THE NEW REALITY OF CYBER-SECURITY COMPLIANCE (Continued from Page 14)

“We’ve been in contact with [the SEC’s] buy-side regulator group and cyber-security is a big issue for them as well,” says Karl Schimmeck, vice president of financial services operations at SIFMA. “They’re definitely going to be looking at doing more on” cyber-security with buy-side firms.

In general though, analysts described both exams as more a testing of the waters than a fully realized regulatory regime.

“I think right now the government is in an awareness phase,” says Roel Schouwenberg, senior security researcher at Kaspersky Lab, an IT security vendor. “The SEC and the DFS, they’re still kind of approaching it from the angle of ‘How should we determine what companies need to do, and then how should we put that in writing?’”

With the risks posed by cyber-attacks growing by the day, analysts expect further action from the government in the months ahead.

“I think the U.S. government has been kind of late to the game in a lot of these areas,” says Daniel Ives, an analyst with FBR Capital Markets. “I think a lot of the regulations have kind of lacked teeth. They need to dedicate more resources to this because it’s just a massive threat to the country.”

Back-Office Vulnerabilities

The nature of cyber-threats faced by financial institutions is evolving and multiplying rapidly, says Schouwenberg.

Lew says banks and credit unions have faced more than 250 distributed denial-of-service attacks since 2011, which overload firms’ networks and can lead to crashed websites.

In 2012, a spate of seemingly coordinated DDOS attacks took out the websites of several major U.S. banks for hours at a time. U.S. intelligence officials later said the act was the work of the Iranian government, lashing out in retaliation for American sanctions over its nuclear program.

While those attacks did not cause lasting harm, Lew says there’s every reason to believe that the next round could.

“It does not take much to imagine the impact of those attacks on U.S. banks if they had penetrated core operational functions rather than temporarily disrupting public websites,” says Lew, speaking at Delivering Alpha.

Furthermore, the vast majority of attacks likely go unreported because cyber-security laws generally require companies to go public about attacks only when customers are at direct risk.

Customer data remains the most attractive option for most hackers, with the massive breach at JPMorgan in August that compromised gigabytes of customer checking and savings information being a case in point.

It’s rumored the attack may have been carried out by Russian hackers in retaliation for U.S. sanctions over the conflict in Ukraine.

While the size of the attack is notable, its occurrence only serves to underscore the dangers financial firms are already scrambling to face.

“Companies of our size unfortunately experience cyber-attacks nearly every day,” Patricia Wexler, a JPMorgan spokeswoman, told The New York Times.

Areas such as the back office, where operational data is stored, are also likely to be more vulnerable to cyber-attacks because of that traditional focus on safeguarding customer data.

“In the back office, I don’t think their systems are very well-guarded at all, if you want my honest opinion,” says Virginie O’Shea, a senior analyst at Aite Group. “Some of these systems are pretty old and at large institutions you could be working with a patchwork of hundreds of systems. There’s bound to be massive holes that could be exploited.”

‘It’s Just Good Business’

While the vulnerability of financial institutions to cyber-attacks might keep government officials like Lew up at night, at the end of the day financial institutions themselves stand to lose the most.

Many smaller firms, however, especially on the buy side, are dragging their feet.

“I’d say it’s the smaller guys and maybe some of the hedge funds that haven’t really thought about this before,” says O’Shea. “That’s where I’m seeing people kind of waking up and going, ‘Hang on a minute; we may have issues.’”

Continued on Page 18

DANIEL IVES, managing director, technology, media and telecom research group, FBR Capital Markets
KARL SCHIMMECK, vice president, financial services operations, SIFMA
VIRGINIE O’SHEA, senior analyst, Aite Group

FALL 2014 | FTF NEWS MAGAZINE