Financial firms need to do more to fight cybersecurity threats, Treasury Secretary Jacob Lew told attendees at a financial conference on Tuesday.

Lew spoke at the 2014 Delivering Alpha conference produced by CNBC and Institutional Investor. The Department of Treasury released excerpts of his speech today.

There have been more than 250 distributed denial of service attacks against US financial institutions since 2011, Lew said. Attacks can come from various sources, including state-sponsored groups, cyber criminals, and politically motivated groups. While these attacks have just been disruptive and inconvenient, that doesn’t mean cyber attacks don’t pose a real threat to “our economic and national security,” he said.

A successful attack on the financial system “would compromise market confidence, jeopardize the integrity of data, and pose a threat to financial stability,” Lew said. A malicious individual can cause “catastrophic damage” without directly attacking a bank.

“It is imperative that firms collaborate with government agencies and with other firms,” Lew said. The Obama Administration’s strategy is to collaborate with the private sector to establish cyber-security best practices and improve information sharing, he said.

Companies still have the “primary responsibility” to protect themselves, but government can also play an important role to help enhance the protections. The government will also prosecute cyber-criminals, hold state-sponsored attackers accountable, and provide intelligence about specific threats.

“Far too many hedge funds, asset managers, insurance providers, exchanges, financial market utilities, and banks should and could be doing more,” Lew said. “Disclosing security breaches is often perceived as something that could harm a firm’s reputation. This has made many businesses reluctant to reveal information about cyber incidents,” Lew said.

Lew also called on Congress to pass tougher cybersecurity legislation. “Our laws do not do enough to foster information sharing and defend the public from digital threats,” he said. The legislation also needs to protect individual privacy and civil liberties, he said.

Firms can’t focus only on their own cybersecurity risks; they also need to consider the risks faced by anyone they work with, such as vendors, suppliers, and contractors. Firms should use the Obama Administration’s framework document for managing cyber risk in critical infrastructure, he advised.

“Just as you consider your counter-parties when you take on financial risk, you should also consider your counter-parties in the area of cyber risk,” Lew said.

“The consequences of cyber incidents are serious. When credit card data is stolen, it disturbs lives and damages consumer confidence. When trade secrets are robbed, it undercuts America’s businesses and undermines U.S. competitiveness,” Lew said.
