Today, the SEC is hosting a Cybersecurity Roundtable—in person and via webcast—to discuss cybersecurity and the challenges and issues it raises. The Roundtable will have four panels, each with distinguished panelists. We are blogging live to provide updates to our readers, so stay tuned throughout the day to get updates on each panel.
First Panel: “Cybersecurity Landscape”
The panelists began by generally discussing the three main areas of cybersecurity: the cyber attackers themselves, how to remain vigilant/incident management, and the ability to remain resilient against attacks. The panelists emphasized the importance of bringing everyone (agencies, government, and companies) together to thwart attacks. They noted that the private sector is at the front line for attacks and for defense.
Next, the panelists discussed the types of threats and challenges that companies currently face. They noted that although there have been a wide array of attacks, most of the focus, including the President’s focus, has been on critical infrastructure since it presents the gravest national danger. Banking has been the most attacked industry, followed by energy, because they not only have a significant level of money involved, but also represent our nation. As a result, they noted that critical infrastructure is way ahead of most companies in their cybersecurity initiatives. Regarding the current challenges, companies should be looking to three questions:
- How do I figure out what I really need to protect, since I can’t protect everything?
- How do I manage access to my information by third parties, i.e., vendors and professional services?
- How do I monitor what is supposed to be protecting the company?
The panel then focused on the board of directors, emphasizing that the board needs to be involved and that there needs to be continuous monitoring with a multi-layered approach. They noted that this will of course take a lot of work and people. Only 1% of boards have someone who is cyber proficient; as a result, the panelists stressed the importance of boards knowing what questions to ask, having a plan in place, practicing that plan, and continually communicating with those dealing with cybersecurity issues. It was also noted that management needs to make sure that there is a culture in place so that everyone is part of the cyber risk plan, because this is a business issue that requires a top-down approach. One panelist stated that boards with the best practices are getting outside expertise to deal with cybersecurity.
The panelists continued with a discussion on the state of preparedness. They again all stressed the need to share information, and noted that the financial services industry is probably the most advanced in cybersecurity. But companies can never be 100% prepared, because there is always something new on the horizon. So companies just have to stay on top of things and keep building safety devices, because “the DNA of a threat is never the same.”
Finally, the panel looked at protecting access and how to facilitate more productive dialogue between interested constituencies. The panelists talked about the Executive Order and the NIST Framework, noting that the NIST Framework is not a checklist per se because you can’t get “framework compliant.” And, right now, there are real barriers preventing government and the private sector from working together because of the lack of clarity on what information can be shared. Currently, companies do not share because they are afraid of incurring risks. The panelists discussed options for having an industry group that aggregates information and shares it with the industry anonymously, and the need to have legislation in place to determine when companies can share information without risk. The panelists stated that there are barriers to sharing on many levels: government to private sector; private sector to government; between government agencies; between governments; and between private sector companies. Barriers need to be identified in each lane of communication so they can be eliminated one by one. No one legislative solution will work.
The panelists concluded by focusing on the ever-evolving nature of the cyber threat: what is known today will be different from tomorrow. Thus, we should just go back to the basics—are we already thinking of our business preparedness in a way that we can get to the cyber problem before it becomes an issue?
Moderators: Thomas Bayer, Chief Information Officer; Keith Higgins, Director, Division of Corporation Finance; James Burns, Deputy Director, Division of Trading and Markets
Panelists:
- Cyrus Amir-Mokri, Assistant Secretary for Financial Institutions, Department of the Treasury
- Mary E. Galligan, Director, Cyber Risk Services, Deloitte & Touche LLP
- Craig Mundie, Member, President’s Council of Advisors on Science and Technology; Senior Advisor to the Chief Executive Officer, Microsoft Corporation
- Javier Ortiz, Vice President, Strategy and Global Head of Government Affairs, TaaSera, Inc.
- Andy Roth, Partner and Co-Chair, Global Privacy and Security Group, Dentons US LLP
- Ari Schwartz, Acting Senior Director for Cybersecurity Programs, National Security Council, The White House
- Adam Sedgewick, Senior Information Technology Policy Advisor, National Institute of Standards and Technology
- Larry Zelvin, Director, National Cybersecurity and Communications Integration Center, U.S. Department of Homeland Security