P. 18
THE NEW REALITY OF CYBER-SECURITY COMPLIANCE (Continued from Page 16)

It’s unclear whether the laggards will take a more proactive stance as the importance of cyber-security continues to sink into the industry’s consciousness, or whether they’ll need to be goaded by the government before they get serious.

“If there is a compliance aspect [of cyber-security] then so be it,” says Schimmeck. “But that won’t be the overriding factor as to why firms invest in this area. At the end of the day most of [SIFMA’s] members look at this and say, ‘Cyber-security is something we’ve got to take seriously because it’s just good business.’”

Schouwenberg isn’t so sure.

“We still see in too many cases that regulations are what drive part of the security equation,” says Schouwenberg. “But that’s a bad situation to be in. Regulations are almost always out of date, and they’re very general. They could also be interpreted by some people as only requiring them to do less than they really should. But nonetheless I think it makes a lot of sense for the government to be pushing to get everyone in better shape.”

The Trickle-Down Effect

For most firms, improving their cyber-security systems will mean relying heavily on third-party software and service providers.

Arnold Rozenvasser, director, head of systems development, Optima Fund Management, says his firm relies on third-party vendors for everything from the latest security software to the testing of that software — in the form of firms Optima pays to attempt to hack its systems and report back on any weak points they find.

“In my view, it all has to be outsourced,” Rozenvasser says. “It cannot be handled internally. Even with Big Five firms like Goldman [Sachs], we’re in the business of finance, not the business of cyber-security.”

Ives puts the breakdown between third-party security services and software versus internal best practices at about 70-30, respectively.

As firms take stock of their systems’ preparedness for cyber-attacks, they’ll need to start looking much more closely at all their relationships with third-party vendors.

“A malicious cyber-actor could cause catastrophic damage to our financial system without directly attacking a bank,” says Lew, speaking at Delivering Alpha. “Risks to the system can be found at the vendors, suppliers and contractors. ... An incursion at a strategic point along the network could lead to market disruption and massive harm.”

The cyber-security of third-party vendors that firms contract with is a prominent component of both the SEC and DFS exams.

Analysts say they’ve also seen a “trickle-down effect” at the third-party vendors themselves, where an increasing focus on cyber-security at customer firms creates pressure for them to do the same.

“Nowadays, it’s very hard for firms to keep all of their data within their four walls,” says Schimmeck. “Over time, you’ll continue to see the back office get consolidated and migrated, so you’re going to have a greater obligation on your compliance teams, your tech risk and business resiliency teams to provide additional oversight on those third-party relationships.

“Firms nowadays, when they’re looking to contract with vendors, security is a huge part of what they’re talking about.”

Unlimited Capabilities

It’s still unclear what future regulations on cyber-security might look like, but in general, greater government involvement in the sector is a sure thing, analysts and industry representatives say.

In February, the National Institute of Standards and Technology released its Cybersecurity Framework, a voluntary how-to guide for U.S. businesses seeking to improve their cyber-security preparedness. The framework was the direct result of an executive order issued by President Barack Obama last year.

That’s in addition to a controversial cyber-security information sharing bill currently being considered by Congress.

There have also been calls by SIFMA for the government to create a “cyber-war council,” Bloomberg reports, which would coordinate among the government and the financial sector and allow the government’s vastly superior cyber-capabilities to step in and defend the industry in the event of a particularly daunting threat.

However the regulatory and cooperative initiatives unfold, the stakes are such that neither side can afford to stay aloof from advancing the government-industry relationship for long.

“A lot of what we’re seeing in terms of more sophisticated attacks comes from nation-states or terrorist organizations that are supported by nation-states,” says Schimmeck. “In those cases we will have to rely on the government to help defend the private firms in the sector, because we just don’t have the unlimited capabilities that the U.S. government does.”

ROEL SCHOUWENBERG, senior security researcher, Kaspersky Lab

ARNOLD ROZENVASSER, director, head of systems development, Optima Fund Management

FALL 2014 | FTF NEWS MAGAZINE