The financial industry has better cybersecurity than most others. But the audience at the Boston Fed’s 2016 Cybersecurity Conference on Monday heard that better is not enough, since cyber criminals are getting better all the time too.

Most security experts would agree with Kenneth Montgomery, first vice president and COO of the Federal Reserve Bank of Boston, that the financial industry is “the most regulated and the most prepared” of any to deal with constantly increasing and evolving cyber attacks.

But Montgomery, speaking at the Boston Fed’s 2016 Cybersecurity Conference on Monday, agreed that the scale and sophistication of the attacks means that no industry is bulletproof. As evidence, he cited the Symantec 2014 threat report, which found that 1 million new pieces of malware were being created daily.

Getting a bit closer to the bulletproof ideal was the focus of the annual conference, and Montgomery said one of the Fed’s efforts to do that is a threat-sharing group that meets once a month.

As he and several other speakers noted, the stakes are high, because although the financial sector’s security is better than that of other industries (particularly retail and health care), a major breach could have a catastrophic impact. Anjan Mukherjee, counselor to the secretary and deputy assistant secretary for financial institutions policy at the U.S. Treasury Department, noted that the financial sector is considered critical infrastructure, for good reason.

The Lehman Brothers collapse in 2008 demonstrated that “when a global bank fails, it produces shock waves across the world, and creates uncertainty and volatility,” he said, but added that a “significant software problem” at the Bank of New York more than 30 years ago, in November 1985, also disrupted securities trades.

“In one case it was insolvency, in the other a technical glitch,” he said. “But they both highlight the inherent connectivity of the financial markets.”

So a major cyber attack that brought down a major institution even temporarily would create “the very real risk of transmitting one institution’s stress to the rest of the market,” he said.

Peter Kuper, a partner at the high-tech venture capital firm In-Q-Tel, agreed. In a talk on the “unintended consequences” of a connected, global online economy, he noted that “everything of value is already online in one form or another. So cybercrime is only going to increase – that’s where the money is.”

Don Anderson, senior vice president and CIO at the Boston Fed, confirmed that. He said populations that have been traditionally “underbanked” are now gaining access to banking through mobile technology. “Fifty-seven percent have access to a smartphone, compared to 44% of the general population,” he said.

Mukherjee said the goal for banks and other financial institutions should be “to reduce the probability of an event happening, and if it does, minimize the cost,” through best practices. Those include:

- Use the NIST (National Institute of Standards and Technology) framework. “It is not a technical document,” he said. “It is a powerful tool that provides a common lexicon to facilitate communication within organizations and with outside third parties.”
- Know and catalog all vendors that have access to your systems and data.
- Make sure those third parties have appropriate cybersecurity practices, and conduct ongoing monitoring to make sure of it.
- Join FS-ISAC (Financial Services Information Sharing and Analysis Center). “Be mindful of privacy, but this is a group with 7,000 members, and it leverages knowledge of threat indicators,” he said.
- Practice response and recovery, to contain and mitigate. “Have an internal team and coordinate with external teams. Have a playbook and exercise it regularly,” he said.
- Have backup plans and work-arounds, to make critical payments and deliveries manually if necessary.

Kuper warned, however, that technology and systems will not be enough, since the human element remains the weakest link in the security chain. “It’s about stopping stupid,” he said, “since 77% of intrusions are through email. That’s the attack surface.”

Kuper said situations like an employee being offered $20,000 to put a malicious USB thumb drive into a system “happen all the time. We have to deal with insider abuse.”

Anderson acknowledged that phishing emails have gotten much more convincing. He said in one case, the Fed’s IT team sent out “test” emails to see if employees, including executives, would be fooled by them. “It looked legitimate,” he said, “and if I hadn’t been in a hurry, I might have clicked on it.”

Anderson said the bottom line is that “the bad guys have technology too. Now is the time to disrupt ourselves.”