The financial industry body that represents some of the biggest firms on Wall Street has called for the creation of an inter-agency government group to help co-ordinate cyber security in the face of mounting attacks.
The Securities Industry and Financial Markets Association, or Sifma, made the recommendation on Monday as it unveiled suggestions for how regulators can harmonise cyber security efforts to bolster defences against potential attacks.
Despite a spate of high-profile data breaches, cyber security guidelines remain a patchwork of conflicting rules and recommendations.
Creating an inter-agency body to help co-ordinate efforts between the private sector and public bodies could improve cyber security across jurisdictions and different businesses, Sifma said.
The industry group is also calling on regulators to hold third-party data and service providers to the same cyber security standards as banks and other big financial companies.
Cyber attacks are “one of the top threats” to the financial services industry, said Karl Schimmeck, Sifma’s managing director of financial services operations. “Collaboration is the best and most effective way to produce a solution.”
Sifma warned that many of the risks facing big banks, asset managers and other financials could come through third-party partners who are charged with managing electronic systems and storing the vast reams of data used by Wall Street.
Sifma wants regulators to “increase their coverage of third parties and put pressure on these third parties to meet the regulatory expectations of the financial services firms that they serve”.
Assessing cyber security measures is currently part of regular bank examinations conducted by the Federal Reserve and the Office of the Comptroller of the Currency.
But regulators have also called for tough standards for all of the parties involved in cyber security breaches to eliminate weak links between third-party vendors and banks.
“We see the asymmetry in the requirements of non-bank companies, or the absence of requirements for non-bank companies to take measures to protect personal information,” Fed Governor Dan Tarullo said in testimony to Congress in September. “I feel to some degree we’ve all got one hand tied behind our back.”
The Obama administration has also urged Congress to pass stalled legislation that would set up national standards for reporting cyber security breaches. Senate Judiciary Committee Chairman Patrick Leahy, the Democratic sponsor of the bill, is working on a bipartisan compromise with Senator Chuck Grassley in hopes of moving the plan forward, according to a person familiar with the efforts.
Financial institutions also worry about the potential pitfall of sharing information on cyber security. For example, the US and Europe interpret differently whether IP addresses are public or private, and whether they can be shared.
A bipartisan bill sponsored by the Senate Intelligence Committee in July attempted to address some of those concerns. The bill provides for liability protection when sharing cyber security threat information between the government and the private sector.
Sifma has been pushing politicians to enact legislation that would make cyber “info-sharing” easier. But given that Congress will return in November to a lame duck session, political analysts are pessimistic that lawmakers will do so in the remainder of the year.
Recommendations from Sifma come days after the Financial Times revealed that Fidelity Investments, one of the largest US mutual fund companies, was one of 13 financial institutions attacked by hackers believed to be the same group that stole customer information from JPMorgan Chase.
The attack on JPMorgan resulted in the theft of names, addresses and other personal data from about 76m US households.