Financial Regulatory Forum

Cybersecurity should be a compliance issue, says expert

By Guest Contributor
August 27, 2013

By Emmanuel Olaoye, Compliance Complete

WASHINGTON, Aug. 27 (Thomson Reuters Accelus) – In March this year, a group of Islamic hackers announced that they were launching the latest phase of their denial of service attacks against the largest U.S. banks. The group, which called itself the Izz ad-Din al-Qassam Cyber Fighters, targeted the websites of banks including Bank of America, Wells Fargo, and PNC Bank.

Within days, customers of those banks were complaining of difficulties in accessing the institution’s websites.

The attacks highlighted the problems financial institutions are having with a particular type of cyber attack: Distributed Denial of Service attacks, and a reminder of looming responsibility for financial-firm compliance departments.

Hackers use DDoS attacks to overwhelm a financial institution’s network connection with the Internet with traffic. The Depository Trust Clearing Corporation has named DDoS attacks as one of the three types of attacks that pose a systemic risk to the financial system.

The DTCC, which settles the majority of securities transactions in the United States, said DDoS attacks against financial institutions have dramatically increased in the last 12 months. The cost from each minute of downtime from an attack is about $22, 000, according to a study by the Ponemon Institute in November 2012.

DDoS attacks are just one of several types of cyber attacks that regulators are warning financial institutions about. Traditionally, compliance departments have left the issue of cyber security with the folks in IT or Operations. But with regulators asking more and more questions, compliance may have to become more involved.

Gib Sorebo, the chief cyber security technologist at the technology solutions provider SAIC, says compliance professionals need to speak to their colleagues in IT or Information Security when a regulation is first introduced so that they know whether the firm has the technical capability to comply with the rule.

“The first conversation is understanding what the firm needs when compliance requirements come down … It is a lot easier if you have that conversation first about what is doable and not doable,” he said.

The role of compliance in cyber security will change in the future, Sorebo said. For example, the Gramm-Leach Bliley act of 1999 required financial institutions to establish standards to safeguard their customers personal financial information. The Sarbanes-Oxley corporate accountability reforms of 2002 required financial institutions to provide comprehensive reporting on their information security.

With regulators focusing more on cyber security, compliance will have to have “a more extensive cyber security program” instead of one more narrowly focused on protecting customer information, he said. Compliance departments will also need data to show regulators how well they are complying with a regulation.

“The compliance officer is going to have to define the overall compliance ecosystem he or she has to have to operate in. …They must certainly be prepared to address at a minimum how they are addressing all those compliance obligations,” he said.

(This article was produced by the Compliance Complete service of Thomson Reuters Accelus. Compliance Complete provides a single source for regulatory news, analysis, rules and developments, with global coverage of more than 400 regulators and exchanges. Follow Accelus compliance news on Twitter: @GRC_Accelus)

Post Your Comment

We welcome comments that advance the story through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can flag it to our editors by using the report abuse links. Views expressed in the comments do not represent those of Reuters. For more information on our comment policy, see http://blogs.reuters.com/fulldisclosure/2010/09/27/toward-a-more-thoughtful-conversation-on-stories/
  •