b'<html>\n<title>CYBERSECURITY: RISKS TO THE FINANCIAL SERVICES INDUSTRY AND ITS PREPAREDNESS</title>\n<body><pre>[Senate Hearing 115-307]\n[From the U.S. Government Publishing Office]\n\n\n                                                     S. Hrg. 115-307\n\n\n    CYBERSECURITY: RISKS TO THE FINANCIAL SERVICES INDUSTRY AND ITS \n                              PREPAREDNESS\n\n=======================================================================\n\n                                HEARING\n\n                               BEFORE THE\n\n                              COMMITTEE ON\n                  BANKING, HOUSING, AND URBAN AFFAIRS\n                          UNITED STATES SENATE\n\n                     ONE HUNDRED FIFTEENTH CONGRESS\n\n                             SECOND SESSION\n\n                                   ON\n\n        EXAMINING CYBERSECURITY ISSUES IN THE FINANCIAL SERVICES\n SECTOR, FOCUSING ON THE RISKS TO THE FINANCIAL SERVICES INDUSTRY FROM \n   CYBERATTACKS AND CYBER THREATS AND THE READINESS OF THE FINANCIAL \n                    SERVICES INDUSTRY TO COMBAT THEM\n\n                               __________\n\n                              MAY 24, 2018\n\n                               __________\n\n  Printed for the use of the Committee on Banking, Housing, and Urban \n                                Affairs\n\n\n                Available at: http://www.govinfo.gov/\n                \n                    U.S. GOVERNMENT PUBLISHING OFFICE                    \n31-197 PDF                  WASHINGTON : 2019                     \n          \n--------------------------------------------------------------------------------------\nFor sale by the Superintendent of Documents, U.S. Government Publishing Office, \nhttp://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center,\nU.S. 
Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free).\nE-mail, <a href="/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="285847684b5d5b5c404d4458064b474506">[email&#160;protected]</a>    \n\n            COMMITTEE ON BANKING, HOUSING, AND URBAN AFFAIRS\n\n                      MIKE CRAPO, Idaho, Chairman\n\nRICHARD C. SHELBY, Alabama           SHERROD BROWN, Ohio\nBOB CORKER, Tennessee                JACK REED, Rhode Island\nPATRICK J. TOOMEY, Pennsylvania      ROBERT MENENDEZ, New Jersey\nDEAN HELLER, Nevada                  JON TESTER, Montana\nTIM SCOTT, South Carolina            MARK R. WARNER, Virginia\nBEN SASSE, Nebraska                  ELIZABETH WARREN, Massachusetts\nTOM COTTON, Arkansas                 HEIDI HEITKAMP, North Dakota\nMIKE ROUNDS, South Dakota            JOE DONNELLY, Indiana\nDAVID PERDUE, Georgia                BRIAN SCHATZ, Hawaii\nTHOM TILLIS, North Carolina          CHRIS VAN HOLLEN, Maryland\nJOHN KENNEDY, Louisiana              CATHERINE CORTEZ MASTO, Nevada\nJERRY MORAN, Kansas                  DOUG JONES, Alabama\n\n                     Gregg Richard, Staff Director\n\n                 Mark Powden, Democratic Staff Director\n\n                      Elad Roisman, Chief Counsel\n\n                      Travis Hill, Senior Counsel\n\n                 Elisha Tuku, Democratic Chief Counsel\n\n            Laura Swanson, Democratic Deputy Staff Director\n\n           Corey Frayer, Democratic Professional Staff Member\n\n                       Dawn Ratliff, Chief Clerk\n\n                      Cameron Ricker, Deputy Clerk\n\n                     James Guiliano, Hearing Clerk\n\n                      Shelvin Simmons, IT Director\n\n                          Jim Crowell, Editor\n\n                                  (ii)\n\n\n                            C O N T E N T S\n\n                              ----------                              \n\n                         THURSDAY, MAY 24, 2018\n\n           
                                                        Page\n\nOpening statement of Chairman Crapo..............................     1\n    Prepared statement...........................................    26\n\nOpening statements, comments, or prepared statements of:\n    Senator Brown................................................     2\n\n                               WITNESSES\n\nBill Nelson, President and CEO, the Financial Services \n  Information Sharing and Analysis Center (FS-ISAC)..............     5\n    Prepared statement...........................................    26\n    Responses to written questions of:\n        Senate Banking Committee.................................    85\nMichael Daniel, President and CEO, Cyber Threat Alliance.........     7\n    Prepared statement...........................................    35\n    Responses to written questions of:\n        Senator Reed.............................................    90\n        Senator Warner...........................................    91\n        Senator Cortez Masto.....................................    91\nPhil Venables, Chief Operational Risk Officer, Goldman Sachs.....     8\n    Prepared statement...........................................    46\n    Responses to written questions of:\n        Senator Warner...........................................    94\n        Senator Cortez Masto.....................................    95\nCarl A. Kessler III, Senior Vice President and Chief Information \n  Officer, First Mutual Holding Company..........................    10\n    Prepared statement...........................................    47\nBob Sydow, Principal and Americas Cybersecurity Leader, Ernst & \n  Young LLP......................................................    12\n    Prepared statement...........................................\n    Responses to written questions of:\n        Senator Warner...........................................   
101\n        Senator Cortez Masto.....................................   106\n\n              Additional Material Supplied for the Record\n\nLetter submitted by the Credit Union National Association........   114\n\n                                 (iii)\n\n \n    CYBERSECURITY: RISKS TO THE FINANCIAL SERVICES INDUSTRY AND ITS \n                              PREPAREDNESS\n\n                              ----------                              \n\n\n                         THURSDAY, MAY 24, 2018\n\n                                       U.S. Senate,\n          Committee on Banking, Housing, and Urban Affairs,\n                                                    Washington, DC.\n    The Committee met at 9:28 a.m., in room SD-538, Dirksen \nSenate Office Building, Hon. Mike Crapo, Chairman of the \nCommittee, presiding.\n\n            OPENING STATEMENT OF CHAIRMAN MIKE CRAPO\n\n    Chairman Crapo. The Committee will come to order.\n    Today we will hear about cybersecurity in the financial \nsector. 
Today\'s witnesses come from a wide range of \norganizations and can provide us with insight on the threats \nfaced by and the preparedness of the financial sector when it \ncomes to cyber.\n    Four years ago, this Committee held a similar hearing where \nI noted that a recently aired ``60 Minutes\'\' segment called \n2014 ``the year of the data breach.\'\'\n    Given the various data breaches over the past few years, \nmost notably the Equifax data breach last year, I am not sure \nthat 2014 still holds that title.\n    As our society increases its reliance on technology and \nbecomes accustomed to immediate access to information and \nservices from companies, the risk of--and the potential damage \ncaused by--data breaches continually increases.\n    Americans are becoming more aware of the amount of \ninformation, including personally identifiable information, or \nPII, that is stored by companies, and there is a growing \nrealization that this information can be stolen or misused.\n    The collection of PII by both the Government and private \ncompanies is something that has long troubled me. Many question \nhow both use the data collected and how such data is secured \nand protected.\n    The collection and use of PII will be a major focus of the \nBanking Committee moving forward, as there is broad-based \ninterest on this Committee in examining it.\n    Today we will hear from our witnesses regarding \ncybersecurity and about the risks to the financial services \nindustry and its preparedness.\n    We have heard from many regulators before this Committee \nabout their focus on and oversight of cybersecurity and how it \nis critical to the operations of companies and our markets. \nThis is especially true for companies in the financial services \nspace.\n    The financial sector itself is a main target for hackers \nbecause, as many have said, ``that\'s where the money is.\'\'\n    Banks are under constant attack every day. 
Because of this, \nthey and other firms in the financial services industry have \ndevoted substantial resources to protecting information \nsystems, and the industry is widely viewed as one of the most \nadvanced sectors in terms of prioritizing cybersecurity.\n    Today I hope to learn more about: the risks to the \nfinancial services industry from cyber attacks and cyber \nthreats; the work being done in the financial services industry \nto increase cyber readiness, combat cyber attacks, and increase \nresiliency; and what more needs to be done by the private \nsector and Government to help protect companies\' and consumers\' \ninformation.\n    It is critical that personal data is protected, consumer \nimpact in the event of a data breach is minimized, customers\' \nability to access credit and their assets is not harmed, and \nthe financial sector is resilient enough to continue to \nfunction despite a cyber breach at a financial sector company.\n    I will welcome our witnesses again, but welcome. And, \nSenator Brown, you may proceed.\n\n               STATEMENT OF SENATOR SHERROD BROWN\n\n    Senator Brown. Thank you very much, Mr. Chairman. Thank you \nfor holding this hearing today.\n    This Committee last considered cyber preparedness of \nfinancial institutions 3 1/2 years ago. Since then, \nsophisticated, targeted cyber attacks have become all too \nfrequent, exposing the personal information of millions of \nAmericans, costing our economy hundreds of millions of dollars.\n    Cutting corners on cybersecurity risks real harm to real \npeople\'s lives. Each data breach or each cyber heist that makes \nthe news seems larger than the one before, and after a while, \nwe barely raise an eyebrow. But think about a family trying to \nget a mortgage who finds out that their credit score has been \nwrecked through no--they do not have knowledge about it and it \nhas been wrecked through no fault of their own. 
It is clear \nthese risks to the financial system and Americans\' personal \ndata are growing.\n    Today\'s hearing will give us a window into how the \nfinancial services sector works on cyber preparedness, fighting \ncyber attacks, promoting cooperation among private and public \nentities.\n    Financial institutions must work diligently not just to \nmaintain standards set by industry and Government, but also to \nimprove protections for financial infrastructure and customer \ndata whenever possible. As risks increase and threats become \nmore advanced, financial institutions and Government agencies \nmust facilitate and encourage information sharing.\n    Banks certainly have the resources to invest in protecting \ntheir customers. The FDIC reported on Tuesday that banks are \ndoing better than ever. Including the benefit from the tax \nbill, net bank income increased 27 percent compared to 2017. \nThat has been consistent, in most cases double-digit profit \nincrease over most of the last 8 years. Even without the tax \nbenefits Republicans in Congress bestowed on the largest \ncorporations and the wealthy, bank profits would have been up \n12.6 percent from a year ago.\n    Record profits for banks should not just mean that top \nexecutives get bigger bonuses and the largest shareholders \nbenefit from stock buybacks and dividends.\n    Banks should be investing in their businesses, whether it \nis cybersecurity or a living wage for their employees. I \nremember the average teller in this country makes $26,000 a \nyear. Rather than lobbying to be let off the hook from rule \nafter rule, the Nation\'s largest banks should focus their time \nand effort on securing financial infrastructure against attacks \nand protecting sensitive consumer data.\n    Law enforcement also plays a critical role in assessing and \nwarning about cyber threats, and its ability to share sensitive \ncyber threat information more quickly will help combat those \nthreats. 
I know there has been good work done in this area. We \nneed to build on it. We cannot let up now. And that is why I am \nglad the five of you are here.\n    A secure and resilient financial system is the foundation \nof commerce and our economy. There is always the risk that \ncyber thieves will try to steal money and consumers\' personal \ndata or that a hostile country will seek to disrupt our \nfinancial system. We cannot risk undermining faith in that \nsystem.\n    It would take just one cyber attack to undermine our trust \nin financial institutions. Once that happens, it will take more \nthan hearings, legislation, or policy changes to restore that \ntrust.\n    I look forward to hearing all of you address these issues. \nThank you all for joining us.\n    Chairman Crapo. Thank you, Senator Brown.\n    We will now move to our witnesses and their testimony. We \nhave with us five excellent witnesses today, and I will briefly \nintroduce Mr. Nelson, Mr. Daniel, and Mr. Venables, and Senator \nBrown will then introduce our two witnesses from Ohio.\n    Senator Brown. Thank you.\n    Chairman Crapo. Mr. Bill Nelson is president and CEO of the \nFinancial Services Information Sharing and Analysis Center, \nalso known as FS-ISAC, and has held such a position since 2006. \nFS-ISAC is a nonprofit association dedicated to protecting the \nglobal financial services industry from physical and cyber \nattacks. Its members include organizations from banks, credit \nunions, securities firms, and insurance companies.\n    Mr. Michael Daniel is the president and CEO at the Cyber \nThreat Alliance. CTA was formed in 2014 through an informal \nagreement to share intelligence among Fortinet, McAfee, Palo \nAlto Networks, and Symantec. Prior to joining the CTA, Mr. \nDaniel served from June 2012 to January 2017 as Special \nAssistant to President Obama and Cybersecurity Coordinator on \nthe National Security Council staff.\n    Mr. 
Phil Venables is the managing director and head of \noperational risk management and analysis at Goldman Sachs. Mr. \nVenables has been at Goldman Sachs 18 years. His first 16 years \nhe served as Goldman\'s chief information security officer, or \nCISO, before moving into a wider role in Goldman\'s Risk \nDivision. Mr. Venables serves on the executive committee of the \nU.S. Financial Services Sector Coordinating Council for \nCritical Infrastructure Protection and is co-chair of the Board \nof Sheltered Harbor.\n    Senator Brown.\n    Senator Brown. Thank you, Mr. Chairman.\n    It is my pleasure to introduce two Ohioans on this panel. I \ndo not get this honor that often, so thank you.\n    Carl A. Kessler III is a senior vice president, chief \ninformation officer of First Mutual Holding Company, 25 years \nof experience in technology, 15 in banking at super-regional \nand community banks, of which Ohio has a number of them. While \nworking in banking, Mr. Kessler has tackled a broad range of \ncybersecurity issues, from building banking websites to \ndesigning security architecture. He began his career at the \nDepartment of Defense after graduating from the Honors College \nat Ohio University. Welcome. And Tom Fraser, the bank\'s CEO, \nand Mr. Kessler both do a really important and crucial job \nserving the banks\' customers in northeast Ohio. The bank is \nlocated in Lakewood, Ohio, west of Cleveland. Welcome, Mr. \nKessler.\n    Bob Sydow is a principal at Ernst & Young and Americas \ncybersecurity leader. He has more than 30 years of experience \nworking with Fortune 500 companies and all aspects of \ninformation security, data protection and privacy, identity and \naccess management, cyber threat management, and cyber \neconomics. I met with Mr. Sydow this week. I was impressed with \nhis expertise in all things cybersecurity, and I was also \nimpressed with his knowledge of all things Cincinnati Reds. 
\nWhile I am a Cleveland Indians fan in the other end of the \nState, I urge any of you that are baseball fans in this \naudience to at least one time go to a Cincinnati Reds opening \nday. It is a celebration of America\'s first baseball team. \nCincinnati is a baseball town, and I have been to opening day \nhalf a dozen times there, and it is something, if you love \nbaseball, you want to experience. But Mr. Sydow has promised if \nany of you will go, he will give you tickets and give you a \ntour----\n    [Laughter.]\n    Senator Brown.----and tell you all things Cincinnati Reds \nhistory.\n    So thanks to the both of you for joining us.\n    Chairman Crapo. Thank you, Senator Brown, and I think I \nwill try to take you up on your suggestion. I will not take the \ntickets, however.\n    Gentlemen, we appreciate you being with us today and \nbringing your expertise to assist us with this issue. We will \nproceed in the order that you were introduced. I remind you \nthat we ask you to keep your oral remarks to 5 minutes. You \nhave a little clock there that is supposed to help you. And \nthis is one of those days where we are jammed for time, hence \nthe reason we moved the time of the hearing up. Both Senator \nBrown and I are a little jammed for time. So I am reminding our \nSenators as well that we want you to keep yourselves to your 5-\nminute limit, if you can do so. Actually, we will try to help \nyou do so.\n    Mr. Nelson, you may proceed.\n\n  STATEMENT OF BILL NELSON, PRESIDENT AND CEO, THE FINANCIAL \n   SERVICES INFORMATION SHARING AND ANALYSIS CENTER (FS-ISAC)\n\n    Mr. Nelson. Thank you. Thank you, Chairman Crapo and \nRanking Member Brown and other Members of the Committee, for \ninviting me to speak today. I do not have one of the timers, so \ncut me off if I go over 5 minutes.\n    Chairman Crapo. Well, if you hear this sound [banging \ngavel] that means the bell rang.\n    Mr. Nelson. 
I will discuss the topics that you mentioned\nalready: cyber risks, efforts by the financial services \nindustry to increase cyber readiness, and what more needs to be \ndone by the\nprivate sector and Government to help protect companies\' and \nconsumers\' information.\n    As you mentioned in the intro, I have been CEO of FS-ISAC \nsince 2006 and have seen some major changes occur in the last \n12 years. I think the biggest change has been the growing \nsophistication and volume of cyber threats and attacks.\n    In response, the financial services sector has made \nsignificant investment in cyber defenses and has come together \nas a community to back major resiliency efforts. I have also \nwitnessed an evolution of the public-private partnership. Today \nthe financial services industry receives tremendous benefit \nfrom that partnership that enables cyber threat intelligence to \nflow to the sector and improve detection, prevention, and \nresponse to cyber threats and other risks.\n    By way of background, you mentioned that FS-ISAC is a \nprivate sector, nonprofit organization. We have been around \nsince 1999, and our formal mission is provided in the written \ntestimony. If I could sum it up in maybe just a few words, it \nis really to protect the financial services sector.\n    There is an inherent strength in sharing derived from three \nfundamental pillars: one, the public-private partnerships; two, \ncross-sector sharing; and, most importantly, three, member-to-\nmember sharing. We often think of FS-ISAC as a virtual \nneighborhood watch where financial institutions really keep an \neye out for each other. 
One company\'s reported incident can \nhelp the entire sector respond and prevent the same attack from \naffecting their firm.\n    Driven by the direction of our membership, FS-ISAC performs \na number of key critical functions: we share threat and \nvulnerability information; we conduct coordinated exercises, \noften with our Government partners; we manage rapid response \ncommunications for both cyber and physical events; we produce \neducation and training programs; and we foster collaboration \nwith other key sectors and with Government agencies.\n    We have grown rapidly in recent years. When I started, we \nhad a little bit under 200 members. We have about 7,000 \ncompanies that belong to FS-ISAC today. These include, like you \nmentioned earlier, commercial banks, credit unions, but also \nstock exchanges, clearinghouses, brokerages, investment firms, \ninsurance companies, payment processors, and financial services \ntrade associations. We are headquartered in Reston, Virginia, \nand have expanded globally with members in 44 countries today, \nand we have a team of over 100 staff and consultants in eight \ncountries across five continents. That is a long way from when \nI started in 2006 when we had me and about five outsourced \npeople. That was it. So we have grown really in response to the \nthreat.\n    Each day, cyber risks evolve as attacks increase. We have \ninvested a significant amount of money, but they continue, \nthese cyber threat actors, to target the financial services \nsector. Their motivation varies. It can be corporate espionage. \nIt can be stealing money. It can be launching disruptive \nattacks like we saw in 2012 and 2013 against about 50 financial \ninstitutions, and even destructive attacks.\n    As they grow in their sophistication targeting, the primary \nevidence of these attacks are the types of attacks leveraged \nagainst financial institutions to steal money and disrupt. 
They \ninclude things like phishing; targeted email spear-phishing \ncampaigns\nresulting in account takeover where they steal your money; also \nbusiness email compromise which involves the compromise of \nlegitimate business email accounts to initiate unauthorized \nwire\ntransfers or ACH; ransomware attacks, we all know about that; \ndistributed denial of service attacks, which can impede access \nto online services; and data breaches, which steal sensitive \ninformation.\n    I think the sector has really come together in a proactive \nmanner. As a result, we have greatly expanded our products and \nservices to our members. We have devoted a large number of \nresources to really tailor them to smaller financial \ninstitutions and their service providers. At the same time, we \nhave enhanced our analysis of threats and best practices for \ndefending against those threats.\n    We have expanded our exercise program, which includes an \nannual cyber attack against payment systems, or CAPS exercises, \nwith thousands of participants last year, and have introduced \nthe new cyber range program that allows members to have hands \non keyboards, to gain experience to respond effectively to a \nreal-live cyber attack. And we have improved our capability to \nrespond to major cyber and physical incidents, including \nemergency member calls. The last couple, we have had over 3,000 \nmembers participate on. And we have expanded our in-person \nonline member training programs.\n    In addition to these efforts, we have also created two new \nsubsidiaries--one to add an extra layer of security for \nconsumer accounts, and the other to reduce systemic risk. At \nthe request of leaders in the industry, we established the \nSheltered Harbor in 2016 to enhance the industry\'s resiliency \ncapabilities in the event of a major disaster or event.\n    In conclusion----\n    [Laughter.]\n    Mr. Nelson. 
I provide more details in my written statement, \nbut let me highlight four recommendations. We are encouraging \nregulators to harmonize their cyber regulatory requirements, \nleverage authorities in the Cyber Information Sharing Act, \nCISA, and the USA PATRIOT Act to implement more effective \ninformation-sharing programs; number three, establish cyber \ndeterrence and response capabilities, encourage adoption of \nglobal cyber norms; and four, support efforts to develop a \ntechnology-capable workforce.\n    Thank you very much. Thank you for the opportunity.\n    Chairman Crapo. Thank you for your flexibility. And we do \nread your written testimony very carefully. I want you to know \nthat.\n    Senator--I mean Mr. Daniel. I just about made you one of \nus. That probably was a demotion.\n    [Laughter.]\n\n STATEMENT OF MICHAEL DANIEL, PRESIDENT AND CEO, CYBER THREAT \n                            ALLIANCE\n\n    Mr. Daniel. Well, thank you very much. Thank you, Mr. \nChairman, Ranking Member, other distinguished Members of the \nCommittee. Thank you for the opportunity to come and speak with \nyou this morning.\n    What I think I can do is provide sort of a strategic \noverview of the threat context in which this industry is \noperating and then talk a little bit about what we have done to \ntry to tackle the problem and where we need to go going \nforward.\n    When you look out at the landscape, because we live in a \ndigital age, almost everything in our country is now heavily \ndependent upon the internet and cyberspace. And so, therefore, \nthese threats affect all of us. But the threat is actually \ncontinuing to get worse, and it is getting worse in four ways.\n    One is it is becoming broader. As we create this Internet \nof Things, we keep hooking more and more of stuff up to the \ninternet. And it is not just laptops and desktops anymore. It \nis your watch, your phone, your car, your light bulbs, a whole \nplethora of different devices. 
The threat is becoming more \nprevalent as more and more malicious actors, whether they are \nnation states or criminals, realize that they can try to \nachieve their goals by operating through cyberspace. The threat \nis becoming more dangerous as those actors are willing to \nundertake more and more destructive activities. If we had been \nhaving this hearing back when Bill first joined the FS-ISAC, we \nwould have been talking a lot about website defacement. None of \nus talk about that anymore because that is the least of our \nproblems.\n    And then, finally, the threat is becoming more disruptive. \nAs I mentioned, with our digital dependence, as it increases, \nthings that used to be merely irritating now pose, you know, \norganizational existential questions. You know, I often say \nthat when I first started working for the Federal Government in \n1995, if the network went down, we just did something else for \nthe day. You know, we worked on our noninternet-connected \ncomputers or we held meetings over the phone or did other \nthings. And now if the network goes down, you pretty much send \nyour workforce home because you cannot do anything.\n    Now, for the financial services industry in particular, you \nknow, they also face challenges related to both criminal and \nnation-state-enabled cyber theft, and those are a real problem \nfor the industry. But it is also becoming clearer that the \nthreat of disruption, those nation states that target the \nindustry for the purpose of inflicting economic harm on the \nUnited States and the West is becoming a more prevalent threat \nas well.\n    Now, one thing I want to hit on is actually there is a real \nquestion in here about exactly why cybersecurity is a hard \nproblem, because at the surface of it, it looks like it should \nnot be. After all, it is just computers and code. And so there \nis a question of why we simply cannot create a technical fix to \nthis problem. 
But the\nanswer is because cybersecurity is not just a technical \nproblem. While there are technical issues about it, it is also \nan economics issue, a business operations issue. It is a human \npsychology issue. And it is a national security issue. And it \nis all of those things rolled into one.\n    Cyberspace also plays by different rules than the physical \nworld, so a lot of our analogies for how to do things and how \nto actually go about securing things in the physical world do \nnot work in an environment that is a notable network that \noperates at light speed, where the concepts of time and \ndistance and proximity all have different meanings and borders \nthan they do in the physical world.\n    And then, finally, this is a new environment. Stretching it \nto the maximum, cyberspace is barely older than me. And we have \nnot had time yet to develop the body of law and policy and \npractice that we need to operate effectively in cyberspace.\n    Now, we have certainly made a lot of progress over the last \n20 years, including particularly within the financial services \nindustry. I certainly agree with the characterization of the \nindustry as one of the most, if not the most advanced sector in \nthe country. And the level of investment from the FS-ISAC to \nthe Systemic Analysis and Resilience Center, Sheltered Harbor, \nthe investments that this industry has made are tremendous. But \nI do think that there is more that we can do on both the \nindustry side and on the Government side. 
I think in particular \non the Government side there is a real need to look at how the \nGovernment can focus on its comparative advantage where it has \ncapabilities that the private sector does not and leverage the \ncomparative advantage of the private sector where the private \nsector has capabilities that the Government does not have.\n    The Government can also focus on incentivizing good \ncybersecurity behavior, and we could talk about that in the \nQ&A.\n    And then, last, on the industry side, I think continuing to \ninvest and having the industry figure out how the larger \ninstitutions can help the smaller institutions that do not have \nthe same level of capability also make progress in their \ncybersecurity is a very necessary step.\n    So, with that, I will conclude my opening remarks. Thank \nyou very much.\n     Chairman Crapo. Thank you, Mr. Daniel.\n    Mr. Venables.\n\n  STATEMENT OF PHIL VENABLES, CHIEF OPERATIONAL RISK OFFICER, \n                         GOLDMAN SACHS\n\n    Mr. Venables. Thank you. Chairman Crapo, Ranking Member \nBrown, and other Members of the Committee, thank you for this \nopportunity to testify at this hearing today. As we all know, \nthis is an increasingly important topic.\n    A number of factors are contributing to increased risk \nacross the financial services sector, and this is primarily due \nin many respects to the digitalization of finance and the \nglobally interconnected nature of the system. The same trends \nthat are increasing the benefits of the global financial system are \nalso bringing on these new and enhanced risks.\n    On threats, as Bill and Mike have described, we are seeing \nincreased threats from organized criminal groups and nation \nstates for various different motivations around the world, and \nit is also worth reminding ourselves that we are not just \nfacing cybersecurity risks. 
We are also seeing many risks in \nrelation to how technology is managed and provided, risks from \nresilience issues and software errors. And so while \ncybersecurity is tremendously important, it is also significant \nto focus on technology risk in general.\n    It is critical to have shared defenses across the sector so \nthat all institutions, large and small, can learn from each \nother\'s best practices and so that threat information can be \nshared among firms, reducing the likelihood that attackers can \nexecute their strategies without response.\n    We have a long history of robust information-sharing \nprocesses, and as Bill describes, the FS-ISAC is acknowledged \nas a preeminent example of such capability. We have established \ntighter coupling between the major firms using the Financial \nSystemic Analysis and Resilience Center, the so-called FS-ARC. \nAnd also under the Department of Treasury\'s leadership with \nvarious different initiatives through the Sector Coordinating \nCouncil, we have also increased sector-wide resilience, \nincluding formalized sector-wide drills and exercises that have \nspawned other initiatives, like Sheltered Harbor--an initiative \nto encourage and demand institutions maintain immutable data \nvaults to resist cyber attack.\n    Turning our attention to regulators and regulation, we \nbenefit from a number of strong regulators across the financial \nsector that stipulate cybersecurity and other controls that \nreduce the risk of major incidents. This includes regular \nexaminations and reviews. 
We continue to support the need for \nharmonization across regulation, domestically and globally, and \nwe commend the efforts to date from the industry and regulators \nand Government on the use of the NIST Cybersecurity Framework.\n    Notwithstanding the strong relationship between the public \nand private sectors, we continue to focus on improvements here, \nparticularly around metrics to make sure that we are able to \nquantify the value and timeliness of the information flow \nbetween the public sector and private sector.\n    Despite all this coordination and response to cybersecurity \nthreats, risk still remains, and we need to continue to be \nvigilant to adjust the defenses of individual firms and the \nsector as a whole by making sure we adopt innovative approaches \nto protecting customer data as well as making sure that we are \nprotecting the services that we offer. The goal here is to \nreduce single points of failure and also single focal points of \nattack.\n    Finally, I would recommend all organizations that operate \ncritical public services or protect customer data adopt strong \ndefenses and security programs based on a number of different \napproaches, specifically:\n    Integrate cybersecurity into the fabric of organizations, \nfrom business risk management processes, strategy and product \ndevelopment to the foundation of how the technology is built \nand operated.\n    Second, improving capabilities amongst people, processes, \nand technology. There needs to be continued emphasis on the \nembedding of controls into critical technology products and \nservices. We need secure products, not just security products. \nWe should also recognize that cybersecurity risk mitigation is \nnot solely the responsibility of designated cybersecurity \nprofessionals but is, perhaps more importantly, in the domain \nof leadership, risk managers, and engineers at all levels of \norganizations. 
In other words, we need more security-minded \npeople, not just security people.\n    And, finally, design for defensibility. Our goal should be \nto design our technology and information processing \nenvironments to be more inherently defendable and resilient in \nthe face of attacks, and we have to keep examining our global \nsupply chains to look for security issues and avoid excess \nconcentration risk in services and geographies.\n    Thank you, Mr. Chairman, for allowing me to provide this \ninput, and I look forward to taking questions as we go through \nthe panel. Thank you.\n     Chairman Crapo. Thank you.\n    Mr. Kessler.\n\n  STATEMENT OF CARL A. KESSLER III, SENIOR VICE PRESIDENT AND \n    CHIEF INFORMATION OFFICER, FIRST MUTUAL HOLDING COMPANY\n\n    Mr. Kessler. Chairman Crapo, Ranking Member Brown, and \ndistinguished Members of the Committee, thank you for the \nopportunity to testify before you today.\n    I will share the unique perspective of a front-line \npractitioner on the practical pros and cons of cybersecurity \nregulation, information sharing, and community bank \ncollaboration.\n    Two key regulatory changes have positively improved the \napproach of community banks in managing cybersecurity risks. In \nthe wake of the Dodd-Frank Act reforms, supervision of our \naffiliate banks migrated from the OTS to the OCC. In the last \nfew years, FFIEC established the Cybersecurity Assessment Tool, \nor CAT. These changes have led to an ongoing dialogue with \nregulators. The CAT provides a standard way to assess risk and \nprovides guidelines for what controls might be appropriate.\n    Highly trained examiners are critical. Because of the \nchanging nature of the threat environment, an exam is never a \nstatic, check-the-box activity. It is always a dynamic \nconversation. 
My recommendation to this Committee is to ensure \nthe consistent availability of highly trained IT examiners \nwhose skills are in high demand in both the public and private \nsectors.\n    Another consideration for this Committee is to ensure that \nsimilar cybersecurity rigor exists among nonbank financial \nservices companies. How do we safeguard customer data at \ncompanies that are outside the oversight of prudential \nregulators?\n    Community banks rely heavily on a network of third-party \nservice providers. While we always maintain primary \naccountability for safeguarding customers\' information, a \nsignificant portion of the risk lies with core processors, \npayments networks, and large providers.\n    This concentration of financial services into a few \nproviders\ncreates both advantages and challenges. One challenge is that \nthe current system relies on a high degree of blind trust in \nthe service provider with limited transparency. We depend on \nour regulator to\nexamine our service providers and identify patterns of \ncompromise and ensure remediation. At the same time, law and \nregulation\nrequire us to monitor the effectiveness of our service \nprovider\'s controls. This opaque approach runs contrary to best \npractices in vendor management.\n    One solution might be to create a cybersecurity scorecard \naggregating data from many sources including regulatory \nreviews. This scorecard would impact vendor selections and \ncreate positive momentum toward control improvements.\n    It is most critical that we have timely access to \ninformation sharing of active threats through public and \nprivate partnerships. The key for banks is that a comprehensive \necosystem of financial service providers shares threat \ninformation in real time to an entity qualified to analyze, \nverify, and then communicate it back digitally to our bank \nwhere we can use it to adapt our controls. 
We need our third-\nparty providers to share cyber threat information quickly with \nindustry partners like FS-ISAC, the goal being to respond in \nseconds or minutes rather than days or weeks.\n    Timely information sharing is foundational to the \nindustry\'s ability to combat a cyber threat. We cannot act on \ninformation we do not have. Important questions remain \nregarding if, when, and how businesses can share threats. There \nis still a great reluctance to share information. Liability, \ncontract, and privacy concerns are the most often cited \nreasons. While customer notification and privacy laws are \nclearly needed, simplification and modernization of the \nrelevant laws and regulations should enable information \nsharing. This is a good time to re-examine the effectiveness of \ncybersecurity law. Certainly, any solution must guard against \nshifting the liability to consumers from those who failed to \nprotect their data.\n    Our mutual holding company is faced every day with the \nchallenges required to implement an information security \nprogram. We deliver that same program to our affiliate banks in \na manner that they otherwise could not afford, design, or \nstaff. In our three affiliations, we have preserved a local \nbanking presence, improved security controls, and done so at a \nminimal marginal cost. This has proven a game changer for our \naffiliates.\n    In summary, the best way to protect consumers is to \nincrease transparency and information sharing within the \nfinancial services cybersecurity ecosystem. This Committee \ncould help move this forward by encouraging the transparency of \nthe performance of third-party service providers. You can also \nhelp by passing legislation which further encourages \ninformation sharing so that active threats are identified and \nmitigated in minutes.\n    Thank you for the opportunity to testify before you today. 
\nI stand ready to work with you in any way that I can to protect \nconsumers and our financial system, and I look forward to \nanswering your questions.\n    Chairman Crapo. Thank you, Mr. Kessler.\n    Mr. Sydow.\n\n  STATEMENT OF BOB SYDOW, PRINCIPAL AND AMERICAS CYBERSECURITY \n                   LEADER, ERNST & YOUNG LLP\n\n    Mr. Sydow. Thank you, Chairman Crapo, and thank you, \nRanking Member Brown, for that kind introduction. The Reds need \nhelp.\n    My name is Bob Sydow. I am Ernst & Young\'s (EY) Americas \ncybersecurity practice leader. I refer the Committee to my \nwritten testimony on details on my remarks.\n    Cyber attacks are on the rise. No organization, large or \nsmall, public or private, is immune to the threat. Our clients \nface three significant challenges: emerging interconnected \ntechnologies drive fundamental transformations and create \ncomplex third-party ecosystems; the volume, velocity, and \nprecision of attacks; and the shortage of cybersecurity \nresources and skilled professionals.\n    EY works with clients across all sectors, and many should \nbe commended for their efforts. In my experience, financial \nservices, especially the largest banks, are considered best in \nclass, not only in terms of organization and investment but \nalso for leading engagement with stakeholders across the \necosystem.\n    Large banks are accustomed to higher levels of regulatory \nscrutiny, and their third-party risk management programs tend \nto be more mature and robust. But challenges remain. Today \nfinancial institutions deal with third-, fourth-, and fifth-\nparty risk. In addition to vendor risk most institutions \nstruggle to secure resources and talent. Experienced cyber \nprofessionals are in high demand. 
Often small firms turn to \nthird-party providers to meet those needs.\n    There is no one-size-fits-all solution, so I will focus on \nthree areas where EY believes risks can be mitigated: corporate \ngovernance and risk management, the AICPA Cyber Reporting \nFramework, and policy solutions.\n    Ultimately, the board is responsible for governing a \ncompany\'s risk appetite and providing credible challenge to \nmanagement. By doing so, boards help protect investors and \nenhance the company\'s value and performance. Banks use a three-\nlines-of-defense risk management model. The larger ones are \nadopting this model for cyber. EY considers this a best \npractice. Increasingly, regulators, investors, and others want \nfinancial institutions to build cyber resiliency strategies \ninto the three lines.\n    Another challenge is understanding and communicating about \na cyber program\'s efficacy. While NIST and others have \ndeveloped implementation guidance, there has been no means to \nevaluate and report on program effectiveness. This distinction \nis subtle but significant.\n    In response, the American Institute of CPAs recently \ndeveloped the Cyber Risk Management Evaluation and Reporting \nFramework. This is voluntary and can provide stakeholders with \nreasonable assurance that the identification, mitigation, and \nresponse controls are in place.\n    No framework can guarantee against a breach, but the AICPA \ncyber risk model can offer an independent, validated \nunderstanding of a company\'s systems, processes, and controls. \nUnfortunately, there is no single legislative, regulatory, or \nmarket solution\nthat can guarantee against a cyber event. Bad actors are not\nconstrained by regulatory, liability, or jurisdictional issues \nlet alone ethics.\n    Policymakers and the business community should work \ntogether to foster collaboration and improve intelligence \nsharing. 
We need flexible and harmonized policy solutions that \nrecognize the dynamic challenge of cybersecurity and clarify \nconflicting directives.\n    We need to balance the need for compliance with a need to \nmanage cybersecurity and protect consumers. EY believes \ncompanies that engage in good-faith efforts, establish \nenterprise cyber risk management frameworks, and adopt best \npractices should be recognized, especially relative to \nliability and penalty measures.\n    Finally, EY encourages Congress to support modernization of \nGovernment\'s cyber posture, to focus on developing solutions to \naddress cyber workforce shortages, and to educate the public \nand help the country as a whole improve its cyber hygiene. EY\'s \npurpose is to build a better working world, and so I thank you \nfor providing the firm an opportunity to share our views and \nexpertise. I welcome your questions.\n    Chairman Crapo. Thank you very much, Mr. Sydow.\n    In the interest of time, I am going to go last, if there is \ntime before I have to leave, and so I will turn first to \nSenator Brown.\n    Senator Brown. Thank you, Mr. Chairman.\n    Mr. Kessler, do you think the current baseline for \nprotection of consumer information is adequate? Or would you \nlike additional control over how your personal information is \nstored or used by financial institutions?\n    Mr. Kessler. Well, I think we are all interested in knowing \nwhat is happening with our personal information. I am \npersonally assured when I am able to receive real-time alerts \nof when that information is changed, when it is affected, and \nchanges to my credit reports. I think that there are obviously \nopportunities to continue to share more information with our \nconsumers in that respect.\n    Senator Brown. 
And when there is a breach involving \npersonally identifiable information, I assume you think it is \nimportant for a financial institution to quickly notify \ncustomers, giving them the ability to protect themselves by \nfreezing or monitoring their credit file?\n    Mr. Kessler. Certainly, we like to take--as a mutually \nowned community bank, we like to take all the necessary actions \nto protect our customers in a timely way. So, yes, we find it \nvery important to notify the customers as soon as is practical \nafter working with the necessary law enforcement officers.\n    Senator Brown. Thank you.\n    Mr. Sydow, many community bank IT services are provided \nthrough large third-party service providers. Talk about the \neconomies of scale when it comes to cybersecurity that \ncommunity banks benefit from by using large service providers.\n    Mr. Sydow. Well, it is a matter of resource, Senator Brown. \nThe larger organizations can afford the staff and recruit and \nretain the kind of talent that you need in a cybersecurity \ndepartment and the focus that they can provide. They have the \nresources to buy the technologies and install and implement \nthose that a smaller organization would not have. So if a \nsmaller bank were to use those services, they have access to \ncybersecurity kind of resources that they would not have if \nthey tried to do that in-house or on their own.\n    Senator Brown. OK. Thank you. President Obama in 2009 \nestablished the position of White House Cybersecurity \nCoordinator to work straight cybersecurity efforts across all \nGovernment agencies. President Trump recently eliminated that \nposition. That is the position Mr. Daniel held in the Obama \nadministration. Will that help or harm Government\'s efforts to \nmake the country and especially the financial system more \nresilient and stronger against cybersecurity threats? Are you \nconcerned about that?\n    Mr. Daniel. Well, yes, I am, Senator. 
I think the reason \nthat position was created was because, as a very new policy \narea, we need to drive better coordination across all the \ndifferent parts of the Federal Government that have a role in \ncybersecurity, and so I believe that having a strong leadership \nat the White House level is a real necessity right now.\n    Senator Brown. Do you know why he eliminated it?\n    Mr. Daniel. I do not. I presume that they were looking for \nways to streamline the bureaucracy on the NSC staff. At least \nthat was the statement that was given. But I am not sure of the \nreasoning behind it.\n    Senator Brown. OK. Thank you.\n    Mr. Sydow, you talked about workforce shortages in my \noffice this week and then in your testimony, and this is not \nreally a question, but as evidenced by the look of this panel \nand, frankly, the look of most of us up here, as evidenced by \nthe fact that, of the 30 largest banks in this country, there \nis a female CEO only at KeyBank in Cleveland. We do not really \ndo a very good job in financial services and technology at \nbringing a more diverse workforce, one of the reasons, clearly, \nthat we all face--that you and we face workforce shortages and \nattracting people, as Mr. Sydow pointed out. So I hope that we \nall pay more attention to STEM programs for women and for \npeople of color. We will bring more qualified people in, give \nmore opportunities, and, frankly, have more diverse \nperspectives in the way we all do our jobs.\n    Thank you, Mr. Chairman.\n    Chairman Crapo. Thank you.\n    Senator Rounds.\n    Senator Rounds. Thank you, Mr. Chairman.\n    Mr. Daniel, I would like to more or less just visit with \nyou for a little while, and I would love input from the others \nas well. I have the opportunity to serve as the Committee \nChairman on a Subcommittee for the Department of Defense\'s \ncybersecurity. I am just curious. 
Along the same lines as \nSenator Brown has indicated, that there had just been a change \nin which we do not have anybody at the White House who is \ndirectly responsible for the cyber defense, I am just curious. \nYou have had the opportunity to work at the Federal level. Now \nyou are part of a nonprofit organization that represents a \nnumber of different financial institutions.\n    In February of last year, the Department of Defense\'s \nScience Advisory Board put out both a classified and an \nunclassified version, not very long, 26, 27 pages, explaining \nthe need for our country to have not only a strong--the ability \nto attribute where attacks from outside the country were coming \ninto the country, but it also identified that we would not have \nthe capability to keep people out of our critical \ninfrastructure if they wanted to get in, both organized crime \norganizations but also other near peer competitors, nation \nstates.\n    Along with that, it indicated that for the next 10 years we \nwould be at risk and that one of the best approaches we could \ndo would be to make it very expensive for those organizations \nto get into our financial institutions--in fact, any of our \ncritical infrastructure. But it also made the point that we had \nto have a very strong offensive capability as a deterrent, \nsimilar to a nuclear deterrent today.\n    I would like to know, right now at the financial \ninstitutions level--and you work with a number of them--do you \nbelieve that we have a model in place today on a voluntary \nbasis, which I am in favor of, but one in which we are at the \nsame level across the different institutions that can then be \nprotected almost in an umbrella-like position by Homeland \nSecurity capabilities, Department of Treasury capabilities, and \nthen we will talk about DoD capabilities. But just your \nthoughts on that and how they connect with the Federal \nresponsibilities.\n    Mr. Daniel. Sure. 
So I think you are very right that if you \nlook at our level of digital dependence, as I talked about, and \nparticularly in the financial services industry, clearly cyber \nthreats are a major problem that this industry has to be \ndealing with. I think when you look at the nature of the \nthreats that they face, it is going to--anybody that tells you \nthey can give you, as several of the panel members said, a \nguarantee that you will not have any cyber incidents at all, \nthey are selling you snake oil. And what you can do, however, \nis manage that risk and drive that risk lower, and that \nrequires cooperation between both the Government and the \nprivate sector in some ways that we are not completely used to \nin the physical world. And I think it requires bringing all of \nthe capabilities to bear both from the private sector side and \nenabling good information sharing and coordination and \ncollaboration on the private sector side, but also within the \nGovernment, between, as you mentioned, the Department of \nTreasury, Homeland Security, Defense, State, Justice, and in \nbetween the Government and the private sector.\n    Senator Rounds. Let me bring this--because we are all going \nto be time limited today. Do you think the American public \ntoday thinks that with regard to their financial services, \ntheir assets, their checking accounts and so forth, do you \nthink they believe that the Federal Government has a role to \nplay in protecting those assets?\n    Mr. Daniel. I think they do.\n    Senator Rounds. Would it be fair to say that today Homeland \nSecurity has the ability to try and notify you and Homeland \nSecurity has the ability to try and assist in the defense? But \nwith regard to going outside, if the attribution indicates that \nit is coming from outside, is it fair to say that Homeland \nSecurity does not have the ability to respond offensively to \nstop those attacks before they actually occur?\n    Mr. Daniel. 
Well, I think that the ability to--it is a \nshared responsibility on the defensive side, and that is why I \nsay that you have got to do that good integration across all of \nthe different parts of the Federal Government that do have both \nthe network defense mission and the offensive mission.\n    Senator Rounds. Let me put it this way: If there had been \nan attack on an institution here and it was an attack--we have \na bombing and so forth, everybody would assume that the Federal \nGovernment has the first role in protecting against that. Would \nit be fair to also say that when it comes to cyber attacks, we \nhave a challenge in that we do not have the policy in place \ntoday to provide for that direct protection up front?\n    Mr. Daniel. Well, I actually do not believe that it is \npossible for the Federal Government to provide that same kind \nof protection in cyberspace that it does in the physical world \ndue to the way that cyberspace works. And I believe that it \nwill always be a shared mission between the private sector and \nthe Federal Government to achieve the level of protection that \nwe need.\n    Senator Rounds. Thank you.\n    Mr. Chairman, my time has expired, but I think this is a \nvery good meeting to start out that discussion. Thank you, sir.\n    Chairman Crapo. Thank you.\n    Senator Reed.\n    Senator Reed. Thank you very much. Gentlemen, thank you for \nyour excellent testimony. Also, let me as the ranking Democrat \nthank and commend Senator Rounds for his leadership on the \nCybersecurity Subcommittee. Thanks, Mike.\n    Senator Crapo, Senator Brown, thank you. This is a very \nimportant issue. One reason I think it is very important is \nthat I have legislation, S. 
536, the Cybersecurity Disclosure \nAct, bipartisan legislation with Senator McCain, Senator \nCollins, and Senator Warner, and it would simply require \ndisclosure by public companies, which is the usual tradition of \npublic companies, of whether they have a director who is a \ncyber expert or they have some other arrangement. We do not \nmandate what they do, but I think it is essential to have \npublic companies particularly tell their shareholders and the \nmarkets what they are doing at the highest level when it comes \nto this issue of cybersecurity. And you have described all the \ndifferent ramifications throughout your testimony.\n    But I would like to just focus for a moment, if I could, \nwith Mr. Daniel, and that is, Chairman Clayton was here a few \nweeks ago, Mr. Daniel, and he said:\n\n        I think cybersecurity is an area where I have said previously I \n        do not think there is enough disclosure in terms of whether \n        there is oversight at the board level that has a comprehension \n        for cybersecurity issues. That is something that investors \n        should know, whether companies have thought about the issues, \n        whether there is a particular expertise on the board or not, \n        that is something companies should know. It is a very important \n        part of operating a significant company. Any significant \n        company has cyber risk issues.\n\nAnd my question would be: Do you agree with that sentiment?\n    Mr. Daniel. Yes, I do. I think that the nature of \ncybersecurity right now is that we actually do need more \ndisclosure. We have an information asymmetry, if you will, and \nit is hard for markets to operate efficiently when there is \ninformation asymmetry. So steps that the Government can take to \nenable more investors, the public, and others to have more \ninformation about how companies are tackling the cybersecurity \nproblem I think is generally a good thing.\n    Senator Reed. 
And just a quick follow-up. You have noticed, \nI would guess--I do not want to put words in your mouth--\nvariable sort of attention to these details. There are some \ncompanies that have very sophisticated individuals on the Board \nor arrangements. There are other companies that are essentially \nfree riders. Is that true?\n    Mr. Daniel. Well, I think that this is an area where \ncompanies are still learning how to address the issue, and some \nindustries and companies have been way more forward-leaning \nthan others. So I do think it is true that the capability \nacross the board varies a lot.\n    Senator Reed. Thank you.\n    Mr. Sydow, again, thank you for your testimony. I was very \nstruck with the comment:\n\n        At Ernst & Young, we believe that boards must be \n        educated about cybersecurity so that they are able to \n        make appropriate decisions anchored in sound logic and \n        data. By doing so, boards will not only be protecting \n        shareholders, but they will be enhancing the company\'s \n        value.\n    And, interestingly enough, the Vice Chair of the Fed, Mr. \nQuarles, stated:\n\n        The idea of having a board member with cyber expertise, when I \n        have been on boards that had a board member with that kind of \n        expertise, that is an extremely useful--that has not just been \n        a nice thing to have. It has been extremely useful.\n\n    So, again, the basic theme, does this make sense to have \nthis disclosure provision so that boards have some expertise?\n    Mr. Sydow. Senator Reed, thank you for the question. I have \nbeen in this role about 5 years, and I have gone to a lot of \nBoard meetings, and I think there has been increasing \nimportance placed on cybersecurity in those discussions, and \noften there is a challenge between the translation between the \ntechnical world and the business world at those meetings. And I \nthink that is something that--a gap that needs to be closed. 
\nHowever, in my remarks I also said to you that there is a \nshortage of qualified cybersecurity professionals, especially \nthe people that can make that translation. So as long as you \nhave flexibility in that and allow the boards ways to get \naccess to those kind of individuals, I think that makes sense.\n    Senator Reed. Indeed, this legislation is not prescriptive. \nIt is simply, ``Tell us what you are doing. In fact, tell your \nshareholders and the markets what you are doing,\'\' which I \nthink makes a great deal of sense.\n    One of the reasons, among many, as Ranking Member of the \nArmed Services Committee, we had the general officer in charge \nof TRANSCOM, all of our transportation assets, and in an \ninternational crisis, he would be responsible to move people by \naircraft, by sea, all of our military personnel to get the \nmission done. And he just said, volunteered that he talked to \ncybersecurity officers and companies that have no dialogue with \ntheir directors. And I can assure you that if something \nhappens, probably the first strike will not be a kinetic strike \nagainst the military. It will be a cyber strike against this \ninfrastructure of movement, logistics, et cetera. So this is \nanother reason why I think we really do have to have some \nlegislation like we are proposing.\n    So thank you all very much, gentlemen. Thank you, Mr. \nChairman.\n    Senator Brown. [Presiding.] Senator Heitkamp.\n    Senator Heitkamp. Thank you, Ranking Member Brown, and \nthank you for having this hearing. I think it is critical that \nwe have the ongoing conversation.\n    A couple points to begin with. I think the American public \nhas given up, and I think that there is a huge variance between \nunderstanding privacy and understanding cybersecurity. They are \nnot the same thing. And, you know, so most Americans say, look, \nI no longer believe that I have privacy. I do not know that you \ncan regulate this. 
I do not know that you can control this. But \nthey definitely want cybersecurity.\n    And so one of the things that I believe as a former law \nenforcement official is that, you know, you can have all the \nmost sophisticated law enforcement equipment, surveillance \nequipment, but you have got to teach people to lock the door. \nYou have got to teach people to lock their car. You have got to \nteach people to pay attention, maybe put some surveillance \nequipment of their own. And so I talk about cyber hygiene and \nthe role that cyber hygiene should play either with employees, \nnot just, you know, at that level of the people sitting on the \nboard, but at every level being trained and understand the \nchallenges, but also with membership or clients or patients, \nwhat role do they play? What role do vendors play?\n    We all harken back to what happened with Target. The Target \nbreach was related to a vendor and a back-door worm that came \nin. So how do we build better resiliency, cyber resiliency, \nwithin the community, writ large, within all users, so that \nthey understand that there are simple things that they can do \nthat will help protect the cyber system, protect our overall \nsystem, while we are looking for that iron dome--let us put it \nthat way, that iron dome that is going to make what we do \nimpenetrable--which, quite honestly, I am not convinced you are \never going to get an impenetrable iron dome. And I think that \nthe fault lines are always going to be at that lower level.\n    So someone, anyone on the panel who wants to take on the \nissue of cyber hygiene and what we should be doing here to \nencourage it, to educate, to move this issue of every user \nneeds to be informed on how we protect ourselves from a cyber \nattack as a country as a whole, kind of a ``lock your door\'\' \nstrategy.\n    Mr. Venables. Thank you, Senator, for the question. I will \ngo first, and then others can chip in. 
I think you raise an \nextremely important point. I think in many respects we need to \nfocus on basic cyber hygiene to make sure the easy attacks \ncannot be successful so we can focus our energy on the most \nsophisticated attacks. And I think it is the responsibility of \nall companies not only to make sure their employees and their \nown infrastructure is protected, but also to educate those \nemployees and to educate our customers. I think this is a \npartnership that we can do between Government and the private \nsector to educate everybody around what best practices they can \ndo to adopt the right controls for----\n    Senator Heitkamp. I really do believe, as a former kind of \ncustomer protection/consumer protection advocate, that people \nwant the tools. They want to understand how to do this. What \ncan we do to provide easier accessible tools to lock the door? \nMr. Nelson.\n    Mr. Nelson. Yes, thank you. Just to give a plug for the \nmulti-State ISAC, it is a State and local Government ISAC, and \nthe \nOctober Cybersecurity Awareness Month, they produce every month \na cybersecurity newsletter. It is white-labeled, so you can \nput it on your company\'s letterhead, give it all to your \nemployees. It is a great effort. It has been going on for a \ncouple years, and we all kind of get geared up for that month \nin October to educate consumers.\n    So there are some efforts underway. It is a Government \ninitiative, too, at the Federal level and the State level.\n    Senator Heitkamp. Mr. Daniel?\n    Mr. Daniel. Thank you, Senator. I also think that it is \nincumbent upon the industry, the cybersecurity industry, to \nmake that cyber hygiene and the cybersecurity that you talk \nabout as simple as possible for consumers to do. You know, for \nexample, right now our guidance out to consumers is to have a \n16-character password that is not any actual words in the \nEnglish language, that has all sorts of----\n    Senator Heitkamp. 
And, you know, for a spreadsheet full of
media passwords, they are all going to be different, like
really?
    Mr. Daniel. Yes. And we need to get much better at enabling
people to have very simple ways to do their cybersecurity. Sort
of the analogy I use is that we make it very simple for people
to use seat belts when you get in a car, and we do not expect
you to answer questions about whether or not you want the
antilock brakes to work. And so I think we need to try to find
the same, similar kinds of solutions and approaches in
cybersecurity.
    Senator Heitkamp. What grade would you give us right now in
terms of how protected we are in a cyber hygiene world?
    Mr. Daniel. Well, I think we are certainly better off than
where we were, say, you know, 5 or 6 years ago. So we certainly
have made a lot of improvements. The problem is the bad guys
keep improving as well. So I think that we still have a long
way to go.
    Senator Heitkamp. Just a couple more comments, if that is
OK.
    Mr. Kessler. Certainly, educating all Americans, as you are
suggesting, is important but a monumental task. We try to
approach it by educating our internal employees not only how to
properly handle customers' information but their own, and then
we attempt to engage with our customers when there is an event.
For example, I think where you are going is if somebody is
willing to buy gift cards in order to pay the IRS, there is a
problem there. And how can we communicate to folks that this is
not something they should be doing?
    I like the notion of a Cyber Education Month, and one of my
peers here suggested including cybersecurity education in
curriculums in higher education and in other parts of our
academic--our normal education, which I think is a really good
idea. Thank you.
    Senator Brown. Senator Cortez Masto.
    Senator Cortez Masto. Thank you. Thank you also.
This is
such an important conversation, and we have been having this, I
know, on various committees that I sit on. I appreciate the
discussion today.
    Let me say, you know, about 10 years ago, I remember
sitting with our Nevada Banking Association, and we were
talking about how we guard against identity theft. Now, 10
years later, we have a proliferation of cyber threats and
attacks that we had not even contemplated at that time. But I
was struck, Mr. Daniel, by your comment to Senator Rounds that
this cyber infrastructure is a little different and how we
manage the enforcement and collectively address these issues.
And it is not just Government's role to comment. It is
everybody's role now to play a part in addressing the cyber
infrastructure and protecting against cyber threats. And I
think that is important for everybody to understand. That is
the first time I have heard somebody say that. And it is. It is
important because it goes back to this issue that we have been
talking about. Everyone has a role in education. To me,
education is the first step in prevention. But everybody has
that role in education. Everybody has a role in the
coordination and the information sharing. When I say everyone,
from Government to the private sector, the consumer, everyone
has a role, and the businesses as well. And then the workforce
shortage that we have, that I have heard here as well, we can
all play in this discussion.
    Let me follow up on a couple of comments that were made.
One of them, Mr. Kessler, you talked about the need to pass
legislation that encourages information sharing. Can you go
into a little bit more about that and what you are talking
about? Who is sharing the information? What type of information
are you referring to?
    Mr. Kessler. Sure. Thank you very much. As a community bank
and a smaller institution, we would benefit from a lot of what
Mr.
Daniel has already talked about in terms of the sharing of
indicators of threat throughout the industry. So as another
bank identifies something, they would share it, and we would
automatically protect against that.
    There are challenges today, when I talk to my service
providers and ask them are they participating with FS-ISAC, the
answer is yes. Are they sharing threats in real time? I often
get the answer no, and the cited reasons are they have
confidentiality agreements with us, they have privacy
requirements, all things that we all agree are absolutely
valuable and essential, but at the same time, from my point of
view, are preventing us from receiving some of that threat
intelligence that would help us to further protect the
customer's privacy.
    Mr. Nelson. I would like to comment on that. I think one of
the great things about the FS-ISAC is you can share anonymously
on the portal, so I would encourage your third-party processor
to get in touch with me, and we can work on that. We get legal
objections all the time. A lot of times we first get involved
in the FS-ISAC, you think, ``Oh, my name is going to be in the
paper tomorrow if I share.'' Well, it does not happen. We have
pretty good controls around that information. It is not shared
with attribution. In fact, every time there is an attack, our
members are sharing online real-time. In fact, I was visiting a
CISO in Charlotte, North Carolina. You can guess which one.
There are a couple big ones there. And I was meeting with him,
and he had to leave to go into a special meeting for an attack
that was occurring. I whip out my BlackBerry or at that time I
guess it was my iPhone, looked at it, and there was the alert
already. I did not say where it was coming from. I knew it was
from him. So it was happening that fast while they were
actually in a war room handling the attack.
    So it can occur. It is just getting the right people.
And
lawyering up is not the answer. The answer is talk to us, let
us get involved in it, and it is a pretty good voluntary
system. We get lots of members sharing information. We have
other third-party processors that are sharing.
    Senator Cortez Masto. Thank you. So I would be interested
in knowing at the Federal level if there is legislation that
actually needs to be introduced or if it is more just
communication and working together.
    I know my time is running out, but we are talking a lot of
acronyms here as well. FS-ISAC, can you explain a little bit
more what that is? And I recognize, I come from Nevada, I am
not so sure we have that type of coordination. I know it is on
the coasts, but I am not sure it is happening in every single
State, or there is that collaboration.
    Mr. Nelson. It is happening in every State. It is happening
in 44 countries. We have 7,000 companies that are members now.
It was interesting. In 2014, Senator Crapo mentioned that was
the year of the data breach. It was also the year that the
FFIEC, which is the regulatory agencies, the banking regulatory
agencies, like the FDIC, OCC, even the National Credit Union
Administration, and others, put out a policy statement saying
you should share information if you are one of our regulated
entities, and you need to belong to FS-ISAC. We
affectionately--
    Senator Cortez Masto. Which stands for and means?
    Mr. Nelson. Financial Services Information Sharing and
Analysis Center. And when that happened, we affectionately
refer to that as the membership tsunami started. We had 2,200
companies join that year, and we have been growing ever since.
When I started, we had 200 members in 2006, and it has just
been hockey stick growth the last few years.
    Senator Cortez Masto. Thank you. I know my time has run
out. Thank you very much.
    Senator Brown. Senator Jones.
    Senator Jones. Thank you, Mr. Chairman.
And thank you to
all the witnesses for being here. I agree that all of a sudden
everything that I am seeing up here, there is some element of
cybersecurity. It does not matter what committee I am on. It
touches everything. And I think you guys touched on this before
I got here, and that is the cyber workforce and trying to keep
pace with the demand.
    In Alabama, we have got Auburn University, which has got an
incredible facility. Their cyber research center, University of
Alabama in Huntsville, has one. And so we are doing our share
down there. But if you could, just expand a little bit on
challenges that are being faced because so many industries are
now competing for this workforce. And that is only going to
grow, I believe. It is only going to grow.
    And so what can we do, what can the industry do? What are
the challenges? Is there anything that we can look at in the
Senate and the Congress to try to help with increasing the
workforce for cybersecurity? I will just let you guys fight it
out. Who wants to answer?
    Mr. Venables. I can go first, Senator. I think it is a
really interesting question because I think while the backdrop,
we have to continue to encourage STEM education at all levels
to feed a solid technology and engineering workforce for the
Nation.
I
think also we have to not just focus on having trained and
dedicated cybersecurity professionals, but thinking across all
sectors from whether it is business risk management through to
engineering through to product design, in making sure and
encouraging in some way that every part of that, whether it is
vocational training, academic training, professional
qualifications, have an element of thinking about
cybersecurity, privacy, and other aspects of technology risk
and ethics about how we use technology.
    So I think while it would be very important to continue to
focus on creating more cybersecurity professionals, I think
most of us worry just as much about making sure that every part
of our workforce, both private and public, is equipped with the
skills to think about how to manage this risk as a core part of
their job.
    Senator Jones. That is good.
    Mr. Sydow. Senator, the other thing I think we can do is
expand the pool. Right now females only represent 9 percent of
the cyber workforce, and we have the same issue across
technology. We need to continue to encourage young ladies to
join the profession. I know at EY we do several things, Girls
That Code, other things to encourage organizations to get women
into the workforce. I think that would be helpful to expand the
base.
    Senator Jones. Right. We have done a pretty good job of
that in the political world because they are all running for
office this year. But I agree with you, that is incredibly
important. You know, Bishop State, I was down there visiting a
junior college recently, and Apple has a coding program that
they are working on with the students down there. I would
assume that cybersecurity is always going to be a part of that
as well. So thank you.
    I do not know if anybody else has anything on that, but if
not, I have got one more.
    Mr. Daniel.
Well, the only thing I would add, Senator, is
that I also think that we need to diversify our thinking about
what we mean about the cyber workforce. Just as in health care
not everybody is trained up to the same level as a neurosurgeon
specialist, we need to diversify our thinking about the levels
of training and who does what in the workforce so that, again,
we can also continue to expand that pool.
    Senator Jones. Perfect. Thank you for those. Those were
great answers. Thank you.
    I want to kind of follow up real briefly on something that
I think Senator Reed kind of touched on as well, and that is
the assessment of the risk, because I understand his bill to
try to get more information into investors and the marketplace
about cybersecurity at companies. But I am wondering if any of
you think that those ought to be--you know, something about
cybersecurity threats ought to be included in the risk. When a
business or, in particular, for instance, a municipality is
rated, bondholders often would look at a municipality, for
instance, as to whether or not that bond is going to be safe
because of cybersecurity. Is there a way that we should rate
using cybersecurity as well?
    Mr. Venables. I think there is a number of existing
disclosures that occur particularly for public companies as
part of their regular filings and risk disclosures, and
certainly all the requirements to disclose if major events,
particularly material events, occur.
    I think there is also a lot of work in the industry where
there is more and more public ratings of the outward appearance
of various different companies, and certainly I think a lot of
the big audit firms, as the gentleman from Ernst & Young
mentioned, working with us on various different standards
through the AICPA to be able to vet and independently assess
the level of security and risk in those companies.
I think it
would be interesting to further explore how that could be
married with other types of public disclosures so you get a
full picture of the risk of organizations. I think it is
certainly something there is a lot of activity on and probably
is worth future consideration.
    Senator Jones. Great. Well, thank you all very much.
    Thank you, Mr. Chairman.
    Chairman Crapo. [Presiding.] Thank you. Senator Brown has
one----
    Senator Brown. Yeah, one question. It is really a yes or no
question for Mr. Kessler. You talked about how important it is
to notify your customers. Did Equifax share information with
you about the breach in time to help your bank's customers?
    Mr. Kessler. No.
    Senator Brown. OK. Thanks.
    Chairman Crapo. Senator Warner, just under the wire. You
have got 5 minutes or less.
    Senator Warner. Thank you, Mr. Chairman, for that gracious
accommodation.
    [Laughter.]
    Chairman Crapo. We always appreciate you.
    Senator Warner. Mr. Venables, we have a lot of legacy IT
systems that are out there. Some of the systems are still
Fortran and COBOL. You know, how do we make sure, as we do
upgrades--and I understand the United Kingdom just went through
a complete meltdown when they tried to--one of their banks
tried to do an upgrade of their system. How are we thinking
through this issue as we think about 21st century cybersecurity
when we have got the legacy IT systems in place?
    Mr. Venables. Thank you, Senator. I think it is a
fascinating question because one of the things in my testimony
you are always keen to point out was cybersecurity is
tremendously important but it is not the only technology risk
society faces.
We have multiple different risks, not least
including how we continue to maintain and update legacy systems
to make sure those are equally protected with all the new
systems that we are building.
    One of the things that is interesting, I think particularly
most financial institutions, but I think many other large
corporations have pretty exacting standards for change
management, software quality assurance, standards for how they
apply preventative maintenance to systems to reduce exactly
that type of major project and major IT migration risk.
    The other thing that I think is worth pointing out as well
is while there is a tremendous amount of focus from the
financial regulators on cybersecurity, there is also still an
equivalent amount of focus on change management, software
acquisition and development, testing assurance, major project
risk management. In fact, there is a whole shelf full of FFIEC
IT examination handbooks, and quite a large number of them are
about project risk and major IT migration risk, and it is
certainly something that I think all major financial
institutions experience quite a lot of scrutiny over not just
cyber, but also their IT project risk management standards.
    Senator Warner. For a lot of these systems, the legacy
systems, frankly, the original software vendor may not have
continued to offer those systems, have not continued to upgrade
them, so there are these huge vulnerabilities?
    Mr. Venables. I think part of the challenge, again, not
just confined to the financial sector but across the world at
large, is making sure you stay up to date within some
reasonable window so that the older systems that may not be
supported by vendors, you are not exposed to risks from those.
So I think just like any other type of apparatus, you have to
invest in preventative maintenance and upgrades to keep
yourself within some window to manage that technology risk.
    Senator Warner.
Anyone can address this, but my concern is
because of the interconnectivity of all of your systems, aren't
you only as strong as your weakest link? If a single--if an
institution does not keep up, doesn't that make the whole
system vulnerable?
    Mr. Venables. Well, not necessarily an individual
institution, but certainly what we look at through the
organizations we have set up, like the FS-ISAC and the FS-ARC,
and also in work with the Department of Treasury and various
other initiatives, we are exactly looking for those systemwide
risks that could affect everybody that may be contributed by
one or more elements of that, and so we are definitely focused
on systemic risk.
    Senator Warner. I think this is probably outside the scope
of the whole hearing, but to me, when we do not have a single
data breach notification requirement, when we have an Equifax
making as gross an error as they did and no obligation to
report, or even when Yahoo has hundreds of millions outside the
financial system but that is not even reportable on a SEC
filing, they do not think it was material enough, I do not see
how these massive failures should not fall into at least the
level of a material disclosure in terms of SEC filings. So
what--and I think I am down to 47 seconds, the last question.
Maybe I will leave it at that and just come back to you
individually, because I would like to have gotten the more
macro approach of how we are going to get at this.
    I just came from another intel brief, classified brief.
This problem is going to only exponentially grow, and I am not
sure--one of the things I think particularly as we think about
from both the hardware and software side, if we think about
financial institutions, for example, that might be starting to
purchase ZTE and Huawei equipment, you know, the
vulnerabilities that we may be building into our systems
because we--and this is more the intelligence community's
responsibility--are not fully informing the financial sector
and other sectors of some of what we now call classified
problems that we have got to get out, is only going to get
much, much worse.
    So my apologies for getting here late, to the Ranking
Member, and my hope is I will have a chance to pursue some of
these conversations with you individually. Yes, sir?
    Mr. Nelson. Senator, I would like to comment. We at the
FS-ISAC, we are an information-sharing body, and we have people
embedded at a top secret level at the NCCIC, the National
Cybersecurity Communications and Integration Center, at DHS. So
we are seeing some of that, and when we get--when it is
relevant, actionable for a community, we are sharing it. Also,
FS-ARC is a subsidiary, and, Phil, you are involved in that.
They are doing it at a much more systemic level to see if there
is any systemic impact. So we have some of that in place. I
think we could do more.
    Senator Warner. My concern is, you know, virtually every
mid-sized to larger financial institution around should have
somebody that has got classified status and clearances
because--and this is where I am trying to push on the intel
side. The intel side has not been as forthcoming to the----
    Mr. Nelson. We could use a little bit of help in getting
more people classified quicker.
    Senator Warner. Well, the fact that there is a
74,000-person backlog is insane, and that is a national
security risk that----
    Mr. Nelson. I agree.
    Mr. Venables.
Yeah, we would certainly support a much
better clearance process to achieve that goal.
    Senator Warner. Right.
    Senator Brown. [Presiding.] Thank you, Senator Warner.
    All of us, every Senator, can submit questions to you, and
the questions are due Thursday, May 31st, a week, and please,
each of you, if Senators do submit questions in writing, please
respond to them as quickly as you can.
    This concludes the hearing. Thank you for being here today.
The hearing is adjourned.
    [Whereupon, at 10:43 a.m., the hearing was adjourned.]
    [Prepared statements and responses to written questions
supplied for the record follow:]
               PREPARED STATEMENT OF CHAIRMAN MIKE CRAPO
    Today, we will hear about cybersecurity in the financial sector.
    Today's witnesses come from a wide range of organizations, and can
provide us with insight on the threats faced by and the preparedness of
the financial sector when it comes to cyber.
    Four years ago, this Committee held a similar hearing where I noted
that a recently aired ``60 Minutes'' segment called 2014 ``the year of
the data breach.''
    Given the various data breaches over the past few years, most
notably the Equifax data breach last year, I am not sure 2014 still
holds that title.
    As our society increases its reliance on technology and becomes
accustomed to immediate access to information and services from
companies, the risk of--and the potential damage caused by--data
breaches continually increases.
    Americans are becoming more aware of the amount of information,
including personally identifiable information or PII, that is stored by
companies and there is a growing realization that this information can
be stolen or misused.
    The collection of PII by both the Government and private companies
is something that has long troubled me. Many question how both use the
data collected and how such data is secured and protected.
The
collection and use of PII will be a major focus of the Banking
Committee moving forward, as there is broad-based interest on the
Committee in examining this.
    Today, we will hear from our witnesses regarding cybersecurity and
about the risks to the financial services industry and its
preparedness.
    We have heard from many regulators before this Committee about
their focus on and oversight of cybersecurity and how it is critical to
the operations of companies and our markets.
    This is especially true for companies in the financial services
space.
    The financial sector itself is a main target for hackers because,
as many have said, ``that's where the money is.''
    Banks are under constant attack every day. Because of this, they
and other firms in the financial services industry have devoted
substantial resources to protecting information systems, and the
industry is widely viewed as one of the most advanced sectors in terms
of prioritizing cybersecurity.
    Today, I hope to learn more about: the risks to the financial
services industry from cyberattacks and cyber threats; the work being
done in the financial services industry to increase cyber readiness,
combat cyberattacks, and increase resiliency; and what more needs to be
done by the private sector and Government to help protect companies'
and consumers' information.
    It is critical that personal data is protected, consumer impact in
the event of a breach is minimized, customers' ability to access credit
and their assets is not harmed, and the financial sector is resilient
enough to continue to function despite a cyber breach at a financial
sector company.
                                 ______

                   PREPARED STATEMENT OF BILL NELSON
   President and CEO, The Financial Services Information Sharing and
                       Analysis Center (FS-ISAC)
                              May 24, 2018
    Chairman Crapo, Ranking Member Brown and other Members of the
Committee: Thank you for inviting me to testify at this hearing on
``Cybersecurity: Risks to Financial Services Industry and Its
Preparedness.'' My name is Bill Nelson and I am President and CEO of
the Financial Services Information Sharing and Analysis Center
(FS-ISAC), as well as Chairman of the Global Resilience Federation
(GRF) for cross-sector threat-intelligence sharing.
    At your request, I will cover the following topics:

  <bullet>  Current cyber-risks and threats that the financial-services
        industry faces;

  <bullet>  Efforts by the financial-services industry that are already
        underway in order to increase cyber-readiness, combat
        cyber-attacks and strengthen the industry from cyberthreats;
        and

  <bullet>  Proposed additional measures by public and private sectors
        to better protect companies' and consumers' information.

    Before I describe these, I want to provide background about the
role the FS-ISAC plays in the financial sector.
Three key takeaways I
would like to leave you with today:

  <bullet>  Despite a dynamic and ever-changing cyberthreat
        environment, the financial sector has invested heavily to
        protect the sector's assets and consumers' information from
        adversaries and cybercrime;

  <bullet>  The financial sector has collaborated effectively to
        enhance cyber-resilience; and

  <bullet>  The financial sector continues to benefit from strong
        public-private partnerships that enable cyberthreat
        intelligence to flow through the sector and improve sector
        detection, prevention, and response to cyberthreats and other
        risks.

FS-ISAC: Information Sharing to Fight Cybercrime
    FS-ISAC's mission is to help assure the resilience and continuity
of the global financial-services infrastructure and individual firms
against acts that could significantly impact the sector's ability to
provide services critical to the orderly function of the economy. As
such, FS-ISAC stands front and center in the face of continued
cyber-attacks against our sector. FS-ISAC shares real-time threat and
vulnerability information, conducts coordinated contingency planning
exercises, manages rapid-response communications for cyber- and
physical events, conducts education and training programs, and fosters
collaboration with and among other key sectors and Government agencies.
Think of FS-ISAC as a ``virtual neighborhood watch,'' where financial
institutions help keep an eye out for each other.
    FS-ISAC was formed in 1999 in response to Presidential Decision
Directive 63 (PDD 63) of 1998, which called for the public and private
sectors to work together to address cyberthreats to the Nation's
critical infrastructures.
After the 9/11/2001 attacks, and in response
to Homeland Security Presidential Directive 7 (and its 2013 successor,
Presidential Policy Directive 21) and the Homeland Security Act,
FS-ISAC expanded its role to encompass physical threats to the sector.
FS-ISAC is a 501(c)(6) nonprofit organization and is funded by its
member firms, sponsors and partners.
Rapid Growth Both Nationally and Globally
    FS-ISAC has grown rapidly in recent years. Today, we have about
7,000 member organizations of all sizes, including commercial banks,
credit unions, exchanges, brokerages and investment companies,
insurance companies, payment processors and professionals, and trade
associations. We also maintain close ties with other financial-industry
trade associations as well as select, trusted Community Emergency
Response Teams (CERTs) and Computer Security Incident Response Teams
(CSIRTs), law enforcement agencies, and other information-sharing
initiatives around the world.
    The FS-ISAC is based in Reston, VA. Because today's cybercriminal
activities transcend country borders, the FS-ISAC has expanded globally
and has active members in 44 countries. The FS-ISAC has over 100
employees and consultants in eight countries across five continents.
Financial Firms Respond to a Dynamic Threat Environment
    In many respects, the current threat environment feels like an
``arms race,'' and the financial sector has done a lot to enhance its
individual and collective capabilities. Each day, cyber-risk evolves as
attacks increase in number, pace and complexity. The financial sector
has invested significantly to detect, prevent and respond to
cyberthreats and other risks. Our member firms constantly adapt to this
changing threat environment. At the same time, malicious cyber-actors,
with increasing sophistication and persistence, continue to target the
financial-services sector.
These actors vary considerably, in terms of
motivations and capabilities, from nation-states conducting corporate
espionage or launching disruptive and even destructive attacks, to
advanced cybercriminals seeking to steal money and hacktivists intent
on making political statements.
    The financial sector (in addition to other critical-infrastructure
sectors) is increasingly concerned about the possibility of attacks
that could potentially undermine the integrity of critical data, or
lead to the manipulation or destruction of data. This growing threat
affects all institutions in our sector, regardless of size or type of
financial institution (e.g., bank, credit union, insurer, payment
processor or brokerage/investment firm).
Tactics Used by Adversaries and Criminals to Target Financial Firms
    There are numerous tactics that malicious cyber-actors use to
target institutions, including the following:

  <bullet>  Targeted spear-phishing campaigns, which are fraudulent
        emails that appear to be legitimate. These emails trick users
        into supplying sensitive information such as passwords that can
        result in the theft of online credentials and fraudulent
        transactions.

  <bullet>  Destructive malware attacks that impact the
        confidentiality, integrity and availability of data.

  <bullet>  Ransomware attacks, which involve malware that is
        downloaded and used to restrict access to an infected computer
        (often via encryption) until a ransom is paid (often in
        Bitcoin).

  <bullet>  Distributed-denial-of-service (DDoS) attacks, which can
        impede access to services for extended periods of time.

  <bullet>  Pretexting, which is built on a false narrative and
        establishment of trust to ultimately initiate unauthorized
        activity such as wire transfers.
        One form of this type of scheme is known as a ``business
        email compromise'' attack.

  <bullet>  Data breaches, which steal sensitive information including
        payment and account information.

  <bullet>  Supply chain threats.

  <bullet>  Insider threats.
Beyond Sharing: FS-ISAC and Financial Sector Resilience
    Driven by the direction of our membership, FS-ISAC performs a
number of key critical functions. We share threat and vulnerability
information; conduct coordinated exercises; manage rapid-response
communications for cyber- and physical events; produce education and
training programs; and foster collaboration with other key sectors and
Government agencies. We have greatly expanded our products and services
to members. In particular, we have devoted a large number of resources
to expand our services and tailor them to smaller financial
institutions and their service providers.
1. Information Sharing
    FS-ISAC enables its members to voluntarily and efficiently share
real-time threat and vulnerability information for cyber- and physical
incidents. We deliver timely, relevant and actionable cyber- and
physical threat information through email, web portal, telephone, and
automated feed alerts from various trusted sources and our members.
FS-ISAC maintains policies, procedures and controls to ensure that all
threat information shared by members is properly gathered, stored,
labeled and used in a manner that abides by related sharing agreements,
privacy protections, circles of trust, member operating rules, regional
requirements and governing laws.
    FS-ISAC cooperates with members and partner organizations,
including several public-private partnerships. These include
facilitating information sharing from Government partners to the
FS-ISAC community and assisting members in engaging Government and law
enforcement members when required.
For example, an FS-ISAC employee
participates in the watch floor of the U.S. Department of Homeland
Security's (DHS) National Cybersecurity and Communications Integration
Center (NCCIC), playing an important role in our public-private sector
information and analysis sharing.
The Basis for the Community: Circles of Trust
    We support numerous ``circles of trust'' based on roles (e.g.,
chief information security officers, business continuity executives,
payments professionals, compliance experts) and institutions (e.g.,
asset managers, broker dealers, clearing houses, community banks,
credit unions, payment processors). We host regular threat-information
sharing conference calls for members and invite subject matter experts
to discuss the latest threats, vulnerabilities and incidents affecting
critical infrastructure. We organize and coordinate numerous regional
member meetings, roundtables, workshops and other forums that allow
face-to-face exchange between members.
    Our largest trust circle--the Community Institution and Association
Council--includes thousands of community banks and credit unions that
actively share information about threats, incidents and best practices.
Since 2014, over 4,500 community institutions have joined FS-ISAC.
Within this Council, member discussions and participation increased 24
percent in 2017. In the last 12 months, the FS-ISAC's industry-focused
webinars on numerous topics, including protections against fraud,
threat-intelligence methods and cybersecurity tools, were attended by
nearly 20,000 attendees.
    In addition, FS-ISAC works with numerous national and State-based
financial and payments organizations, including the American Bankers
Association (ABA), Financial Services Roundtable (FSR), Credit Union
National Association (CUNA), Independent Community Bankers of America
(ICBA), National Automated Clearing House Association (NACHA) and
Securities Industry & Financial Markets Association (SIFMA), as well as
card payment associations, payment processors and State banking
associations.
2. Creating and Invoking Playbooks for Incident Response
    FS-ISAC maintains the financial-services sector's ``All Hazards
Crisis Response Playbook,'' which outlines the processes and
considerations for identifying and responding to significant threats or
events. As an example of sector-wide collaboration, this playbook was
developed in conjunction with many of our members and other industry
associations. We also lead sector-level crisis-response coordination
and manage the Critical Infrastructure Notification System (CINS) for
emergency threat or incident notifications to members.
Reducing Fear, Uncertainty, Doubt Through Media Response
    FS-ISAC seeks to reduce fear, uncertainty and doubt through sector-
level responses on significant cyber- and physical events. The FS-ISAC
Media Response Team was established in 2014, following highly visible
cyberattacks that impacted the financial-services sector and other
sectors like retail that were broadly reported in the press.
The Team's
mission is to accurately assess the actual current and potential risk
of cybersecurity events (as opposed to the potential media ``hype''
commonly seen) and leverage the FS-ISAC brand to properly respond to
media activity using a fact-based approach. The team also strives to
educate reporters and the public about cybersecurity and financial-
sector practices, concepts, and terminology.
3. Always Ready: Cyber-Exercises and Incident Response
    Exercises are a proactive step to practice plans, find and close
gaps, and better protect systems and communities. FS-ISAC began
conducting exercises in 2010 with the Cyber-Attack Against Payments
Systems (CAPS) exercises. FS-ISAC has since added exercises, such as
drills, to test the All-Hazards Crisis Response Playbook as well as
regional exercises. In 2014, we launched the ``Hamilton Series'' of
exercises in collaboration with the U.S. Treasury Department and the
Financial Services Sector Coordinating Council (FSSCC). These exercises
simulate a variety of plausible cybersecurity incidents or attacks to
better prepare the financial sector and the public sector for
cyberattacks. They also aim to improve public- and private-sector
policies, procedures and response capabilities. The ``Hamilton Series''
has included leaders from the U.S. Treasury Department, financial
regulatory bodies, the Department of Homeland Security and law
enforcement agencies. Starting in 2018, FS-ISAC added range-based
cyber-exercises for more technical, hands-on-keyboard experiences to
raise capability maturity levels and resiliency across the sector.
Collectively, these efforts build on the strong risk-management culture
within the financial-services sector, in conjunction with extensive
regulatory requirements.
    FS-ISAC has improved its ability to respond to major cyber- and
physical events, including emergency member calls regarding new
vulnerabilities and threats. The last call we had had over 3,000
participants.
4. Support for the FSSCC, Sheltered Harbor, FSARC, Regional Coalitions
        and Other Sectors
    FS-ISAC supports several programs, either through direct funding or
through subsidiary arrangements. These are outlined below.
Addressing Policy Issues: The Financial Services Sector Coordinating
        Council (FSSCC).
    The FSSCC was established in 2002 to coordinate the development of
critical-infrastructure strategies and initiatives with its financial-
services members, trade associations and other industry sectors. The
FSSCC works with the public sector on policy issues concerning the
resilience of the sector. Members include 70 financial trade
associations, financial utilities and critical-infrastructure financial
firms.
    FS-ISAC serves as the operational arm of FSSCC, providing
operational support of FSSCC initiatives. The FS-ISAC and FSSCC have
built and maintained relationships with the U.S. Treasury and Homeland
Security Departments, all the Federal financial regulatory agencies
(e.g., Federal Deposit Insurance Corp., Federal Reserve Board of
Governors, Federal Reserve Banks, Office of the Comptroller of the
Currency, Securities and Exchange Commission), and law enforcement
agencies (e.g., Federal Bureau of Investigation, U.S. Secret Service).
Many of these public-sector agencies are part of the FSSCC's public-
sector counterpart, the Financial and Banking Information
Infrastructure Committee (FBIIC), which is chaired by the U.S. Treasury
Department.
An Extra Layer of Security for Consumer Accounts:
    Sheltered Harbor. Sheltered Harbor was established in 2016 as an
LLC, operating under FS-ISAC's umbrella, to enhance the financial-
services industry's resiliency capabilities in the event of a major
disaster or event.
The concept for Sheltered Harbor arose in 2015
during a series of successful cybersecurity simulation exercises
between public and private sectors known as the ``Hamilton Series.''
    Sheltered Harbor is based on industry-established standards and the
concept of mutual assistance. Should a financial institution be unable
to recover from a cyber-attack in a timely fashion, firms that adhere
to the Sheltered Harbor standards will enable customers to access their
accounts and balances from another service provider or financial
institution. Sheltered Harbor members access specifications for common
data formats, secure storage (``data vaults'') and operating processes
to store and restore data and receive a Sheltered Harbor
acknowledgement of adherence to the specification. As of April 2018,
Sheltered Harbor membership covers more than 69 percent of U.S. retail
bank deposit accounts and 56 percent of U.S. retail brokerage client
assets.
Systemic Risk Reduction: Financial Systemic Analysis and Resilience
        Center (FSARC).
    The CEOs of eight U.S. Government designated critical
infrastructure firms--Bank of America, BNY Mellon, Citigroup, Goldman
Sachs, JPMorgan Chase, Morgan Stanley, State Street, and Wells Fargo--
came together to proactively identify ways to enhance the resilience of
critical infrastructure underpinning the U.S. financial system. The
result was the creation of the FSARC as a subsidiary of the FS-ISAC.
Shortly after the FSARC was founded, an additional eight financial
institutions, including the key financial market utilities identified
by the U.S. Department of Homeland Security as operators of essential
critical infrastructure, joined the FSARC as member firms.
    The FSARC's mission is to proactively identify, analyze, assess and
coordinate activities to mitigate systemic risk to the U.S. financial
system from current and emerging cybersecurity threats. This is
accomplished through focused operations and enhanced collaboration
between participating firms, industry and Government partners. Key
FSARC functions include:

  1)  Identifying operational risks associated with systemically
        relevant business processes, functions, and technologies
        underpinning the financial sector (collectively ``Identified
        Systemic Assets'');

  2)  Developing resiliency plans to address those risks;

  3)  Working with critical-infrastructure operators and the U.S.
        Department of Homeland Security, intelligence and defense
        communities to deliver strategic early warnings of attack on
        Identified Systemic Assets;

  4)  Working with law enforcement agencies to disrupt sophisticated
        malicious actors that may pose a systemic risk to the sector
        over time or may be targeting Identified Systemic Assets.

    Thinking Nationally, Acting Locally: Regional Coalitions. Financial
institutions in more than a dozen areas participate in the ``FIRST''
(Fostering Industry Resilience and Security through Teamwork) movement
through the formation of public-private partnerships focused on
homeland security and emergency management issues with the public
sector. Each coalition provides the opportunity for members to
collaborate with one another and with Government at all levels about
issues of resilience and security.
    FS-ISAC has established regional coalitions in the Northeast
(Connecticut, Maine, Massachusetts, New Hampshire, New Jersey, New
York, Rhode Island and Vermont), Mid-Atlantic (District of Columbia,
Delaware, Maryland and Northern Virginia) and California (San
Francisco, Fresno and Los Angeles). Through regional coalitions, FS-
ISAC learns the ground truth about the local effects of crises, while
the coalitions obtain national-level crisis and threat information from
FS-ISAC.
FS-ISAC also supports RPCfirst, an umbrella organization for
all of the regional coalitions across the Nation.
Cross Sector Collaboration and Sharing
    The FS-ISAC collaborates with other sectors, including the National
Council of ISACs (NCI). Formed in 2003, the NCI today comprises 24
organizations designated as their sectors' information sharing and
operational arms.
    Last year, the FS-ISAC spun off its Sector Services division into a
new standalone, not-for-profit called the Global Resilience Federation.
I serve as the chairman of GRF, which is an information-sharing hub and
intelligence provider. GRF develops and distributes cyber-, physical
and geo-political security information among not-for-profit ISACs,
ISAOs, CERTs and other information sharing communities across vital
sectors around the world. The company assists in the creation and
operation of ISACs and ISAOs, or, if requested, support for the
expansion of existing communities. This ``community of communities''
was founded by charter members--FS-ISAC, Legal Services Information
Sharing and Analysis Organization (LS-ISAO) and Energy Analytic
Security Exchange (EASE)--and has since been joined by National Health
ISAC, Oil and Natural Gas ISAC, Multi-State ISAC, Retail Cyber
Intelligence Sharing Center and National Retail Federation. As a
cross-sector hub that also works with Government and industry partners,
GRF facilitates and supports cross-sector intelligence sharing as well
as collaboration.
Regulatory Requirements and Risk Management Culture
    The financial sector has historically led the way in making
substantial investments in not only security infrastructure and highly
qualified experts to maintain the systems, but also in driving
collaboration across industries and with the Government. Financial
institutions recognize that customers trust them to protect their
investments, their records and their information. Individual financial
institutions invest in personnel, infrastructure, services and top-of-
the-line security solutions and protocols to protect their customers
and themselves, and to respond to cyber-attacks. These investments
protect the individual institutions and their customers, but on its
own, an individual institution generally only has the ability to
protect what is within its control. Financial institutions, however,
are interconnected to each other, with other sectors and with the
Government. This reliance on others gives the financial-services sector
a unique and critical role in the cyber-landscape and requires
coordinated action for the most effective response. Recognizing the
cyberthreat environment continues to expand in complexity and
frequency, and that individual institution efforts alone will not be
enough, executives from the financial-services sector have stepped up
efforts to work together.
Cybersecurity Practices Often Burdened by Regulation and Supervisory
        Oversight
    Financial institutions are subject to comprehensive regulations and
supervisory requirements with respect to cybersecurity and the
protection of sensitive customer information as well as business
resiliency. For example, Title V of the Gramm-Leach-Bliley Act of 1999
(GLBA) directed regulators to establish standards for financial
institutions to protect customer information. Pursuant to GLBA,
regulators have imposed broad information security requirements for
regulated financial institutions with strong enforcement authority.
In
addition to issuing regulations almost two decades ago, the Federal
financial regulators have issued extensive ``supervisory guidance''
through the Federal Financial Institutions Examination Council (FFIEC)
that outlines the expectations and requirements for all aspects of
information-security and technology-risk issues, including
authentication, business continuity planning, payments and vendor
management. Among the obligations to secure systems and protect data
under GLBA and supervisory guidance, financial institutions must:

  <bullet>  Develop and maintain an effective information-security
        program tailored to the complexity of their operations;

  <bullet>  Conduct thorough assessments of the security risks to
        customer information systems;

  <bullet>  Oversee service providers with access to customer
        information, including requiring service providers to protect
        the security and confidentiality of information;

  <bullet>  Train staff to prepare and implement information-security
        programs;

  <bullet>  Test key controls, systems and procedures, and adjust key
        controls and security programs to reflect ongoing risk
        assessments;

  <bullet>  Safeguard the proper disposal of customer information; and

  <bullet>  Update systems and procedures by taking business changes
        into account.

Many Regulations and Standards with Which to Comply

    Financial institutions must comply with cybersecurity requirements
and guidance from numerous regulatory bodies depending on their charter
and activities. What's more, depending on the type of financial
institution, organizations may have additional compliance and
nonregulatory standards; for example, institutions that handle payment
information also are required to comply with nonregulatory standards,
such as the Payment Card Industry Data Security Standard (PCI-DSS).
This adds to the compliance burden of financial institutions, as well
as that of merchants and other organizations that handle payment
information.
    Most recently, the FFIEC issued the Cybersecurity Assessment Tool
(CAT)--an assessment tool designed to help smaller institutions, in
particular, identify their risks and determine their cybersecurity
preparedness. The CAT provides a repeatable and measurable process for
financial institutions to measure their cybersecurity preparedness over
time and aligns with NIST's Cybersecurity Framework. In 2016, the
FS-ISAC and FSSCC leveraged the FFIEC's CAT to produce a ``crowd-
sourced'' version that incorporated automation to assist financial
institutions in utilizing the FFIEC document.
Recommendations to Further Protect Financial Institutions and Customers
    Finally, you asked me to describe what more needs to be done by the
private sector and the Government to help protect companies' and
consumers' information. For many years the financial sector has been
working diligently and collaboratively to make significant improvements
in five major areas:

  <bullet>  Enhance Information Sharing

  <bullet>  Improve Strategic and Tactical Analytics

  <bullet>  Improve Crisis Management Response and Coordination

  <bullet>  Improve Core Components of the Cyber Eco-system through R&D

  <bullet>  Improve Executive Communication and Advocacy

    The financial-services sector has made significant progress in all
of these. In so doing, the financial sector has developed strong
collaborative relationships with numerous Government agencies
(including law enforcement, DHS, Treasury, and U.S. regulatory
agencies). These efforts have enhanced the resiliency of the financial-
services sector.
We also have worked closely with other ``critical
infrastructure'' sectors (e.g., telecommunications, energy) to enhance
their capabilities and to address interdependencies.
    While we are making good progress, much more work needs to be done.
The following are four major recommendations. Some of these
recommendations were developed in collaboration with the Financial
Services Sector Coordinating Council (FSSCC) and publicly released in
early 2017.

    1. Encourage Regulators to Harmonize Cyber-Regulatory Requirements.
Given that financial institutions are subject to numerous regulatory
and supervisory requirements with respect to cybersecurity, protection
of sensitive customer information, business resiliency, penetration
testing, vendor management, etc., there is little need for additional
regulation in this space. Instead, there is a need to reduce the burden
of implementing regulations for financial firms. What the sector most
needs now is a focused and coordinated effort among State, Federal, and
global regulators to harmonize regulatory requirements. In so doing,
this is a good opportunity to leverage the National Institute of
Standards and Technology (NIST) Cybersecurity Framework.
    While regulatory requirements are a powerful and effective way to
ensure that financial institutions have adequate controls in place, a
growing challenge facing large and global financial institutions today
is the need for greater coordination and harmonization among the
regulatory agencies, within the United States and globally. This will
help financial firms keep pace with new threats, new financial business
process models, and the necessary skillsets to evaluate the
intersection of those two for security and resiliency purposes. A
common refrain we hear from senior executives and practitioners in
large and global firms is the need for regulators to harmonize
regulatory requirements at both the policy and examination levels to
reduce unnecessary regulatory compliance burdens and to better focus
limited resources to mitigate cyber-risks. In addition, it would help
if the U.S. Congress and Administration enacted a consistent and strong
data protection and breach notification law across State and national
platforms.
    Related to this recommendation to harmonize regulatory
requirements, we also encourage Congress and regulatory rulemaking
bodies to integrate cyber-risk assessment into the legislation and
rulemaking processes. Hence, Congress and regulatory rulemaking bodies
should weigh the implications of concentrating sensitive data that will
create new cyber-targets when evaluating potential legislation and
rulemaking. The potential aggregation of personally identifiable
information via the SEC Rule 613 Consolidated Audit Trail or retrieving
highly sensitive penetration testing and vulnerability data on
regulated institutions are examples of situations where care should be
taken to avoid creating new risks and creative solutions should be
sought collaboratively with industry.

    2. Leverage Authorities in the Cybersecurity Information Sharing
Act of 2015 (CISA) and USA Patriot Act of 2001 to Implement More
Effective Information Sharing Programs. FS-ISAC and others in the
financial sector supported the enactment of the Cybersecurity
Information Sharing Act of 2015 (CISA). CISA encourages sharing for a
cybersecurity purpose and includes incentives to entice entities to
share information, including protection from liability claims,
exemption from disclosure laws and regulatory use, and antitrust
exemption.
CISA enables sharing of information including: malicious
reconnaissance, methods to defeat controls or exploit vulnerabilities,
security vulnerabilities, malicious cyber-command and control,
exfiltration of data and other attributes related to cyberthreats.
    Mandated by the Cybersecurity Act of 2015, the Department of
Homeland Security (DHS) developed a system to automate the sharing of
threat indicators on a machine-to-machine basis. This system is called
Automated Indicator Sharing or AIS and was put into service in 2016; it
is free to use.
    AIS leverages two internationally recognized standards for sharing:
One is the data standard called Structured Threat Information
eXpression (STIX) and the other is the delivery standard known as
Trusted Automated eXchange of Indicator Information (TAXII). Threat
indicators include data like malicious IP addresses, email addresses
associated with ransomware, phishing or social engineering attacks,
known cybercriminal campaign information and much more.
    Representing its members, the FS-ISAC agreed to participate in the
Automated Indicator Sharing (AIS) program on a trial basis in 2016. We
have engaged in numerous collaborative technical discussions with DHS
and Treasury concerning the AIS program over the past 2 years.
    FS-ISAC and member firms have provided direct and consistent
feedback to DHS regarding the early implementations of the AIS program.
This feedback includes the need for DHS to strongly structure vetting
of AIS participants, the need to verify the integrity of data
transmitted and received within AIS, and the importance of providing
context around the information. DHS has indicated it has heard the
financial sector's feedback and is taking steps to incorporate that
feedback and has recently committed to delivering on improvements that
add context to indicators, include rated scoring of vetted sources,
utilize the latest version of the STIX/TAXII standards, and the ability
for AIS recipients to screen sources and receive data only from sources
that each recipient approves.
    We also encourage our U.S. Government partners to improve response
time and the quality of shared information and analysis and to
prioritize essential ``lifeline'' sectors in planning and event
response. Focus Federal resources to assist those sectors whose
operation is fundamental to the national defense and economy, such as
financial services, electric power, and telecommunications, to mitigate
against cyberthreats and to help in recovery. Continued private-public
collaboration is required to develop the list of cyber-defense
capabilities that can be used to respond to a significant cyber-
incident affecting the Nation's critical infrastructure. Ensure that
the relevant members of the lifeline sectors receive the appropriate
security clearances. Also, seek improvements in sharing classified
information, passing clearances and collaborating with the private
sector in a classified environment. Together with the communications
sector and the electricity subsector, FS-ISAC led the development of a
playbook for lifeline sectors, completed earlier this year. We began
drilling it during Cyber Storm and the National Level Exercise and plan
a Hamilton Series tri-sector exercise for it in the fall. One of the
next steps involves expanding the lifeline sectors for which it would
be applicable. Another is ensuring that the tri-sector playbook
connects with plans the Federal Government would use during a
significant incident. The U.S.
Departments of Treasury, Homeland
Security and Energy have seen the playbook, though further Government
socialization and coordination remains.
    In addition, we encourage the U.S. Government to invest further in
financial services-supporting infrastructure and risk-based cyber R&D.
To ensure strong investment in the cybersecurity and resiliency of key
Federal organizations, processes and systems essential to the
functioning of the financial services system, it's important for the
U.S. Government to assign clear responsibilities and significantly
increase resourcing for efforts to detect, analyze and mitigate
cyber threats to the financial system. This includes a dedicated effort
within the Intelligence Community and an operational-level contingency
planning, indications/warnings, and exercises program. It's important
to fund cybersecurity defense and R&D initiatives commensurate with the
risk that cybersecurity threats pose to the Nation's security,
including funding to identify risks and mitigation techniques for
emerging Internet of Things (IoT) and quantum computing technologies.
    Finally, we encourage the Financial Crimes Enforcement Network
(FinCEN) to provide greater clarity on legal protections for financial
institutions that want to share information in accordance with the USA
Patriot Act. On November 30, 2016, FinCEN participated in a FS-ISAC-
sponsored webinar about information sharing on suspected money
laundering. This interaction helped anti-money laundering (AML)-
regulated financial institutions better understand FinCEN's views of
the potential risk mitigation opportunities available by sharing
information about suspected money laundering under section 314(b) of
the USA Patriot Act. Since the webinar, many of the financial
institution executives who participated in the webinar, which was open
to all AML-regulated financial institutions, have asked for written
confirmation of the information that FinCEN officials provided
verbally. Financial institutions indicated that written confirmation is
necessary to encourage financial institutions to leverage the authority
provided under section 314(b) of the USA Patriot Act. If FinCEN
provides written guidance about what suspected money laundering and
terrorist financing information can be shared with an association of
approved financial associations under the USA Patriot Act Section
314(b), then financial institutions that are members of an approved
314(b) sharing information association would file Suspicious Activity
Reports (SARs) with more actionable information. In turn this might
enhance the U.S. Government's efforts to investigate, extradite and
prosecute transnational cyber criminals.
    FS-ISAC provided a list of six questions and our understanding of
the answers to FinCEN on numerous occasions and is still waiting for a
response. FS-ISAC would like to request that FinCEN publicize the
answers so financial institutions can reference these answers. This
would provide financial institution executives with much needed
assurances of FinCEN's views and thus encourage greater information
sharing about suspected money laundering by financial institutions
pursuant to section 314(b) and other U.S. laws that authorize the
sharing of suspected money laundering and suspected terrorist
financing.

    3. Establish Cyber-Deterrence and Response Capabilities and
Encourage Adoption of Global Cybernorms. The Congress and
Administration should articulate how the U.S. Government will respond
to certain types of attacks and how these actions might impact the
financial-services sector and other critical infrastructure sectors.
The U.S.
Government should also increase efforts to extradite and
prosecute cyber criminals. Attacks on the financial services industry
and critical infrastructure should be considered a violation of an
explicit global norm; violations of this norm should be pursued
vigorously. The U.S. Government should also enable and expand cross-
sector, real-time and actionable cyber threat information sharing and
situational awareness. The U.S. Government should also continue to
engage with the global community to develop and adopt international
norms of behavior that discourage targeting of financial institutions
and other critical-infrastructure sectors.

    4. Support Efforts to Develop a Technology-Capable Workforce. The
U.S. Government should partner with the private sector and academia to
develop education and training programs to meet the business needs of
today and tomorrow in addressing the significant shortage of
cybersecurity professionals and the education system in producing
enough skilled cybersecurity professionals.
CONCLUSION
    The financial sector has made a significant investment in
cybersecurity, risk reduction and resilience. However, threats,
vulnerabilities and incidents affecting the sector continue to evolve.
Individual firms have responded by making significant investments in
technology and risk reduction improvements at their respective
companies. Collectively, the sector has made improvements in
information sharing and made strides in focusing on systemic risk,
mutual assistance, enhanced resiliency and consumer protection. While
more needs to be done, including additional collaboration with
Government and global partners, the financial sector is making good
progress and on balance has invested heavily to protect the sector's
assets and consumers' information from adversaries and cybercrime.
                                 ______

[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]


                  PREPARED STATEMENT OF PHIL VENABLES
             Chief Operational Risk Officer, Goldman Sachs
                              May 24, 2018
    Chairman Crapo, Ranking Member Brown, and other Members of the
Committee, thank you for inviting me to testify at this hearing on
Cybersecurity: Risks to Financial Services Industry and Its
Preparedness. I appreciate the Committee's focus on such an important
issue. My name is Phil Venables; I am the Chief Operational Risk
Officer of Goldman Sachs. I have been with the firm 18 years, and for my
first 16 years at the firm I was Chief Information Security Officer
before moving into a wider role in our Risk Division.
    Today, I am going to provide my perspective on the cyber-threats
the financial sector faces, the broader technology risk landscape, the
need for shared defenses and what can be done to keep improving the
security and resilience of the financial system. A number of factors
are contributing to increased inherent risk across the sector
including, but not limited to, the increased digitalization of
financial services and the globally interconnected nature of the
financial system.
The same trends that are increasing benefits of a \nglobal financial system are also bringing on these new and enhanced \nrisks.\n    First on threats, it will probably come as no surprise that the \nfinancial sector, globally, is targeted by a wide range of \ncybersecurity threats including from organized criminal groups with \nfinancial motivation as well as nation states for a broad array of \nreasons.\n    Additionally, it is worth reminding ourselves that cybersecurity is \nnot the only risk to information or technology systems. Risks posed \nfrom software errors, misconfiguration, outages and other resiliency \nissues can also cause as much impact as cybersecurity events.\n    It is critical to have shared defenses across the financial sector \nso that all institutions, large and small, can learn from each other\'s \nbest practices and so that threat information can be shared among \nfirms, reducing the likelihood attackers can execute their strategies \nwithout response.\n    We have a long history of robust information-sharing processes, \nwith the FS-ISAC acknowledged as a preeminent example of such \ncapability. Additionally, we have established tighter coupling between \nsystemically important institutions through the Financial Systemic \nAnalysis and Resilience Center, the so called FS-ARC. In addition, the \nsector\'s coordinating council under the Department of Treasury\'s \nleadership have proved instrumental in increasing sector resilience. \nFormalized sector-wide drills and exercises have spawned other \ninitiatives, like Sheltered Harbor--an approach for firms to ensure the \nmaintenance of immutable data vaults.\n    Turning our attention to regulators and regulation, we benefit from \na number of strong regulators across the financial sector that \nstipulate cybersecurity and other controls that reduce the risk of \nmajor incidents. This includes regular examinations and reviews. 
We \ncontinue to support the need for harmonization of regulation, \ndomestically and globally, and we commend the efforts to date on the \nuse of the NIST Cybersecurity Framework. Additionally, we should be \nwatchful for unintended detrimental consequences to cybersecurity from \nnoncybersecurity legislation or regulation.\n    Notwithstanding the strong relationship on this issue between the \npublic and private sectors, we continue to examine ways to enhance \ncoordination. For instance, there is room for improvement in the \nresponsiveness to financial sector Requests for Information. The \nestablishment of the DHS National Cybersecurity and Communications \nIntegration Center (NCCIC) in 2009 created the ability to have \nfinancial sector representatives in a cleared, collaborative space \nworking directly with partners from Government and other industries for \ncommon purpose. Collaboration,\nengagement, responsiveness, between and among DHS, other U.S. \nGovernment and industry partners continues to improve as relationships \nbuild and partners are better able to understand each other\'s \ninformation needs. 
We would propose that metrics be established between \nthe Government and financial sector to quantify and validate the flow, \nvalue and timeliness of information shared between the financial sector \nand public sector to quantify the state of these relationships.\n    Despite all this coordination and response to cybersecurity \nthreats, risk still remains and we need to continue to be vigilant to \nadjust the defenses of individual firms and the sector as a whole by \nmaking sure we adopt innovative approaches to protecting customer data \nand services as well as designing for resilience to reduce single \npoints of failure and single focal points of attack.\n    Finally, I would recommend all organizations that operate critical \npublic services or protect customer data adopt strong defenses and \nsecurity programs based on, at a minimum, the following approaches:\n\n    1. Integrate cybersecurity into the fabric of organizations--from \nbusiness risk management processes, strategy and product development to \nthe foundation of how the technology is built and operated, including \nplanning for resilience in the face of attacks. Sustaining \ncybersecurity is a first class business risk along with all other \nrisks--beginning with the Board and executive leadership and through \nall levels of the enterprise.\n\n    2. Improve capabilities amongst people, process and technology. \nThere needs to be continued emphasis on the embedding of controls into \ncritical technology products and services: we need secure products, not \njust security products. We should recognize that cybersecurity risk \nmitigation is not solely the responsibility of designated cybersecurity \nprofessionals but is, perhaps more importantly, in the domain of \nleadership, risk managers and engineers at all levels of organizations. 
\nI would support a national program to embed cybersecurity training into \nall academic and professional training and qualifications: we need more \nsecurity-minded people, not just more security people. I fully endorse \nefforts to deal with the shortage of trained cybersecurity \nprofessionals to help manage these risks, but I also note that there is \na wider issue related to the productivity of the cybersecurity \nprofessionals we already have and more needs to be done by Government \nand industry to improve tools, processes and the orchestration of \ndefense across multiple platforms to get the most out of those people.\n\n    3. Design for defensibility. Our goal should be to design our \ntechnology and information processing environments to be more \ninherently defendable and resilient in the face of attacks, and we have \nto keep examining our global supply chains for security issues and \nexcess concentration risk on specific services or geographies.\n\n    Thank you again Mr. Chairman for allowing me to provide this input \ninto this important process and we remain committed to assisting \nfurther as needed. I\'m happy to answer any questions you or the other \nMembers may have at this time.\n                                 ______\n                                 \n               PREPARED STATEMENT OF CARL A. KESSLER III\n        Senior Vice President & Chief Information Officer (CIO)\n                        First Mutual Holding Co.\n                              May 24, 2018\n    Chairman Crapo, Ranking Member Brown and distinguished Members of \nthe Committee, thank you for the opportunity to testify before you \ntoday. 
I am pleased that the Committee continues to place a focus on \ncybersecurity risks and their implications to the financial system, \nbusinesses, and consumers.\n    As Chief Information Officer of a holding company comprised of \nseveral mutual community banks, I will share the unique perspective of \ncommunity banks on cybersecurity regulation, information sharing, \ncommunity bank collaboration and customer transparency.\nCybersecurity Regulation\n    Two key regulatory changes have positively improved the approach of \ncommunity banks in managing cybersecurity risks. In the wake of the \nDodd-Frank Act reforms, supervision of our affiliate banks migrated \nfrom the Office of Thrift Supervision (OTS) to the Office of the \nComptroller of the Currency (OCC). The OCC has been consistent and \nadamant in raising all bank\'s readiness to address cybersecurity risks. \nTheir outreach and guidance have yielded vast improvements in the cyber \nposture of community banks. In the last few years, the Federal \nFinancial Institutions Examination Council (FFIEC) established the \nCybersecurity Assessment Tool (CAT) for evaluating cyber controls in a \nuniform way among depository institutions.\n    Both regulatory actions have created a firm, but fair, supervisory \napproach in responding to emerging threats. While some may question \nthese changes on the grounds of cost and a ``one size fits all \napproach,\'\' it is indisputable that regulatory oversight protects both \nthe banking system and the consumers. We have found that the regulators \napply the FFIEC CAT tool in a manner consistent with the risk a bank \nposes. I believe that cybersecurity defenses and monitoring systems are \nintegral infrastructure investments akin to those community banks have \ntraditionally made in physical security safety. 
I encourage this \nCommittee to continue its work with prudential regulators on these \nimportant matters.\n    With respect to OCC supervision and the advent of the FFIEC CAT, I \nunderstand both the perspectives of regional banks and community banks, \nhaving served in leadership capacities in both. I am pleased regulators \nuse the same information technology (IT) examiners and general \nframework at institutions of all sizes. These examiners possess a \nstrong understanding of cybersecurity risks and the controls deployed \nto protect banks and consumers. For any institution there is an \ninherent baseline of risk and a set of fundamental controls needed to \nprotect consumer information. The approach of using dedicated IT \nexaminers and practices fosters continuous improvement in preventing \nand detecting cybersecurity threats at institutions of all sizes.\n    At the same time, this approach also leads to ongoing dialogue with \nregulators. How much risk does our community bank present? What is most \ncritical for the protection of our bank, our customers and our \nfinancial system? How should cybersecurity investment dollars be \ndeployed? The FFIEC CAT helps institutions frame these risk questions. \nFirst, it provides a standard way to assess how much inherent risk an \ninstitution generates. Second, the FFIEC CAT provides guidelines for \nwhat controls might be appropriate to mitigate those risks.\n    After completing our holding company\'s assessment in 2015, we \nconcluded that our existing information security program was well-\naligned to the baseline expectations of the FFIEC CAT and, in fact, \nexceeded them. Subsequent actions focused our cybersecurity investment \nstrategy to attain compliance with our level of risk and to address new \nthreats as they arise.\n    Prudential regulation in conjunction with the FFIEC CAT is \nimportant to our bank\'s cyber readiness. Highly trained examiners are \ncritical to administering the CAT. 
Because of the nature of the threat \nenvironment and the rapidly evolving domain of cybersecurity controls, \nan exam is never a static, check-the-box activity. It is always a \ndynamic conversation. My recommendation to this Committee is to ensure \nthe consistent availability of highly trained IT examiners whose skills \nare in high demand in both the public and private sectors.\n    Another consideration for the Committee is to ensure that similar \ncybersecurity rigor exists among nonbank financial services companies. \nHow do we safeguard customer data at companies outside the oversight of \nprudential regulators?\nInformation Sharing\n    As the cyber threat landscape evolves, a critical enabler is timely \naccess to information sharing of active threats with community banks, \nthrough public and private partnerships.\n    To address the Committee\'s question of ``what more needs to be done \nby the private sector and Government to help protect companies\' and \nconsumers\' information,\'\' we must first identify where the significant \nrisks lie. According to the Independent Community Bankers of America \n(ICBA), 99.5 percent of all banks are community institutions, half of \nwhich have assets under $250 million.\\1\\ Almost all community banks do \nnot operate an in-house transaction processing center. In other words, \nmost community banks do not process customer transactions in their own \ndata centers. They rely on a network of third-party service providers \nto deliver banking services. 
While maintaining primary accountability \nfor safeguarding consumers\' information, we rely on third-party \nproviders including core processors, payments networks, and larger \nbanks.\n---------------------------------------------------------------------------\n    \\1\\ See ICBA Stats & Facts available at http://www.icba.org/go-\nlocal/why-go-local/stats-facts.\n---------------------------------------------------------------------------\n    Only a few core processors provide IT services, such as customer \ntransaction processing, mobile banking, and Bank Secrecy Act/Anti-money \nLaundering solutions. All banks interact through networks (ATM, debit \ncard, and ACH) which are the backbone of the payments system. Some \nlarge banks provide processing for community banks through white \nlabeled correspondent services. Although community banks represent the \nlargest segment of banks in number, the risks associated with \ntechnology operations are aggregated in the data centers of just a few \ncore processors,\\2\\ payments networks and large banks.\n---------------------------------------------------------------------------\n    \\2\\ The top three core processors hold a 70 percent market-share \nalthough how much of that is conducted in their data center versus the \nbanks\' data centers is unclear. https://bankinnovation.net/2018/02/\nfiserv-has-largest-u-s-marketshare-of-top-bank-core-processors/.\n---------------------------------------------------------------------------\n    Clearly, this concentration of IT services provides both advantages \nand challenges for managing community bank cybersecurity. The advantage \nis that through scale, the large service providers have more resources \nto address cyber threats. 
An additional benefit could also be realized \nif these providers acted transparently and shared cyber threat \ninformation with industry partnerships like the Financial Services \nInformation Sharing and Analysis Center (FS-ISAC) and with their \ncommunity bank clients.\n    Core processors are active acquirers of technology companies and \ncontinually roll out new products. Although a core processor\'s \ninformation security plan may be sound today, each new acquisition \nintroduces its own risk \\3\\ into the environment. Thus, risk is \nconstantly shifting within a core provider, and by extension to \ncommunity banks and consumers.\n---------------------------------------------------------------------------\n    \\3\\ In April, American Banker ran this story ``BankThink Banks are \nfrom Mars, fintechs are from Venus: Bridging the matchmaking gap\'\' by \nTerry Ammons which does a good job of representing the risks of a \nfintech acquisition; available at https://www.americanbanker.com/\nopinion/banks-are-from-mars-fintechs-are-from-venus-bridging-the-\nmatchmaking-gap.\n---------------------------------------------------------------------------\n    I know our core processor is reviewed regularly by the OCC and \nFFIEC. We have limited access to the results of these reviews. If a \nbank were in the center of a significant event like a contract renewal \nor if there were a security breach in the recent past, the bank can \nrequest additional information. Community banks also have access to \nthird-party audits conducted on a core processor\'s controls. Such a \nreport is limited and only communicates if a core processor\'s controls \nare deemed effective. The actual number of breaches is typically not \ndisclosed. Thus, a community bank must trust that if there is a \nsignificant pattern of breaches, its regulator will ensure that the \ncauses are identified and remediated. 
The only way to know if a breach \nhas occurred is if the bank is directly impacted or if the breach is \nsignificant enough to result in a news story that names a bank that \nhappens to use that same service provider. Although these third parties \nare the stewards of our customer\'s information, we have very little \ninsight into their overall security performance. In summary, law and \nregulation require banks to monitor closely the effectiveness of their \nservice provider\'s controls related to cybersecurity and protecting \nnonpublic customer information. The current system relies on a high \ndegree of blind trust in a service provider with limited transparency. \nThis opaque approach runs contrary to best practices in information \nsharing and vendor management.\n    To partially compensate for this lack of transparency, banks I \nmanage use a third party to track the information security performance \nof critical providers. My desire is more transparency in how service \nproviders protect our customer information. For example, one solution \nmight be to create a cybersecurity scorecard aggregating data from many \nsources including regulatory reviews. Such an approach must be \ncarefully weighed against a chilling effect on information sharing. \nThis scorecard, properly executed by a trusted third party, would \nenable banks to make better choices as they select vendors and create \npositive momentum toward control improvements.\n    It is important to explain what ``information sharing\'\' and \n``transparency\'\' mean to a community bank. The key for banks is that a \ncomprehensive ecosystem of financial services providers shares threat \ninformation in real time to an entity qualified to analyze, verify, and \ncommunicate it immediately to a bank where it can be used to adapt its \ncontrols.\n    FS-ISAC pioneered this kind of service and our bank was an early \nadopter. 
Upon validation of a threat by FS-ISAC, critical information \nsuch as the internet address of the attacker was automatically sent to \nour firewalls and blocked. This solution required our bank to setup a \nduplicative connection. Our ideal solution involves a close partnership \nbetween banks, our third-party service providers, a trusted third party \nand our security provider so that threats flow immediately to us via \nthe existing mechanisms we have in place. The goal is to respond in \nseconds or minutes rather than days or weeks.\n    The most critical factor in thwarting a cyberattack is speed. The \ntechnology continues to improve as machine learning and artificial \nintelligence become more prevalent. The technology though cannot act on \ndata it does not have. Important questions remain regarding if, when, \nand how businesses can share threat and/or breach information. In my \nconversations within the industry, there is still a great reluctance to \nshare information. Liability, contract and privacy concerns are the \nmost often cited reasons. I would suggest this is a good time to \nreexamine the effectiveness of cyber security law particularly as it \naffects information sharing. Timely information sharing is foundational \nto the industry\'s ability to combat a cyber threat. It may be \nworthwhile to require that service providers share threat and breach \ninformation with an authorized, trusted third party. In consideration \nfor this sharing requirement, this Committee could consider expanding \nsafe harbor liability provisions for third parties who meet certain \nstrict requirements. This would clearly enhance consumer information \nprotections.\nCommunity Bank Collaboration\n    I would like to share a few unique and not-so-unique actions we \nhave taken to help protect our customers. Established in 2015, our \nmutual holding company was founded on the belief that strong \nindependent banks play a vital role in our\ncommunities. 
As Ohio\'s largest independent, depositor-owned entity, we \nare faced every day with the cost, complexity and capacity required to \nimplement an effective information security program. We believe that \nour holding company model leverages these capabilities with our \naffiliate banks in a manner that they otherwise could not afford, \ndesign, or staff. In our three affiliations we have preserved a local \nbanking presence, improved security controls and done so at a minimal \nmarginal cost for the holding company. This proves the cost savings for \nindividual small banks is a game changer. We believe this is a real, \npractical example of the kind of collaboration envisioned by the OCC in \ntheir January 2015 paper ``An Opportunity for Community Banks: Working \nTogether Collaboratively.\'\'\\4\\\n---------------------------------------------------------------------------\n    \\4\\ https://www.occ.treas.gov/publications/publications-by-type/\nother-publications-reports/pub-other-community-banks-working-\ncollaborately.pdf.\n---------------------------------------------------------------------------\nCustomer Transparency\n    Finally, when talking about transparency and information sharing, \nwe tend to focus on companies and Government entities. In all instances \nhowever we need to put the consumer at the center of this discussion. \nWe are encouraged by the ability of technology to empower our \ncustomers. For example, many of us receive real-time alerts regarding \nour debit cards or when our credit report changes. I know this hardly \nseems to address ``what more needs to be done,\'\' but keep in mind it\'s \nalways about improving the speed at which we can detect and react to a \nthreat. Giving consumers the tools and access to information makes us \nall safer.\n    Transparency and information sharing with the consumer is \nparamount. A key challenge for banks is the complexity of customer \nnotification and privacy laws that exist today. 
While clearly needed, \nthe simplification and modernization of the relevant laws and \nregulations can enable information sharing and therefore enhance \nconsumer protections. Certainly, any solution must guard against \nshifting the liability to consumers from those who failed to protect \ntheir data.\nConclusion\n    Key takeaways:\n\n  <bullet>  Continue supporting the regulatory review process and the \n        FFIEC CAT\n\n  <bullet>  Encourage transparency regarding the effectiveness of the \n        security programs of the third-party service providers in our \n        financial system including nonbank entities\n\n  <bullet>  Review the effectiveness of current cybersecurity law with \n        a focus on information sharing\n\n  <bullet>  Review how the existing complexity of customer information \n        and privacy protections laws may be slowing down the exchange \n        of critical threat information\n\n  <bullet>  Encourage community banks to collaborate\n\n  <bullet>  Engage and empower the customer as a valued part of the \n        cybersecurity solution\n\n    The best way to protect consumers is to increase transparency and \ninformation sharing within the financial services cybersecurity \necosystem. This Committee can help move this forward by encouraging the \ntransparency of the performance of third-party service providers. You \ncan also help by passing legislation which further encourages \ninformation sharing so that active threats are identified and mitigated \nin minutes.\n    Thank you for the opportunity to testify before you today. I stand \nready to work with you in any way that I can to protect consumers and \nour financial system and look forward to answering your questions.\n                                 ______\n[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]\n\nRESPONSES TO WRITTEN QUESTIONS OF THE SENATE BANKING COMMITTEE \n                        FROM BILL NELSON\n\nQ.1. Mr. 
Nelson, in your written testimony you requested \ngreater clarity on legal protections for financial institutions \nthat want to share information in accordance with the Patriot \nAct. What clarity would you like to see?\n\nA.1. Under section 314(b) of the USA Patriot Act, financial \ninstitutions may share information when there is suspicion of \nmoney laundering and terrorist activity. This authority \nprovides financial institutions with an opportunity to reduce \nmoney laundering and terrorism financing. However, doing so \nnecessarily involves sharing personally identifiable \ninformation, such as names and account information.\n    In the absence of specific legal guidance regarding the \nmanner in which such information may be shared, banking \nattorneys have limited sharing to those instances in which \nmoney laundering or terrorist activity can be confirmed. It \nwould be preferable to share such information earlier in the \nprocess, but liability concerns preclude it.\n    For example, in the case of suspected money mule activity \nassociated with business email compromise, banks have \nquestioned FinCEN if payment information can be shared between \napproved financial institutions and an approved association of \nfinancial institutions under the safe harbor of section 314(b). \nFinCEN has\nresponded verbally that this information can be shared and \nencouraged the sharing to provide more complete information in \nSAR filing. FinCEN has not provided written guidance to this \nquestion. Sharing the information in this example by a large \nnetwork of FinCEN-approved financial institutions would reduce \nrisk to the financial institutions and their customers. Federal \nlaw enforcement would benefit from more complete SAR filing \ninformation that will lead to more effective investigations and \nprosecution of cyber criminals.\n\nQ.2.-Q.3. 
A year and a half ago, William and Margaret Frederick \nsold their home in Ohio so they could buy a home in Las Vegas, \nNevada. The couple expected to make a $216,000 profit on the \nsale. But, their real estate agent read a hacked email \nsupposedly from William--the fake email had three L\'s in Bill \ninstead of two--and sent the profit to the hacker. William was \n83 and Margaret 77. Someone stole the money they intended to \nlive on in retirement. Real estate transaction fraud is a \nproblem in Nevada and nationwide. Thieves wait for the right \ntime to impersonate a bank or realtor and send you different \nwire transaction instructions. Estimates are as much as $400 \nmillion a year in losses. What more can financial institutions \ndo to prevent thieves from stealing people\'s down payments, \nearnest money and even the entire home payment if someone is \nbuying a home for cash? Please identify the best\npractices for realtors, title agents and mortgage brokers? One \nway to protect consumer\'s information is to not collect it. For \nexample, why should merchants of any sort, including doctors, \ninsurance companies and utilities, require social security \nnumbers as part of their information or data-set on their \ncustomers? Should we limit Social Security numbers provided to \nmerchants?\n\nA.2.-A.3. In this example, it appears that criminals, using \nmoney mules to launder the funds, stole the money. When banks \ndiscover this type of potentially criminal activity they are \nrequired to file Suspicious Activity Reports (SAR) with FinCEN. \nWhile banks want to share this suspicious activity within a \nnetwork of FinCEN-approved financial institutions under the \nprotections of section 314(b) of the USA Patriot, some banks \nare reluctant to share this suspicious activity because FinCEN \nhas not provided written guidance. 
If banks had network \nintelligence about active money mule accounts in the Nevada \ncase, the money transfer to the criminals may have been delayed \nand investigated by the bank staff. A bank investigation could \nthen lead to the money transfer being stopped.\n    Closing attorneys, mortgage brokers and title companies \nshould be encouraged to join an ISAC for their industry. Given \nthat criminals change tactics regularly, it\'s helpful for \ncommunities to share information about these tactics and \neffective risk mitigation measures. This ``strength in \nsharing\'\' approach goes a long way in protecting the companies \nand their customers. In addition, collaboration with law \nenforcement agencies are also effective in educating the \ncommunity and sharing tips. For example, the FBI\'s Internet \nCrime Complaint Center (IC3) has published numerous \npublications, including this one in May 2017 on tactics for \ndefending against business email compromise (BEC): https://\nwww.ic3.gov/media/2017/170504.aspx. The recommendations below \ncome from the IC3 report referenced in the link.\n    Businesses with an increased awareness and understanding of \nthe Business Email Compromise (BEC) scams are more likely to \nrecognize when they have been targeted by BEC fraudsters. \nTherefore, they are more likely to avoid falling victim and \nsending fraudulent payments. Businesses that deploy robust \ninternal prevention techniques at all levels (especially for \nfront line employees who may be the recipients of initial \nphishing attempts) have proven highly successful in recognizing \nand deflecting BEC attempts. 
Some financial institutions \nreported holding their customer requests for international wire \ntransfers for an additional period of time to verify the \nlegitimacy of the request.\n    The following list includes self-protection strategies:\n\n  <bullet> LAvoid free web-based email accounts: Establish a \n        company domain name and use it to establish company \n        email accounts in lieu of free, web-based accounts.\n\n  <bullet> LBe careful what you post to social media and \n        company websites, especially job duties and \n        descriptions, hierarchal information, and out-of-office \n        details.\n\n  <bullet> LBe suspicious of requests for secrecy or pressure \n        to take action quickly.\n\n  <bullet> LConsider additional IT and financial security \n        procedures, including the implementation of a two-step \n        verification process. For example:\n\n    <bullet> LOut-of-Band Communication: Establish other \n        communication channels, such as telephone calls, to \n        verify significant transactions. Arrange this two-\n        factor authentication early in the relationship and \n        outside the email environment to avoid interception by \n        a hacker.\n\n    <bullet> LDigital Signatures: Entities on each side of a \n        transaction should utilize digital signatures. This \n        will not work with web-based email accounts. \n        Additionally, some countries ban or limit the use of \n        encryption.\n\n  <bullet> LImmediately report and delete unsolicited email \n        (spam) from unknown parties. DO NOT open spam email, \n        click on links in the email, or open attachments. These \n        often contain malware that will give subjects access to \n        your computer system.\n\n  <bullet> LDo not use the ``Reply\'\' option to respond to any \n        business emails. 
Instead, use the ``Forward\'\' option \n        and either type in the correct email address or select \n        it from the email address book to ensure the intended \n        recipient\'s correct email address is used.\n\n  <bullet> LBeware of sudden changes in business practices. For \n        example, if a current business contact suddenly asks to \n        be contacted via their personal email address when all \n        previous official correspondence has been through \n        company email, the request could be fraudulent. Always \n        verify via other channels that you are still \n        communicating with your legitimate business partner.\n\n  <bullet> LCreate intrusion detection system rules that flag \n        emails with extensions that are similar to company \n        email. For example, a detection system for legitimate \n        email of abc_company.com would flag fraudulent email \n        from abc-company.com.\n\n  <bullet> LRegister all company domains that are slightly \n        different than the actual company domain.\n\n  <bullet> LVerify changes in vendor payment location by adding \n        additional two-factor authentication, such as having a \n        secondary sign-off by company personnel.\n\n  <bullet> LConfirm requests for transfers of funds. When using \n        phone verification as part of two-factor \n        authentication, use previously known numbers, not the \n        numbers provided in the email request.\n\n  <bullet> LKnow the habits of your customers, including the \n        details of, reasons behind, and amount of payments.\n\n  <bullet> LCarefully scrutinize all email requests for \n        transfers of funds to determine if the requests are out \n        of the ordinary.\n\nQ.4. What other sorts of information should financial \ninstitutions or others STOP collecting?\n\nA.4. Financial institutions collect information to identify \nindividuals, assess credit worthiness and maintain security. 
\nThis detailed collection of personal information is required by \nlaw and regulation. This personal information is required to be \nprotected by the Gramm-Leach-Bliley Act of 1999 (GLBA) and the \nregulations issued by numerous financial regulatory agencies. \nFinancial institutions are examined by bank regulators to \ndetermine if the information collected is adequate and \nappropriate. Regulatory examiners also review the security of \nthis personal information in compliance with GLBA. Bank \nregulators may be more knowledgeable in answering the question, \n``what information should banks stop collecting?\'\'\n\nQ.5. What are the pros and cons of a Federal data breach law?\n\nA.5. I fully support handling data breaches in a manner that \nsafeguards customer data, addresses breaches expeditiously, and \nproperly involves law enforcement so as to bring bad actors to \njustice. One means of achieving this would be to create a \nFederal data breach law that would eliminate the possibility of \na plethora of regulatory and/or State laws on the subject, some \nof which would prove inconsistent and contradictory in part. \nThe current development of cybersecurity law is hindered by \nsuch problems, leading the financial sector to pursue efforts \nto harmonize such Federal and State laws.\n    One concern with a Federal approach is its possible effect \non smaller organizations, such as community banks and credit \nunions. A Federal law should not be tailored to the largest, \nglobal institutions, but should be flexible enough to apply to \nsmaller entities without burdening them.\n\nQ.6. How should Federal data breach laws coexist with other \ninternational laws?\n\nA.6. Whether regulatory, State, Federal, or foreign, \ncybersecurity rules generally, and data breach laws \nspecifically, should be reasonable, consistent, and harmonized. \nFirms will increasingly be subjected to the laws of many \nnations in the growing global economy. 
We must do our best in \nthis environment to facilitate the flow of commerce, while also \nprotecting consumer data and responding appropriately and \neffectively to any breach of that data. In this situation, NIST \nmay be able to play an important role.\n\nQ.7. Firms that fail to secure their data pay substantial \npenalties. Hundreds of hackers go to prison. The woman [Paytsar \nBkhchadzhyan] who hacked into Paris Hilton\'s accounts and stole \nher credit card information received a 5-year prison term. \nTaylor Huddleston (26) of Arkansas was sentenced to serve \nnearly 3 years for building and selling a remote access Trojan \n(NanoCore) to hackers. Can you give me some examples of fines, \npenalties and sentences for firms and individuals that engaged \nin cyber theft? Are these costs an appropriate deterrent?\n\nA.7. Aleksandr Andreevich Panin and Hamza Bendelladj were \nsentenced to a combined 24 years and 6 months in prison for \ntheir roles in developing and distributing the SpyEye banking \ntrojan, a powerful botnet similar to the ZeuS malware. Both \nhackers were charged with stealing hundreds of millions of \ndollars from banking institutions worldwide. The Department of \nJustice characterized SpyEye as a ``preeminent malware banking \nTrojan,\'\' which was used to infect over 50 million computers \nworldwide from 2010 to 2012, causing nearly $1 billion in \nfinancial losses to individuals and financial institutions \nglobally.\n    I support the sentences handed down in this case, which \nwere justified and tailored to deter other hackers. However, \nthe allure of stealing hundreds of millions of dollars while \nensconced in safe havens from which arrest and conviction are \nunlikely renders lengthy sentences, as well as fines, \ninsufficient deterrents. The relative ease and low cost of \ncyber crime is unlikely to abate without greater cooperation \namong international law enforcement agencies. 
Moreover, where \nnation states are involved, the Federal Government should play \na greater role in deterrence and enforcement.\n\nQ.8.-Q.10. Seventy-seven percent of cyber attacks come from the \noutside. Yet sometimes, figuring out who the hackers were is \nhard to figure out. Hackers can spoof evidence. They can embed \nother hackers\' tools. How big of a problem is figuring out \nattribution for hacks? Are there ways we can enhance \ninformation sharing between industry and the Federal Government \nto enable more rapid detection and response to cyber attacks? \nWhat tools or resources would make it easier for financial \ninstitutions to correctly attribute cyber-attacks?\n\nA.8.-A.10. Obfuscation techniques adopted by threat actors can \ninhibit timely and accurate attribution. Many cyber defenders \ncan be more interested in learning threat actor tactics, \ntechniques, and procedures which will help to detect anomalous \nactivity than the threat actor origin. Attribution for the \nprivate sector can be most helpful, however, in identifying \nadversary intent. Armed with knowledge of intent, the financial \nsector can put additional monitors on systems. Furthermore, \nwhile the private sector is reliant on many sources of \ninformation, Government is uniquely situated to assess intent \nwith the greatest credibility based on its intelligence sources \nand methods. Perhaps the most valuable way to alert the private \nsector about threat actor attribution and intent is through \ntimely declassification of intelligence, or to provide \nrequisite clearances and classified exchanges for industry \nprofessionals who can make security decisions within their \norganizations. Likewise, timely information on changes in known \nadversary methods and tools is also helpful in correctly \nattributing activity. 
Many financial institutions do not have \nthe resources to independently attribute cyber activity and are \nreliant on timely Government releases or attribution provided \nby vendors.\n\nQ.11. In 2015, French-language TV station, TV5Monde was \nsubjected to a significant cyber-attack which disrupted its \nbroadcast for several hours by Fancy Bear. These are the same \nRussian government and military hackers that hacked the \nDemocratic National Committee. Multiple television channels \nwent dark. Social media channels run by the broadcasters began \nto spew ISIS propaganda. The attack was the work of Russian \nhackers who pretended to be ISIS. Russian government hackers \nalso attacked the World Anti-Doping Agency, the power grid in \nUkraine and the French electorate with another document dump. \nHow significant is the threat to private businesses--from \nhostile foreign governments or terrorist organizations?\n\nA.11. Nation-state-sponsored activity is a top concern of \nfinancial firms. While the majority of the financial sector \nmost commonly sees criminal activity, the risk of impact posed \nby nation-state actors is much greater. Furthermore, cyber \ncriminals typically seek to steal funds, but have a vested \ninterest in keeping the financial infrastructure intact. Nation \nstates could have more nefarious intentions to disrupt the \nfunctions of the financial system in an effort to impact the \nU.S. economy. Businesses are reliant on the integrity of third \nparties and other critical infrastructure dependencies--such as \nelectricity, communications, water, etc.--in order to keep \ntheir businesses running. Nation-states have seemingly been the \nmost interested threat actors in disrupting or destroying these \nfunctions, evidenced in part by NotPetya, WannaCry, and Shamoon \nattacks.\n\nQ.12. 
Some of the lessons from that attack were documenting IT \nprocesses, restricting access to IT processes, and keeping \ncommunications separate from incident responses. What should \nbusinesses do now to prepare for a possible attack in the \nfuture?\n\nA.12. Thoughtful and exercised incident response plans are \nencouraged for all financial institutions. The plans should \ninvolve multiple offices within the organization including \nsecurity, legal, communications, business resilience and \nexecutive leadership. Incident response plans can aid in more \naccurate and prompt information sharing, as well.\n    Businesses should also focus on the security of their \nthird-party suppliers and remain in an active dialogue about \ntheir security practices. The prevalence of third-party risks, \nsuch as digital supply chain attacks, has increased as attack \nsurface expands through use of the cloud and online services. \nSuch attacks can affect institutions of all kinds, even those \nwith robust cybersecurity measures in place. As evidence, \nNotPetya was initially distributed via a compromised accounting \nsoftware update from the provider\'s server and, separately, \nmalicious actors leveraged compromised credentials and malware \nto corrupt another software provider\'s updates to distribute \nmalicious data-stealing code. Further, a USG Technical Alert \nreleased this year shed light on ongoing campaigns affecting \ncritical infrastructure sectors which compromised staging \ntargets, such as third-party suppliers, with less secure \nnetworks to reach intended victims.\n                                ------                                \n\n\nRESPONSE TO WRITTEN QUESTION OF SENATOR JACK REED FROM MICHAEL \n                             DANIEL\n\nQ.1. 
In your written testimony, you stated that:\n\n        the Government can facilitate disclosure of information that \n        can help customers, clients, shareholders, and other relevant \n        parties take appropriate defensive actions, better assess risk, \n        and advocate for improved security. Examples of such \n        requirements could include data breach reporting, information \n        about material cybersecurity risks on financial statements, and \n        public acknowledgements about how a publicly traded company is \n        assessing and managing its cyber risk, particularly at the \n        board of director\'s level. Such disclosures do not assist \n        criminals or other bad actors--they already know where the \n        weaknesses are; instead these requirements allow market forces \n        to operate more efficiently.\n\nCould you please go into greater detail about how cybersecurity \ndisclosure would allow market forces to operate more \nefficiently?\n\nA.1. Right now, consumers often lack information about a \nproduct or service\'s cybersecurity. As a result, they cannot \nfactor that\ninformation into a purchasing decision. Just as with disclosing \ncalorie counts in food products, if consumers had more access \nto information they could use that information to make better \nchoices. And if some consumers began to discriminate among \nproducts or services based in part on their cybersecurity, then \nproducers and suppliers would have an incentive to create more \nsecure outputs.\n                                ------                                \n\n\n   RESPONSE TO WRITTEN QUESTION OF SENATOR MARK WARNER FROM \n                         MICHAEL DANIEL\n\nQ.1. 
Is verifying that financial institutions have an internal \ncybersecurity audit function or an independent third-party \nassessment sufficient, or should financial regulators develop \ntheir own view of the cybersecurity posture of supervised \nentities in addition to requiring independent third-party \nassessment?\n    Are you and others in the industry seeing an uptick in \ninterest from regulators in cyber risk? What issues do \nregulators focus on in their examinations?\n    What do you believe is the appropriate role of the \nfinancial regulators in assessing the cybersecurity of \ninstitutions they regulate?\n\nA.1. I believe that regulators should largely rely on third-\nparty assessments, rather than trying to develop the capability \nin-house to conduct reviews at the scale required for our \nfinancial sector. That said, financial regulators should have \nstaff capable of interpreting those assessments and determining \nwhether the assessment demonstrates that the institution is \nmeeting its requirements.\n    I cannot speak to what financial regulators focus on in \ntheir examinations but I can suggest the Committee explore the \noversight and examination material of the financial regulatory \nagencies and bodies such as the Federal Financial Institutions \nExamination Council.\n    The key issue is whether the institution is appropriately \nconsidering systemic risk as well as the immediate risk to the \ncompany in managing its cybersecurity. Institutions have an \nincentive to ensure that they can conduct business, maintain \ncustomers, and preserve their reputation. However, the \nincentives are not strong enough on their own for the \ninstitution to invest in cybersecurity that in turn helps drive \ndown risk across the sector (and therefore to the broader \neconomy) as a whole. 
That\'s where--systemic risk to the broader \nsector and economy--the Government regulators should focus.\n                                ------                                \n\n\n  RESPONSES TO WRITTEN QUESTIONS OF SENATOR CORTEZ MASTO FROM \n                         MICHAEL DANIEL\n\n    A year and a half ago, William and Margaret Frederick sold \ntheir home in Ohio so they could buy a home in Las Vegas, \nNevada. The couple expected to make a $216,000 profit on the \nsale. But, their real estate agent read a hacked email \nsupposedly from William--the fake email had three L\'s in Bill \ninstead of two--and sent the profit to the hacker. William was \n83 and Margaret 77. Someone stole the money they intended to \nlive on in retirement.\n    Real estate transaction fraud is a problem in Nevada and \nnationwide. Thieves wait for the right time to impersonate a \nbank or realtor and send you different wire transaction \ninstructions. Estimates are as much as $400 million a year in \nlosses.\n\nQ.1. What more can financial institutions do to prevent thieves \nfrom stealing people\'s down payments, earnest money and even \nthe entire home payment if someone is buying a home for cash? \nPlease identify the best practices for realtors, title agents \nand mortgage brokers?\n\nA.1. Although the Internet often makes fraud easier to \nperpetrate, the best practices to combat cyber-enabled fraud \nare often the same in other domains. I would point to \nreferences like the Federal Trade Commission, the Financial \nCrimes Enforcement Network, the Federal Bureau of \nInvestigation--Financial Institution Fraud division, the \nFinancial Services Information Sharing and Analysis Center, and \nsimilar organizations that lay out best practices to combat \nfraud.\n\n    One way to protect consumers\' information is to not collect \nit. 
For example, why should merchants of any sort, including \ndoctors, insurance companies and utilities, require social \nsecurity numbers as part of their information or data-set on \ntheir customers? Should we limit Social Security numbers \nprovided to merchants?\n\n  <bullet> What other sorts of information should financial \n        institutions or others STOP collecting?\n\n  <bullet> State and International Laws Relating to \n        Cybersecurity\n\n  <bullet> What are the pros and cons of a Federal data breach \n        law?\n\n  <bullet> How should Federal data breach laws coexist with \n        other international laws?\n\nA.2. The first step in managing cyber risk more effectively is \nunderstanding your information environment: what information \ndoes your organization hold and why is it holding it? An \norganization should only hold and manage information for which \nthere is a legitimate business purpose, and it should only hold \nthat information for as long as needed for the business purpose \n(or according to law, if the organization has legal obligations \nfor data retention). Thinking through these questions will \nenable an organization to determine what information it really \nneeds to collect and store, and then how long it needs to \nretain that information.\n    In terms of digital identity and how best to conduct \nidentity proofing without relying on social security numbers, I \nwould recommend that the Committee look at research being done \nrelated to digital verification processes in cyberspace. Some \nexamples of this work and related suggestions can be found at \nthe National Strategy for Trusted Identities in Cyberspace \n(NSTIC) and the Better Identity Center here in Washington, DC.\n\nQ.3. Firms that fail to secure their data pay substantial \npenalties. Hundreds of hackers go to prison. 
The woman [Paytsar \nBkhchadzhyan] who hacked into Paris Hilton\'s accounts and stole \nher credit card information received a 5-year prison term. \nTaylor Huddleston (26) of Arkansas was sentenced to serve \nnearly 3 years for building and selling a remote access Trojan \n(NanoCore) to hackers.\n    Can you give me some examples of fines, penalties and \nsentences for firms and individuals that engaged in cyber \ntheft? Are these costs an appropriate deterrent?\n\nA.3. This specific question falls outside my area of expertise. \nHowever, measuring deterrence is always challenging, whether in \nthe physical world or in cyberspace.\n\nQ.4.a. Seventy-seven percent of cyber attacks come from the \noutside. Yet sometimes, figuring out who the hackers were is \nhard to figure out. Hackers can spoof evidence. They can embed \nother hackers\' tools.\n    How big of a problem is figuring out attribution for hacks? \nAre there ways we can enhance information sharing between \nindustry and the Federal Government to enable more rapid \ndetection and response to cyber attacks?\n\nA.4.a. Attribution remains a challenging endeavor for multiple \nreasons. First, attribution involves combining technical \ncapabilities, data from a number of victims, and considerable \ntime. While the U.S. Government and cybersecurity companies \nhave improved their attribution capabilities significantly, \neven these organizations have to invest considerable resources \ninto this work. Second, even if cybersecurity companies can \nattribute malicious activity to a particular group or \nadversary, taking the next step of tying that attribution to an \nindividual in the real world is even harder.\n\nQ.4.b. What tools or resources would make it easier for \nfinancial institutions to correctly attribute cyber-attacks?\n\nA.4.b. We can definitely improve information sharing between \nthe Federal Government and the private sector. 
In particular, \nwe need to build the technical mechanisms, the business \nprocesses, and the legal understandings to enable this exchange \nto occur at both machine speed and at human speed.\n    Financial institutions may not be able to attribute most \nmalicious activity on their own and it may not be in their best \ninterest to do so. However, they can provide forensic and other \ndata that can help organizations, such as threat researchers \nand Government agencies that can make the attribution.\n\nQ.5. In 2015, French-language TV station, TV5Monde was \nsubjected to a significant cyber-attack which disrupted its \nbroadcast for several hours by Fancy Bear. These are the same \nRussian government and military hackers that hacked the \nDemocratic National Committee. Multiple television channels \nwent dark. Social media channels run by the broadcasters began \nto spew ISIS propaganda. The attack was the work of Russian \nhackers who pretended to be ISIS. Russian government hackers \nalso attacked the World Anti-Doping Agency, the power grid in \nUkraine and the French electorate with another document dump.\n    How significant is the threat to private businesses--from \nhostile foreign governments or terrorist organizations?\n\nA.5. Criminal actors conduct the overwhelming majority of \nmalicious activity online and, as a result, are the primary \ncybersecurity threat to most businesses.\n    However, the threat from nation-state actors is very real \nand organizations should take it seriously. Fortunately, the \nbest practices that work against criminal organizations can \nalso impede nation-state actors. Therefore, companies should \nfocus on implementing cybersecurity best practices, regardless \nof the adversaries they face.\n    The threat from most terrorist organizations remains fairly \nnascent. Terrorist groups are effective at using the Internet \nas a recruiting platform, but their ability to use it to carry \nout operations remains limited. 
Some groups attempt to hack \ninto companies to expose private information, but few have the \ncapability to do more than that right now. However, given \nterrorists\' high motivation to cause damage, if a nation-state \ndecided to supply a terrorist organization with malware or \nother tools, that group\'s capability to cause harm could grow \nrapidly.\n\nQ.6. Some of the lessons from that attack were documenting IT \nprocesses, restricting access to IT processes, and keeping \ncommunications separate from incident responses.\n    What should businesses do now to prepare for a possible \nattack in the future?\n\nA.6. All organizations should adopt a holistic risk management \napproach and that should include managing their cyber risk. \nBest practices for managing cyber risk have been promulgated in \nthe Cybersecurity Framework published by the National Institute \nof Standards and Technology and in collaboration with the \nprivate sector and other Government agencies. Such an approach \ncan guide an organization to understand its information assets \nand business processes; invest in more effective protections; \nhave a capability to detect when malicious activity is \noccurring; develop an incident response plan for when bad \nevents occur; and create a plan for restoring business \noperations as soon as possible. Adopting a holistic approach is \nthe most effective way a company can prepare for malicious \ncyber activity.\n                                ------                                \n\n\n  RESPONSES TO WRITTEN QUESTIONS OF SENATOR WARNER FROM PHIL \n                            VENABLES\n\nQ.1. How do banks--much less regulators--evaluate and manage \nrisk of IT environments that combine not only third-party \nsoftware and products, but also decades-old legacy IT?\n\nA.1. 
Third-party software and hardware risk is an ongoing \nchallenge requiring institutions to have clear policies and \npractices to manage the risk of third-party products in the \nenvironment. In more sophisticated organizations a risk \nassessment, code analysis and operational penetration testing \nmay be conducted to ensure any critical and externally facing \napplications and platforms are appropriately hardened.\n    Legacy IT infrastructure risk is a challenge facing many \nmedium-to-large organizations. Most financial institutions have \nbeen required by Federal regulators to conduct an appropriate \nrisk analysis of their IT environment to identify that \ninfrastructure which is not able to have software patches \napplied to address current vulnerabilities and threats. \nSophisticated organizations prioritize protection and \nremediation of these legacy environments based on relative risk \nof the platforms and technology. Externally facing\nsystems are generally the priority for remediation and Federal\nregulators will generally require evidence of an appropriate \nongoing vulnerability management and vulnerability scanning \nprogram to ensure that high-risk vulnerabilities are adequately \nbeing managed.\n    Effectively managing third-party and legacy infrastructure \nrisk is predicated on the organization having up-to-date \ninventories of hardware and software and understanding the \nassociated risks. This can be challenging in large, global \norganizations and requires significant and ongoing discipline \nwith appropriate policies and practices to ensure consistency.\n\nQ.2. Could the kind of meltdown we\'re seeing in the United \nKingdom with TSB Bank happen in the United States as a result \nof an IT migration?\n\nA.2. 
Public reporting on the TSB Bank incident indicates the \nissue was caused by a variety of failures in the organization\'s \ntesting, change management, migration, communications and \nregulatory engagement processes.\n    The migration of such a large volume of customers (5.2 \nmillion) in one activity is a significant risk. There is no \npublic information available as to what testing took place \nbehind the scenes prior to the upgrade and what processes \nfailed in the transition so our ability to assess what went \nwrong in the migration is extremely limited. Media reporting \nalso indicates TSB, and parent company Banco Sabadell, declined \nassistance from Lloyd\'s early in the migration crisis.\n    Sound change management policies and practices, exercised \nand comprehensively tested using a phased migration approach \nare clear recommendations for any complex or significant \nmigration or upgrade. For significant changes and migrations it \nis recommended to have a prepositioned communications plan \nsupporting clear and transparent customer and regulatory \nnotification should issues be encountered.\n                                ------                                \n\n\n  RESPONSES TO WRITTEN QUESTIONS OF SENATOR CORTEZ MASTO FROM \n                         PHIL VENABLES\n\nQ.1. What more can financial institutions do to prevent thieves \nfrom stealing people\'s down payments, earnest money and even \nthe entire home payment if someone is buying a home for cash? \nPlease identify the best practices for realtors, title agents \nand mortgage brokers?\n\nA.1. 
Fannie Mae and Freddie Mac provide comprehensive resources \nincluding fraud mitigation best practices to provide guidance \nfor all entities in the mortgage transaction flow.\n\n    https://www.fanniemae.com/singlefamily/mortgage-fraud-prevention\n\n    http://www.freddiemac.com/singlefamily/fraud.html\n\n    http://www.freddiemac.com/singlefamily/pdf/fraudprevention_practices.pdf\n\n    Small- to medium-sized organizations supporting mortgage \nservices should review and follow cybersecurity best practices, \nsuch as those offered by the ``Staysafeonline\'\' website \nmaintained by the National Cybersecurity Alliance, in order to \nprovide appropriate protection for the personal identifying and \nbank account information they collect. Public reporting \nindicates some mortgage brokers and smaller organizations may \nbe utilizing public email services for transacting business \nthat if compromised could allow identity theft and fraud. \nBusinesses should conduct a security review of their email \naccounts based on the provider\'s recommendations and implement \nthe appropriate enhanced security offerings for these email \nservices.\n\n    https://staysafeonline.org/cybersecure-business/\n\n    https://landing.google.com/advancedprotection/\n\n    https://help.yahoo.com/kb/SLN5013.html\n\n    Fannie Mae and Freddie Mac further offer recommendations \nfor consumers around red flags that may be indicative of fraud \nduring mortgage transactions. One significant indicator of \nattempted wire transfer fraud may be an unexpected email \nindicating a late change to the payee/beneficiary account \ninformation prior to an upcoming funds transfer. 
The safest \ncourse for consumers is to not trust any wire transfer \ninstructions received via email and to validate all financial \ndetails via phone call to a confirmed number that was not \nprovided in any email communications.\n\n    https://www.fanniemae.com/content/news/mortgage-fraud-news-0116.pdf\n\n    https://www.fanniemae.com/content/tool/mortgage-fraud-prevention-consumers.pdf\n\n    http://www.freddiemac.com/singlefamily/fraud.html\n\n    http://www.freddiemac.com/perspectives/robb_hagberg/20170612_combating_mortgage_fraud.html\n\nQ.2. What other sorts of information should financial \ninstitutions or others STOP collecting?\n\nA.2. We support the adoption of the principle of ``data \nminimization\'\' under which a business should collect and \nprocess only such personal information as is necessary for it \nto achieve the task at hand, whether that be servicing the \ncustomer, complying with its own legal or regulatory \nobligations, or pursuing some other legitimate purpose.\n\nQ.3. State and International Laws Relating to Cybersecurity\n\nA.3. To date, most States have avoided the imposition of \ndetailed, prescriptive requirements as to the safeguarding of \npersonal and business-related information, opting instead for a \nhigh-level, and more flexible, approach of requiring businesses \nto implement and maintain ``reasonable security procedures and \npractices\'\' appropriate to the nature of the information \nprocessed, the type of activities conducted, the size and \ncomplexity of the organization, etc. Notable exceptions to this \ngeneral rule are Massachusetts, Nevada and, more recently and \nonly as to organizations under its supervision, New York \nState\'s Department of Financial Services.\n    In general, the ``data protection\'\' laws outside of the \nUnited States are principles-based, particularly as it relates \nto security controls. 
Although an obligation to maintain the \nsecurity of personal data is one of these principles, most \ncountries have, like the majority of our States, not imposed \nprescriptive safeguarding obligations and have instead taken the \napproach of imposing an obligation to implement ``appropriate \ntechnical and organizational measures\'\' to protect personal \ndata. This approach is reflected in the E.U. General Data \nProtection Regulation which took effect late last month. Laws \nfocusing on the protection of information other than personal \ndata or on cybersecurity measures more generally have been less \ncommon. That trend changed, as to Europe at least, in 2016 with \nthe adoption of the Network and Information Security Directive \nwhich was required to be implemented by E.U. Member States on \nor before May 9, 2018. The Directive is the first EU-wide piece \nof legislation concerning cybersecurity.\n\nQ.4. What are the pros and cons of a Federal data breach law?\n\nA.4. The main and very significant benefits of a Federal data \nbreach notification law are consistency and efficiency. \nAlthough the State laws on this point share many similarities, \nthere is enough divergence in the underlying requirements to \nmake responding to an incident having a multi-State impact very \nchallenging. Analysis of these differences across State laws \nand their application to the specific facts of each incident is \ntime consuming and can result in unnecessary delay in notifying \nimpacted individuals. A single requirement at the Federal level \nwould promote consistency. Assuming a breach notification \nregime is to be required, there is very little downside in \nhaving this imposed at the Federal, rather than at the State, \nlevel.\n\nQ.5. How should Federal data breach laws coexist with other \ninternational laws?\n\nA.5. 
Individuals, regardless of where they are located, who are \nexposed to a significant risk of harm when their personal \ninformation is compromised due to a cybersecurity breach, \nshould be apprised of that breach and given sufficient \ninformation to take the measures necessary to protect \nthemselves. State breach notification laws have led the way in \nthis regard and, with the inclusion of a breach notification \nrequirement in the new General Data Protection Regulation, the \nEuropean Union has now formally acknowledged the value of this \nprinciple. In light of this new E.U. requirement, it is more \nimportant than ever that the United States adopt a single \nbreach notification regime nationwide in order to ensure that \nincidents having international impact are responded to \npromptly, consistently and efficiently.\n\nQ.6. Can you give me some examples of fines, penalties and \nsentences for firms and individuals that engaged in cyber \ntheft? Are these costs an appropriate deterrent?\n\nA.6. Recent examples of sentencing and penalties for criminal \ngroups and individuals are as follows:\n\n  <bullet> On April 18, 2018, Dwayne C. Hans of New York was \n        sentenced to 36 months in prison for attempting to \n        steal more than $3 million from the Pension Benefit \n        Guaranty Corporation, Defense Logistics Agency and \n        General Services Administration. He was ordered to pay \n        restitution of $134,000.00 for activities conducted \n        between July 2015 and October 2016, when he committed \n        fraud by impersonating an authorized representative of \n        a U.S. financial institution and a defense contractor. \n        Hans had previously pleaded guilty to one count of wire \n        fraud and one count of computer intrusion. 
https://\n        www.justice.gov/usao-edny/pr/cyber-criminal-sentenced-\n        36-months-prison-attempting-steal-more-3-million-\n        financial.\n\n  <bullet> On November 30, 2017, Russian cyber-criminal Roman \n        Valeryevich Seleznev aka Track2, Bulba and Ncux, was \n        sentenced to serve 168 months in prison for one count \n        of participation in a racketeering enterprise and 168 \n        months in prison for one count of conspiracy to commit \n        bank fraud with the sentences to run concurrent to one \n        another. In both cases, Seleznev was ordered to serve 3 \n        years of supervised release to run concurrently and \n        ordered to pay restitution in the amount of \n        $50,893,166.35 in Nevada and $2,178,349 in Georgia. \n        Seleznev pleaded guilty to the charges and admitted \n        affiliation with the Carder.su organization, an \n        Internet-based, international criminal enterprise whose \n        members trafficked in compromised credit card account \n        data and counterfeit identifications and committed \n        identity theft, bank fraud, and computer crimes. \n        https://www.justice.gov/opa/pr/russian-cyber-criminal-\n        sentenced-14-years-prison-role-organized-cybercrime-\n        ring-responsible.\n\n  <bullet> On May 25, 2017, three Nigerian cyber actors were \n        sentenced for Federal offenses including mail fraud, \n        wire fraud, identity theft, credit card fraud, theft of \n        Government property, and conspiracies to commit bank \n        fraud and money laundering. The maximum penalty imposed \n        on a defendant was 115 years in prison and the minimum \n        sentence handed down was 25 years. Overall 21 \n        defendants had been charged in the case which was led \n        by Homeland Security Investigations. The stronger \n        penalties were imposed due to the bank fraud and money \n        laundering elements of their activities. 
https://\n        www.justice.gov/opa/pr/three-nigerians-sentenced-\n        international-cyber-financial-fraud-scheme.\n\n    Federal Judges may face difficulty in determining \nsentencing in cyber crime cases due to the broad types and \nscope of impact, including where there may be difficulty in \narticulating a direct financial loss. Based on sentencing \nguidelines from the Department of Justice, fraud cases where \nthere is direct loss to specific victims are generally easier \nto determine than matters where there is no direct loss, such \nas theft of information. Further, in general charges asserted \nin most cyber crime cases are generally a subset of a broader \narray of activity by the perpetrator, and for some alleged \ncrimes there may be only limited evidence for some crimes. \nConsequently, many cyber criminals may only ever be charged and \nsentenced based on a small subset of their overall criminal \nbehavior, which in many cases stretches back over many years.\n    Many overseas higher order cyber-criminal actors are \nunlikely to ever face prosecution and sentencing due to their \nlocation in countries that will not extradite or work with U.S. \nlaw enforcement. Further in some countries, advanced cyber \ncriminals may present a potential asset to Government military \nand intelligence capabilities so there is even less incentive \nto proceed with prosecution. The use of cyber criminals to \nsupport state-sponsored cyber operations was publicly confirmed \nwith the release of the indictment in the Yahoo email \ncompromise incident. 
https://www.justice.gov/opa/pr/us-charges-\nrussian-fsb-officers-and-their-criminal-conspirators-hacking-\nyahoo-and-millions.\n    There is likely some deterrent value in stiff sentencing \nfor cases, but the broad nature of offenses and diversity of \nsentencing is likely to present little deterrent to those \nadversaries located overseas, particularly if they have \nrelationships supporting intelligence and military operations.\n\nQ.7. How big of a problem is figuring out attribution for \nhacks? Are there ways we can enhance information sharing \nbetween industry and the Federal Government to enable more \nrapid detection and response to cyber-attacks?\n\nA.7. The ability to potentially attribute cyber threat \nactivities to a specific actor or series of actors varies \ngreatly based on the type and impact of the incident. \nAttribution is generally a complex problem and an investigative \nchallenge based on the availability of a set of technical \nfragments of evidence, which are aggregated, analyzed and \ncompared against other cyber activities where the perpetrators \nhave been identified with some degree of confidence.\n    At the strategic level, where nation states are the primary \nthreat actors, geopolitical context may suggest from an \nintelligence perspective that an adversary is responsible for a \nset of cyber threat activity that was triggered in response to \nspecific event(s).\n    Ability to attribute consequently varies between national \nsecurity and purely criminal threats, with national security \nthreat actors much more likely to be proactively monitored by \nthe Intelligence Community. In criminal cases there is \ngenerally a requirement for significant forensic reconstruction \nof events to be able to coherently trace and attribute \nmalicious activity. 
Further, in the majority of cyber-criminal \ncases involving fraud and theft, following the network and \nfinancial transaction trails will generally lead overseas as \ncriminals know that crossing international jurisdictions \nsubstantially increases the complexity of investigation for \nU.S. agencies, particularly if some of the traffic is routed \nthrough countries which have tense or poor relations with the \nUnited States.\n    Nation state military and intelligence services may also \nattempt to actively obfuscate and potentially misattribute \nactivity.\n    The financial sector has a variety of robust information \nsharing arrangements with U.S. Government agencies through \nsector associations including the Financial Services \nInformation Sharing and Analysis Center (FS-ISAC) and Financial \nSystemic Analysis and Resilience Center (FSARC), and at the \nindividual financial institution level. During the 2011-2014 \nDistributed Denial of Service (DDoS) attacks the FS-ISAC and \nindividual member institutions worked collaboratively and \nindividually with the Government agencies to identify, \nattribute and mitigate cyber threat activities. That \ncollaboration has continued through the current time.\n\nQ.8. What tools or resources would make it easier for financial \ninstitutions to correctly attribute cyber-attacks?\n\nA.8. To further clarify, the term cyber-attack is, at times, \nmisused in the media which unfortunately confuses the issue of \ndetermining the actual objective of an adversary, which may be \nsurveillance, theft, disclosure, manipulation/alteration or \ndisruption/destruction, and much of which has distinctly \ndifferent impacts to a victim organization.\n    Attribution is generally a confidence weighted activity and \nthe ability of a private institution, or group of institutions, \nto successfully attribute cyber activity varies greatly on the \ntype of activity and the type of adversary. 
In nation-state \ncases, there may be geopolitical indicators which provide a \nlevel of inference lacking in other types of cyber activity.\n    Publicly attributing cyber activity may present risk to any \ninstitution making the statements as an adversary may become \nparticularly focused on that institution in response. This was \nseen during the 2012 DDoS attacks where an institution that \npublicly attributed the attacks in media to Iran was subjected \nto ongoing focus as a result.\n\nQ.9. How significant is the threat to private businesses--from \nhostile foreign governments or terrorist organizations?\n\nA.9. Nation states have conducted cyber-criminal, cyber \nespionage and cyber-attack actions against private sector firms \nglobally.\n\nQ.10. What should businesses do now to prepare for a possible \nattack in the future?\n\nA.10. Businesses should understand the domestic and global \noperational risk environment in which they operate and have a \nclear view of which assets are at most cyber risk. 
They must \nadopt a defense-in-depth approach to cybersecurity that \nemphasizes a ``default deny\'\' approach and assesses \norganizational controls against the most likely adversary \ncapabilities.\n    Determining the identity, capabilities and likelihood of \nthe most significant cyber adversaries an organization faces is \nan ongoing activity that can then be used to assess the \nadequacy of the controls against the threat\'s technical \ncapabilities.\n    The ability to conduct this risk analysis is predicated on \nthe following organizational capabilities:\n\n  <bullet> Identifying targeted campaigns against the \n        organization from broader activity targeting the \n        industry and Internet as a whole\n\n  <bullet> Analyzing and attributing the campaigns that have \n        been previously observed and are currently being \n        observed\n\n  <bullet> Ascertaining the adversary\'s objectives in the \n        campaigns\n\n  <bullet> Utilizing observations and threat intelligence to \n        develop a model of adversaries\' technical capabilities \n        and then prioritizing them based on the highest \n        technical capabilities\n\n  <bullet> Modeling adversaries\' capabilities against the \n        organization\'s control capabilities should result in a \n        residual risk assessment of the organization\'s \n        abilities to defend against their prioritized adversary \n        capabilities and highlight control gaps or deficiencies \n        that need enhancement.\n\nMore broadly this type of analysis should be conducted on an \nongoing basis against the broader cyber threat environment to \nensure the organization always understands its ability to \nmitigate current and developing cyber threats.\n                                ------                                \n\n\nRESPONSES TO WRITTEN QUESTIONS OF SENATOR WARNER FROM BOB SYDOW\n\nQ.1. 
Do regulators, who have the ability to supervise the banks \nand their relationships, but not the third-party vendors \nthemselves, have sufficient authority to monitor these risks \nappropriately?\n\nA.1. Regulators have been addressing the topic of third-party \nrisk and the vendors across a number of dimensions, including \nbut not limited to:\n\n  <bullet> Issuing guidance and requirements for outsourcing \n        risk and third-party risk management\n\n  <bullet> Setting expectations that regulated firms have \n        effective programs over their third parties to confirm \n        that they are fulfilling the firms\' contractual, \n        compliance, consumer protection, legal and obligations\n\n  <bullet> Examination of how firms manage third parties--\n        especially critical vendors--within the context of how \n        they assess and manage risks across various domains \n        (e.g., cyber, critical business processes, Recovery and \n        Resolution Planning).\n\n    For example, the Office of the Comptroller of the Currency \n(OCC) has issued the following guidance for managing third-\nparty risk:\n\n        When circumstances warrant, the OCC may use its authority to \n        examine the functions or operations performed by a third party \n        on the bank\'s behalf. Such examinations may evaluate safety and \n        soundness risks, the financial and operational viability of the \n        third party to fulfill its contractual obligations, compliance \n        with applicable laws and regulations, including consumer \n        protection, fair lending, BSA/AML and OFAC laws, and whether \n        the third party engages in unfair or deceptive acts or \n        practices in violation of Federal or applicable State law. 
The \n        OCC will pursue appropriate corrective measures, including \n        enforcement actions, to address violations of law and \n        regulations or unsafe or unsound banking practices by the bank \n        or its third party. The OCC has the authority to assess a bank \n        a special examination or investigation fee when the OCC \n        examines or investigates the activities of a third party for \n        the bank. (OCC Bulletin 2013-29.)\n\n    Another example is:\n\n        ``Guidance for Managing Third-Party Risk,\'\' FIL-44-2008, \n        published by the Federal Deposit Insurance Corporation. It \n        states in part: ``Review of third-party relationships \n        contributes to the FDIC\'s overall evaluation of management and \n        its ability to effectively control risk. Additionally, the use \n        of third parties could have a significant effect on other key \n        aspects of performance, such as earnings, asset quality, \n        liquidity, rate sensitivity, and the institution\'s ability to \n        comply with laws and regulations. Findings resulting from the \n        review of an institution\'s third-party relationships will be \n        addressed as needed in the Report of Examination. Appropriate \n        corrective actions, including enforcement actions, may be \n        pursued for deficiencies related to a third-party relationship \n        that pose a safety and soundness or compliance management \n        concern or result in violations of applicable Federal or State \n        laws or regulations. Financial institutions are reminded that \n        indemnity or other contractual provisions with third parties \n        cannot insulate the financial institution from such corrective \n        actions.\'\'\n\nQ.2. Are regulators focusing on third-party vendor management \nin their examinations? 
Are you seeing increased enforcement or \nother critical action from regulators against banks due to \ninsufficient compliance programs for third-party vendor \nmanagement?\n\nA.2. EY sees banking regulators conducting exams that include a \nspecific focus on third-party vendor management. The focus of \nthese exams is across topics ranging from governance, due \ndiligence, risk assessment, ongoing monitoring, cyber, \nresiliency, contracting and the cataloging and inventory of \nthird-party vendors.\n\nQ.3. In its semiannual report in 2017, the Office of the \nComptroller of the Currency noted that concentration in third-\nparty service providers, such as providers of enterprise \nsoftware or security products and services, has increased \ncybersecurity supply chain risk. Do you agree with this \nassessment? Do you believe that there is a potential systemic \nrisk issue with dependencies on key third-party vendors or the \nwide use of certain software? Should regulators require a \nsoftware bill of materials to understand what\'s inside third-\nparty IT products?\n\nA.3. A number of factors are contributing to an increase of \ncybersecurity supply chain risk including: emerging \ninterconnected technologies that drive fundamental \ntransformations and create complex third-party ecosystems; the \nvolume, velocity and precision of attacks; and the shortage of \ncybersecurity resources and skilled professionals. \nAdditionally, many entities face not only third-party risk, but \nmay also need to consider fourth and fifth parties in their \nevaluation of risk.\n    While vendors can help provide solutions to address some of \nthe resource constraints, third parties inherently create \nadditional risk. Any single entity can be a potential threat \nentry point, which may cause a ripple effect across the \nenterprise or industry. 
Heightened regulatory and market focus \nhave increased pressure on financial institutions to account \nfor how third-party suppliers and vendors use and protect their \ndata and manage sustainable operations, especially for critical \nservices.\n    Additionally, many financial services companies work with \nFinTech and RegTech companies or are looking for efficiency \nand innovation through use of the cloud. These also put further \nfocus on third-party vendor cybersecurity risks.\n    The private sector is also focused on components of the \nsupply chain that could create systemic risk and is working \nwith the regulatory community to identify, evaluate, plan and \nexercise cyber response plans. This includes but is not limited \nto the power and utilities sector, payment processors, \nservicers, financial market utilities and infrastructure \nproviders. Continued collaboration and focus on these efforts \nwill be critical for preparedness.\n    Leading practices for companies to enhance their cyber \ncapabilities, including consideration for third parties, \ninclude:\n\n  <bullet> Identify their most important assets consisting of \n        critical business processes, systems, infrastructure, \n        data and dependent third parties that are most critical \n        to the financial institutions, including their role in \n        the broader financial services ecosystem.\n\n  <bullet> Protect their high-value assets and underlying \n        system architecture for enhanced security.\n\n  <bullet> Detect threats and vulnerabilities to proactively \n        identify threats with better threat intelligence, \n        detection and management capabilities.\n\n  <bullet> Respond to cyber incidents to rapidly contain the \n        damage, and mobilize the diverse resources needed to \n        minimize impact--including direct costs and business \n        disruption, as well as reputation and brand damage.\n\n  <bullet> Recover from cyber disruptions to resume 
normal \n        business operations as quickly as possible.\n\nQ.4. Is verifying that financial institutions have an internal \ncybersecurity audit function or an independent third-party \nassessment sufficient, or should financial regulators develop \ntheir own view of the cybersecurity posture of supervised \nentities in addition to requiring independent third-party \nassessment?\n\nA.4. Traditionally, the main role of internal audit, which is \noften referred to as the third line of defense in the three \nlines of defense (3LoD)\\1\\ risk management model described \nbelow, has been to provide an independent and objective \nassessment of the firm\'s processes across the first and second \nlines of defense, with the focus on operational effectiveness \nand efficiency as part of the firm\'s overall risk governance \napproach. As qualified technical resources are limited, \ninternal audit groups often turn to co-sourcing arrangements \nwith a qualified third party to augment their teams to provide \ntechnical resources to assess risk and execute audit programs \nto validate controls over applications and technology \ninfrastructure, cyber risk governance and risk management, \nconduct independent penetration testing and vulnerability \nassessments, etc.\n---------------------------------------------------------------------------\n    \\1\\ This includes excerpts from EY\'s Cyber risk management across \nthe lines of defense, EYGM Limited, April 2017.\n---------------------------------------------------------------------------\n    In cases where a firm has taken the appropriate actions so \nthat qualified technical resources are available to support \ntheir internal audit team, the need for an independent third-\nparty assessment and/or independent regulatory review would not \nappear to be necessary. 
Conversely, in cases where a firm does \nnot have sufficiently qualified technical resources in-house and \nhas elected not to utilize the services of a qualified third \nparty, some form of annual independent assessment may be \nnecessary.\n\nQ.5. Are you and others in the industry seeing an uptick in \ninterest from regulators in cyber risk? What issues do \nregulators focus on in their examinations?\n\nA.5. In light of the heightened threat presented by cyber \nrisks, regulators globally have stepped up their focus on \ncybersecurity. Each regulator reviews cybersecurity in its own \nway, and takes into consideration its own view of the cyber \nrisks in the industry and specific institutions, when \nconducting its reviews.\n    Across the course of their ongoing supervisory reviews, \nsupervisors increasingly assess a bank\'s ability to manage \ncyber risk across the 3LoD. The first line operates the \nbusiness, owns the risk and designs and implements operations. \nThe second line defines policy statements and the risk \nmanagement framework, provides a credible challenge to the \nfirst line and is responsible for evaluating risk exposure for \nexecutive management and the board to consider when \nestablishing a risk appetite. The third line of defense, which \nis also commonly referred to as ``internal audit,\'\' is \nresponsible for the independent evaluation of the first and \nsecond lines.\n    EY has found that establishing a 3LoD approach to cyber \nrisks is not a trivial task for an organization, but it is \nbecoming essential in the cyber world we have entered. \nFinancial services firms are still grappling with how to best \nimplement the model across their businesses for existing \nnonfinancial risks. 
Adding cyber risk management as well as \nstrong board oversight during the implementation of the 3LoD \nmodel poses an even greater challenge for organizations.\nFirst line of defense\n    A strong first line of cybersecurity defense requires a \nsignificant effort. Whether in the retail bank, investment \nbank, corporate bank, private bank or any other area, business \nheads will have to perform a thorough examination to determine \nwhether the business is doing enough to manage cyber risk. \nInformation security groups can no longer apply one-size-fits-\nall solutions to the entire enterprise. Instead, each line of \nbusiness must carefully define the cyber risks and exposures it \nfaces. Cyber risks need to be woven into the fabric of the first \nline\'s risk and control self-assessment and into fraud, crisis \nmanagement, and resiliency processes.\n    The lines of business will need to actively monitor \nexisting and future exposures, vulnerabilities, threats and \nrisks associated with their activities. In addition to \nleveraging technologies, businesses need to determine the \nimpact that cyber risk will have on their clients, operational \nprocesses and strategies. These new responsibilities require \nsignificant investment in people and tools, including upgraded \nmonitoring and analytic capabilities to provide improved \nassessments of current levels of cyber risk.\nSecond line of defense\n    The independent second-line cyber risk management function \nmanages the enterprise cyber risk appetite and risk management \nframework within the context of the overall enterprise risk \nstrategy. This group challenges the first line\'s application of \nthe board-approved cyber framework and appetite. Second-line \nrisk management plays a critical role in managing cyber risks \nand should not be walled off as a separate risk function. 
As \nthe keeper of a firm\'s board-approved risk tolerance, it \ndetermines how to appropriately measure cyber risks, embedding \nquantitative and qualitative (e.g., reputational) thresholds \nfor cyber risks into the statement of risk tolerance for the \nfirm. Moreover, these clearly established appetite and \nassociated thresholds need to cascade down into the operations \nfor each line of business.\n    Given the relative novelty of applying the 3LoD model to \ncyber risk, most of the first and second lines focus \nappropriately on more effective management of these risks \nrather than the narrower issue of compliance. However, with an \nincreasing volume of regulatory guidance and mandatory \nrequirements stemming from industry, professional and \nregulatory standards, cyber will increasingly constitute a \nmaterial compliance risk. Accordingly, supervisors should \nassess whether financial institutions integrate cyber risk \ncompliance into second-line risk management.\nThird line of defense\n    Traditionally, the main role of the third line of defense \nhas been to provide an independent and objective assessment of \nthe firm\'s process across the first and second lines of \ndefense, with the focus on operational effectiveness and \nefficiency as part of the firm\'s overall risk governance \napproach. Regulators are now focusing on how effective and \nindependent a firm\'s internal audit team is when it comes to \nreviewing the firm\'s approach to cybersecurity. 
For example, \nbanking regulations focused on cybersecurity often include \nreferences to the importance of an ``annual independent \nassessment,\'\' such as those included in Federal Financial \nInstitutions Examination Council (FFIEC) and NIST requirements \nand guidelines.\n    As a foundation, EY recommends that the internal audit team \ninclude within its overall audit plan an evaluation of the \ndesign and operating effectiveness of cyber risk management \nacross the first and second lines of defense. Traditionally, \nindustry standards, such as the NIST\'s Cybersecurity Framework \nguidelines have been used as the benchmark for evaluating a \nfirm\'s effectiveness. Going forward, internal audit teams at \nfinancial institutions may need to create their own framework \nor apply multiple industry frameworks. By doing so, internal \nauditors will maintain greater objectivity in assessing cyber \nrisk management effectiveness, eliminating the potential blind \nspots that can result from using a common standard throughout \nall three lines of defense.\n    Under the 3LoD model, internal auditors perform procedures \nsuch as assessments, validation of applications and technology \ninfrastructure, evaluations of third-party risks, conduct some \nlevel of intrusive-based testing, either by themselves or using \nthird parties, incorporate cyber into regular audits and have a \nresponsibility to stay abreast of cyber threat intelligence.\nBoard oversight of cyber risk management\n    Supervisors should also assess the degree to which boards \nof directors provide effective challenge and oversight of the \nbank\'s cyber risk management. Boards need to understand the \nmaturity of their organizations\' approach relative to evolving \nindustry and regulatory trends. 
A cyber risk maturity \nassessment should be broad in nature, considering people, \nprocess and technology as well as existing and planned \nimprovement or remediation activities.\n    The view on program maturity needs to be combined with a \nproper assessment of existing threats and vulnerabilities, and \nthe evolving threat landscape. Boards should press management \nto quantify cyber risk as much as possible so that quantitative \nstatements on the degree of cyber risk are incorporated into \nthe firm\'s risk appetite statement. The cyber risk appetite \nstatement should link directly to cyber and technology \noperational thresholds and tolerances. Boards should insist on \nmore credible cyber risk reporting, in the context of the \napproved cyber risk appetite. Boards should also determine how \nthey evaluate the quality, accuracy and timeliness of cyber \nmetrics. Boards should challenge how they oversee cyber risk \nacross their own governance structure.\n    The board should revisit its strategy for keeping directors \nabreast of cyber threats, trends and the evolving business \nimplications. Boards should press management to quantify cyber \nrisk as much as possible so that quantitative statements on the \ndegree of cyber risk are incorporated into the firm\'s risk \nappetite statement. The cyber risk appetite statement should \nlink directly to cyber and technology operational thresholds \nand tolerances. 
Aspects of cyber risk management should be \nbuilt into an ongoing training program throughout the year, \nwith overview sessions and deep dives on the most relevant \ntopics and issues.\\2\\\n---------------------------------------------------------------------------\n    \\2\\ For an example of an effective cyber risk dashboard, see \nAppendix F of the ``Cyber-Risk Oversight: Director\'s Handbook Series,\'\' \nNational Association of Corporate Directors, 2017.\n---------------------------------------------------------------------------\n    Ultimately, the board is accountable for requiring that \nmanagement adapts quickly enough to manage this enterprise risk \nmore effectively and efficiently, and it is charged with \nproviding a credible challenge to management\'s approach.\n\nQ.6. What do you believe is the appropriate role of the \nfinancial regulators in assessing the cybersecurity of \ninstitutions they regulate?\n\nA.6. We see several regulatory roles related to cybersecurity \nincluding:\n\n  <bullet> Engaging in public/private sector dialogues and \n        efforts to support sharing intelligence and leading \n        practices\n\n  <bullet> Considering how effectively cyber resiliency has \n        been built into an organization\'s three lines of \n        defense as referenced in my testimony\n\n  <bullet> Considering the level of board engagement in cyber \n        risk management\n\n  <bullet> Advancing opportunities to seek sources of new \n        talent for both public and private sector needs, as \n        observed during my testimony\n\nCompanies that exercise good faith efforts, establish cyber \nrisk management frameworks and adopt such leading practices as \noutlined in the previously submitted testimony should benefit, \nnot only within the company, but in the eyes of stakeholders, \nregulators and enforcement agencies, especially relative to \nliability and penalty measures.\n                                ------                      
\n\n\nRESPONSES TO WRITTEN QUESTIONS OF SENATOR CORTEZ MASTO FROM BOB \n                             SYDOW\n\nQ.1. A year and a half ago, William and Margaret Frederick sold \ntheir home in Ohio so they could buy a home in Las Vegas, \nNevada. The couple expected to make a $216,000 profit on the \nsale. But, their real estate agent read a hacked email \nsupposedly from William--the fake email had three L\'s in Bill \ninstead of two--and sent the profit to the hacker. William was \n83 and Margaret 77. Someone stole the money they intended to \nlive on in retirement.\n    Real estate transaction fraud is a problem in Nevada and \nnationwide. Thieves wait for the right time to impersonate a \nbank or realtor and send you different wire transaction \ninstructions. Estimates are as much as $400 million a year in \nlosses.\n    What more can financial institutions do to prevent thieves \nfrom stealing people\'s down payments, earnest money and even \nthe entire home payment if someone is buying a home for cash? \nPlease identify the best practices for realtors, title agents \nand mortgage brokers.\n\nA.1. Consumer education about common financial fraud methods \nand how to securely communicate their sensitive data should be \ndriven as a combined effort by the private sector and public \nentities to foster an ongoing culture of greater awareness. \nFinancial institutions can work to implement two-way \nverification of identities on the web, mobile and other virtual \nspaces to gain greater confidence that they are interacting \nwith their intended customer and for the customer to have \nconfidence they are communicating with their intended \ninstitution. Additional monitoring controls for higher-risk \nconsumers and transactions should be considered, but this \nshould be balanced with the need to maintain fluidity and \nvelocity of transactions without adding risk to the banks \nthemselves for delays or rejected payments. Underpinning all of \nthese controls, however, is the growing need for an improved \nform of digital identification for all entities, consumer and \ninstitutional, that can support enhanced authentication and be \neasily used and verified for online transactions.\n    Educating individual business owners about cybersecurity \nand cyber posture is a topic on which the public and private \nsector should work together. EY recognizes the importance of \nbetter cyber hygiene throughout the ecosystem, and would \nencourage policymakers to consider what levers they have available \nto reach individual business owners.\n\nQ.2. One way to protect consumers\' information is to not \ncollect it. For example, why should merchants of any sort, \nincluding doctors, insurance companies and utilities, require \nSocial Security Numbers as part of their information or data-\nset on their customers? Should we limit Social Security Numbers \nprovided to merchants?\n\nA.2. The value of the Social Security Number (SSN) as a \nprivate and unique identifier must be viewed relative to the \nrisk that currently exists based upon years of propagating this \nsame identifier across multiple systems. In my view, continued \nusage of this same identifier, coupled with the aggregation of \ncybersecurity breaches that have gained access to this \nidentifier, diminishes its value and instead heightens the risk \nassociated with using it. Unique identifiers must be evaluated \nfrom multiple perspectives before deciding upon their value. \nFor example, the use and collection of an identifier that is \nunique to a particular industry segment may be reasonable, if \nits usage across various entities encourages innovation, \nbenefits society, limits other risks or provides convenience to \nconsumers and furthermore, if the risks associated with using \nthe identifier do not outweigh those values or may be \nmitigated. It is the data that is associated with the unique \nidentifier that creates the risk and hence there may be ways to \nstill achieve value while minimizing risk by limiting those \ndata elements about an individual that are associated with any \nidentifier.\n    In other contexts, there may be better ways than using a \nunique identifier to manage risk. One example is when the \nidentifier is being used solely for the purpose of \nauthenticating someone\'s identity. There are other ways to \nachieve this, including through encrypted identifiers and \nmultifactor authentication.\n\nQ.3. What other sorts of information should financial \ninstitutions or others STOP collecting?\n\nA.3. Many companies across industries are required to collect \nSSNs to comply with legal and regulatory requirements. For \nexample, financial institutions are required to collect and \nretain SSNs when customers open an account or apply for a \nmortgage. Health insurance companies are also mandated by \nGovernment to collect SSNs for individuals they insure. In such \ncases, companies cannot voluntarily choose whether or not they \ncollect SSNs from their customers.\n    When considering policies to change the collection and use \nof SSNs, it is important to understand whether the proposal \nwould impact the use of the SSN as an identifier or \nauthenticator. SSNs were created to be a unique identifier, and \norganizations continue to use them in this way to connect \ndisparate pieces of information about a person. Today, SSNs are \nalso widely used as authenticators to verify the identity of a \nperson. This is problematic because authenticators are only \nvaluable if they remain a secret--which is not the case with \nSSNs after years of massive data breaches have made them widely \navailable to criminals on the dark web.\n\nState and International Laws Relating to Cybersecurity\n\nQ.4. What are the pros and cons of a Federal data breach law?\n\nA.4. 
Because pros and cons can vary for differing stakeholders, \npolicymakers in Congress are in the best position to determine \nthe path forward that balances the needs of constituents and \nother key stakeholders. EY believes key considerations include \nthe potential benefit of harmonization and the need for \ninteroperability across jurisdictions, which we address \nelsewhere in this document.\n\nQ.5. How should Federal data breach laws coexist with other \ninternational laws?\n\nA.5. In EY\'s view, it is important for U.S. policymakers to \nconsider the potential for conflict that could arise across \njurisdictional differences in laws. EY routinely hears from \nclients how regulatory harmonization at the State, Federal, and \ninternational levels has the potential to reduce compliance \ncosts and free up capital to invest limited financial resources \navailable to improve their security posture. Conversely, it \nwould add to costs and complexity to have disparate approaches \nthat are not interoperable.\n\nQ.6. Firms that fail to secure their data pay substantial \npenalties. Hundreds of hackers go to prison. The woman [Paytsar \nBkhchadzhyan] who hacked into Paris Hilton\'s accounts and stole \nher credit card information received a 57-month prison term. \nTaylor Huddleston (26) of Arkansas was sentenced to serve \nnearly 3 years for building and selling a remote access Trojan \n(NanoCore) to hackers.\n    Can you give me some examples of fines, penalties and \nsentences for firms and individuals that engaged in cyber \ntheft? Are these costs an appropriate deterrent?\n\nA.6. There are various Federal and State Government authorities \nthat bring enforcement actions relating to cybercrime. A non-\nexhaustive list includes the following. 
The Federal Trade \nCommission brings actions alleging that companies have engaged \nin unfair or deceptive practices that failed to adequately \nprotect consumers\' personal data; information on such cases is \navailable at www.ftc.gov/datasecurity.\n    The U.S. Securities and Exchange Commission (SEC) also \nbrings actions alleging account intrusion and failure to \nsafeguard customer data; for example, information on such cases \nis available at www.sec.gov/spotlight/cybersecurity-\nenforcement-actions. Because various States have their own data \nprotection and breach notification laws, some States have State \nauthorities with enforcement authority relating to cybercrime.\n    Additionally, there can be criminal sanctions for cyber \ntheft. To take one recent example, the U.S. Department of \nJustice (DOJ) announced charges against 36 people from the \nUnited States and six foreign countries earlier this year \nalleging that they were responsible for hundreds of millions of \ndollars of losses from the acquisition and sale of stolen \nidentities and other information. See ``Thirty-six Defendants \nIndicted for Alleged Roles in Transnational Criminal \nOrganization Responsible for More than $530 Million in Losses \nfrom Cybercrimes,\'\' DOJ Press Release No. 18-145 (Feb. 7, \n2018), available at www.justice.gov/opa/pr/thirty-six-\ndefendants-indicted-alleged-roles-transnational-organization-\nresponsible. Notably, although DOJ announced the arrests of 13 \nof the people charged, it was uncertain whether the 23 \nremaining defendants would ever face trial in the United \nStates.\n    There are a variety of criminal statutes available to \nFederal prosecutors. See, e.g., ``Prosecuting Computer \nCrimes,\'\' DOJ OLE Litigation Series, Appendix A, ``Unlawful \nOnline Conduct and Applicable Federal Laws,\'\' available at \nwww.justice.gov/criminal/cybercrime/docs/ccmanual.pdf. For \nexample, the Computer Fraud and Abuse Act, 18 U.S.C. Sec. 1030, \nprovides for maximum sentences of 10 years for a first offense \nand 20 years for a second offense. While cybersecurity experts \ngenerally feel that there is an important role for law \nenforcement to play in apprehending cyber criminals, many \nexpress the sentiment that these efforts are unduly hampered by \nthe length of criminal sentences that are imposed. More often, \ncybersecurity experts tend to realize that bad actors in this \nspace are able to operate across the globe, including in places \nthat make it difficult for U.S. law enforcement authorities to \nreach them.\n    This is not to say that there is no place for criminal and \nregulatory enforcement in the cyber realm. Clearly, there is. \nHowever, especially given the rapidly changing nature of the \nthreat, and the extent to which the threat can originate \noverseas, enforcement will never be sufficient on its own. \nInstitutions need to protect themselves and their stakeholders \nbecause many actors in cybercrime are unlikely to be deterred, \nno matter how robust the penalties. As a result, EY encourages \nthe Committee to focus not only on enforcement but also on ways \nto incentivize responsible and effective corporate governance \nand risk management strategies by rewarding good behavior and \nadoption of leading practices.\n    As stated in the written testimony EY submitted to the \nCommittee, not only do threats evolve day-by-day, but those who \nwant to do harm are not constrained by regulatory, liability or \njurisdictional issues, let alone ethics. While no one can \nguarantee that any or all attacks can be prevented, the market \nis developing best practices and ways to mitigate risk and \nimpact. 
Companies that \nexercise good faith efforts, establish cyber risk management \nframeworks and adopt such best practices as outlined in this \ntestimony should benefit, not only within the company, but in \nthe eyes of stakeholders, regulators and enforcement agencies, \nespecially relative to liability and penalty measures.\n\nQ.7. Seventy-seven percent of cyber attacks come from the \noutside. Yet sometimes, figuring out who the hackers were is \nhard to figure out. Hackers can spoof evidence. They can embed \nother hackers\' tools.\n    How big of a problem is figuring out attribution for hacks? \nAre there ways we can enhance information sharing between \nindustry and the Federal Government to enable more rapid \ndetection and response to cyber attacks?\n\nA.7. Attribution can be incredibly difficult depending on the \nsophistication of the adversary and as a result of the \ntransient nature of digital evidence. An adept adversary \nunderstands forensics and cyber investigative methodology and \nwill take steps to minimize their digital fingerprints if they \nchoose to obscure attribution. Additionally, attribution often \nrequires correlation between different investigations or \nsources of information. Therefore, many organizations that do \nnot routinely respond to breaches lack the data to make \ncorrelations and assessments regarding attribution. 
Finally, \nsome key data points that are helpful in providing attribution \nare maintained by private or foreign entities that may be \nunwilling to provide this critical information.\n    There are a number of initiatives currently underway to \npromote the sharing of information between the private and \npublic sector, including:\n\n  * The Department of Homeland Security\'s Cyber \n    Information Sharing and Collaboration Program (CISCP)\n\n  * The Cybersecurity Information Sharing Act (CISA) \n    program, and related Automated Indicator Sharing \n    Initiative\n\n  * The Federal Bureau of Investigation\'s InfraGard \n    program\n\n  * The U.S. Department of Energy\'s Cybersecurity Risk \n    Information Sharing Program for the electric utility \n    sector\n\n  * Sector-specific as well as regional Information \n    Sharing and Analysis Centers (ISACs)\n\nThese initiatives are each having a positive effect on \nmarketplace efforts to combat cyber attacks, but there is \nalways more that can be done, including: (1) providing enhanced \nliability protection for private sector companies when good-\nfaith efforts are made when sharing information, (2) increasing \nthe speed with which information is disseminated, and (3) \nincreasing the speed of security clearance investigations \n(needed before access can be provided to certain protected \ninformation).\n\nQ.8. What tools or resources would make it easier for financial \ninstitutions to correctly attribute cyber-attacks?\n\nA.8. Attribution can be incredibly difficult depending on the \nsophistication of the adversary and the transient nature of \ndigital evidence. The rapidly escalating volume, velocity and \nsophistication of cybersecurity attacks on the financial \nservices ecosystem continues to present a significant challenge \nto financial institutions in safeguarding their sensitive data. 
\nFinancial institutions should continue to enhance their cyber \ncapabilities--people, process and technology--by identifying \ntheir high-value assets; securing their high-value assets and \nunderlying architecture; proactively detecting threats and \nvulnerabilities; rapidly responding to cyber incidents to \ncontain the damage; and recovering from cyber disruptions to \nresume normal business operations as quickly as possible.\n    Additionally, financial institutions should explore the \npossibility of sharing cyber threat information in a \nconfidential, timely manner with their peers and appropriate \nexternal stakeholders and also collaborating with them to \nprotect the financial system ecosystem.\n\nQ.9. In 2015, the French-language TV station TV5Monde was \nsubjected to a significant cyber-attack by Fancy Bear which \ndisrupted its broadcast for several hours. These are the same \nRussian government and military hackers that hacked the \nDemocratic National Committee. Multiple television channels \nwent dark. Social media channels run by the broadcasters began \nto spew ISIS propaganda. The attack was the work of Russian \nhackers who pretended to be ISIS. Russian government hackers \nalso attacked the World Anti-Doping Agency, the power grid in \nUkraine and the French electorate with another document dump.\n    How significant is the threat to private businesses--from \nhostile foreign governments or terrorist organizations?\n\nA.9. The threat to the private sector from attacks waged by \nhostile foreign actors is extremely significant. There have \nbeen a number of public reports of instances where these actors \nhave demonstrated the ability and intent to maliciously attack \nprivate companies with the goal of stealing intellectual \nproperty, disrupting operations (e.g., via ransomware attacks), \nconducting industrial espionage and other nefarious purposes. \nThese attacks directly affect specific companies and have a \nripple effect on the U.S. 
economy as a whole, potentially \nundermining the public\'s trust and the backbone of our economy.\n\nQ.10. Some of the lessons from that attack were documenting IT \nprocesses, restricting access to IT processes, and keeping \ncommunications separate from incident responses.\n    What should businesses do now to prepare for a possible \nattack in the future?\n\nA.10. A growing number of companies experience cyber events as \npart of the routine course of business and are well versed in \nresponding. Incident management, continuity and crisis \nmanagement programs can support how a company responds to an \nevent. For significant cyber events, many of EY\'s clients are \nfocused on the following areas:\n\n  1. Communications and disclosures: timely and accurate \n        reporting, notification and disclosure is an \n        increasingly critical concern following a cyber breach \n        as it must be factual and meet requirements under \n        Federal and State law as well as other regulatory \n        requirements and guidelines, including the most recent \n        SEC guidance updates and, where applicable, various \n        foreign requirements such as the new European Union \n        (EU) General Data Protection Regulation (GDPR).\n\n  2. Simulation exercises: firms have been practicing \n        technical ``war games\'\' and conducting trainings to \n        prepare technical resources for an event. EY is seeing \n        a trend where firms are extending these exercises \n        further to include executive management and in some \n        cases members of the board to practice and refine \n        response mechanisms.\n\n  3. Industry efforts: financial services firms are engaging \n        in various industry exercises, collaboration efforts \n        and information sharing programs to help address the \n        potential client impacts as well as possible systemic \n        impacts that could occur.\n\nHowever, it should be noted that there is no silver bullet. No \norganization, large or small--public or private--is immune to \nthe cyber threat. As noted in the prepared remarks delivered to \nthe Senate Banking Committee, EY\'s clients face three \nsignificant challenges:\n\n  1. Emerging interconnected technologies drive fundamental \n        transformations and create complex third-party \n        ecosystems\n\n  2. The volume, velocity and precision of attacks\n\n  3. A shortage of cybersecurity resources and skilled \n        professionals\n\n    EY works with clients across all sectors, and many should \nbe commended for their efforts. Financial services firms, \nespecially the largest banks, are considered best-in-class not \nonly in terms of organization and investment, but also for \nleading engagement with stakeholders across the ecosystem. The \nindustry is not without challenges, and there is variation \namong firms. For example, while the largest banks have \nconsiderable resources dedicated to cybersecurity risk \nmanagement, smaller entities often struggle with costs and \naccess to a competitive talent pool. That is not to say these \norganizations are not committed to cyber risk management or do \nnot take the issue seriously. Cyber breaches and associated \nlosses are not good for business, and when a company\'s business \nmodel depends on customer trust, a cyber event can cause long-\nterm damage to brand and reputation.\n    Large banks are accustomed to higher levels of regulatory \nscrutiny, and their third-party risk management programs tend \nto be more mature and robust--but challenges remain. 
Today, \nfinancial institutions deal with third-, fourth- and fifth-\nparty risk. In addition to vendor risk, most institutions \nstruggle to secure resources and talent. Experienced cyber \nprofessionals are in high demand. Often, small financial \nservices institutions rely on third-party providers to meet \nthose needs. There is no one-size-fits-all solution, but there \nare three areas where EY believes risk can be mitigated: \ncorporate governance and risk management, the American \nInstitute of Certified Public Accountants\' (AICPA) \nCybersecurity Risk Management Reporting Framework and policy \nsolutions.\n    Ultimately, the board is responsible for governing a \ncompany\'s risk appetite and providing a credible challenge to \nmanagement. By doing so, boards help protect investors and \nenhance the company\'s value and performance. Banks use a \n``three-lines-of-defense\'\' risk management model (described \nlater in this document). The larger ones are adopting this \nmodel for cyber. EY considers this a leading practice. \nIncreasingly, regulators, investors and others want financial \ninstitutions to build cyber resiliency strategies into the \nthree lines of defense.\n    Another challenge is understanding and communicating about \na cyber program\'s efficacy. While the National Institute of \nStandards and Technology (NIST) and others have developed \nimplementation guidance, there had been no means to evaluate \nand report on program effectiveness. The distinction is subtle, \nbut significant. In response, the AICPA recently developed the \nCybersecurity Risk Management Evaluation and Reporting \nFramework. 
This is voluntary and can provide stakeholders with \nreasonable assurance that the identification, mitigation and \nresponse controls are in place and operating effectively.\n    No framework can guarantee against a breach, but the AICPA \nFramework can offer an independent validated understanding of a \ncompany\'s cybersecurity systems, processes and controls. While \nthe AICPA\'s model is relatively new, voluntary market adoption \nappears to be gaining momentum. Unfortunately, there is no \nsingle legislative, regulatory or market solution that can \nguarantee against a cyber event. Bad actors are not constrained \nby regulatory, liability or jurisdictional issues, let alone \nethics.\n    Policymakers and the business community should work \ntogether to foster collaboration and improve intelligence \nsharing. The private sector needs flexible and harmonized \npolicy solutions that recognize the dynamic challenge of \ncybersecurity and clarify conflicting directives. There needs \nto be a balance between the need for compliance and the need \nto manage cyber risk and protect consumers.\n    EY believes companies that engage in good faith efforts, \nestablish enterprise-wide cyber risk management frameworks and \nadopt leading practices should be recognized, especially \nrelative to liability and penalty measures.\n    Finally, EY encourages Congress to support modernization of \nthe Government\'s cyber posture, to focus on developing \nsolutions to address cyber workforce shortages, and to \neducate the public and help the country as a whole improve its \ncyber hygiene.\n\n              Additional Material Supplied for the Record\n[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]\n\n</pre></body></html>\n'