and developed best-practice guides to help financial firms develop effective insider-threat programs.

Price added that SIFMA is “constantly working to improve cyber defenses, resiliency and recovery” through massive monetary investments in technology and personnel, regular testing, best-practice development and industry tests, including its annual business continuity and REG SCI testing as well as the Quantum Dawn series.

The financial services industry is among the most highly regulated industries in the U.S., according to Bentsen.

He said that as regulators think about whether or not they want to enhance regulation in cybersecurity, they should take into consideration what this industry has already done as a critical sector.

“Effective regulation should be risk-based, threat-informed and flexible to account for different business models and available resources,” he stressed.

“We encourage U.S. regulators to continue to collaborate with the industry to understand the myriad of cybersecurity risks and what approaches have been working to mitigate those risks,” he added.

“We also want to ensure that there is timely disclosure of any material breaches so that our member firms can take the appropriate steps to immediately mitigate any risk breaches may cause and properly safeguard their institutions, customers and investors,” he said.

As cyber threats continue to evolve and attacks become more advanced all the time, Wagner said: “We really need to continue to coordinate, share best practices and really work together to keep our industry and, by extension, our clients safe.”

“We need to continually test our systems and our backups to ensure we have resiliency,” Price concluded.