Cybersecurity is very, very tough: How a SIFMU’s cyber chief sees the threat

Sep 25, 2017

Spencer Doar

Associate Editor

The OCC’s new chief security officer talks about risks and prevention. 

It’s alarming and getting ugly.

The Equifax hack in March compromised the personal information of an estimated 40 percent of the United States population. The Bangladeshi central bank is down $81 million after the SWIFT messaging system was hacked in early 2016. The SEC recently disclosed that a 2016 hack of its EDGAR database may have resulted in trading on nonpublic information for personal gain.

Then there are the cyber breaches of retailers: Target in 2013, which settled for $18.5 million, and Home Depot in 2014, which settled for $19 million, plus the recent backdooring of CCleaner, the compromise of the U.S. Office of Personnel Management in 2015, the WannaCry attacks targeting a variety of industries — the list continues and the costs are enormous.

None of this is lost on the financial services sector, which has multiple points of entry and plenty of critical data to protect. It is in this environment that OCC hired its first chief security officer (CSO), Mark Morrison, in May. Morrison spent 30-plus years working in cybersecurity for various government agencies, including the National Security Agency and Department of Defense. After retiring from the government, Morrison headed to State Street in 2013 before becoming the OCC’s CSO. Beyond Morrison’s hire, the OCC has tripled the number of security staff in the last five years.

Morrison’s arrival at OCC comes at a critical time. The clearinghouse is in the process of revamping its core technology stack – likely to a cloud-based system. The security of this new system is of the utmost importance.

The OCC, by nature of being a SIFMU and a clearinghouse, has different security concerns from the rest of the financial industry, though the pervasiveness of threats is universal. According to Verizon’s 2017 Data Breach Investigations Report, 24 percent of data breaches affected financial organizations – the highest percentage of any industry in the study.  


Enemies at the gates

The overall cybersecurity environment has shifted dramatically since the dotcom boom. For starters, the nature of the adversaries changed, with much more criminal activity at the root.

“The adversaries are learning it’s much easier to make money, say, robbing a bank through cyber means than to do it with a gun and a mask,” Morrison said. “There’s less chance of getting caught and depending on where you’re originating from, probably a small chance you’ll get extradited and sent to the United States to be prosecuted.”  

Complicating matters is the sophistication of certain nation states’ cyber attack capabilities. While sovereign elements were more of a focus during his tenure with the government, Morrison said the sophisticated nature of these actors means that if a group really wanted to get into the underbelly of the financial system, it probably could.

Plus, there is more out there to compromise – the world is mobile and things are “smart.” It is possible to hack cars, toasters and refrigerators now. (Morrison does not have Alexa in his home, nor does he do any mobile banking.) Basically, the concerns around access expanded.

“It used to be I’d have to gain physical access to a company’s work station,” Morrison said. “Now, I can do everything remotely… These are things we have to address that 10 to 15 years ago [were protected by] gates, guards and guns.”

Then consider that the early internet was not conceived with security in mind. ARPANET (and the TCP/IP protocol suite that would become the foundation of the internet as we know it) was secure simply because everybody on the network was known and there were a limited number of access locations. The current security of the web has been an exercise in retrofitting. (One benefit of moving to the cloud is that, as a newer phenomenon, its infrastructure was developed by the Googles and Amazons of the world with more built-in security, though it does add a whole other layer of third-party vendor risk.)

Of all the developments of the last decade, Morrison is most concerned by the rise of destructive malware, or ransomware (the WannaCry attack being an example). These tools can manipulate or encrypt data so it is not accessible to the user unless someone pays off those holding the information hostage.

“If a large amount of your transaction data were corrupted, it would make for a bad day,” Morrison said.

Despite the advances made by those with nefarious motives, exploiting people remains the most successful way to compromise systems, usually through phishing with email attachments and links. It’s also cheap.


Approaching the problem

While the general pillars of cybersecurity are the same across industries – confidentiality, integrity and availability of information, sometimes known as the “CIA triad” – Morrison said the OCC’s key is availability. The organization needs to be able to facilitate trading and support its customers, whereas the government’s focus is more on the confidentiality side.

Morrison said he was pleased with the initiatives the OCC had in place when he joined and that the first step at any organization is to identify the “crown jewels.”

“The first thing you want to do is know what you want to protect. It’s probably not within your cost model or a good concentration of resources to try to protect everything equally,” Morrison said. “We want to protect our clients’ position data on a much stronger profile than the menu in the cafeteria. So, that’s how you want to be able to layer the defense.”  

Morrison’s number one priority is ensuring the OCC is prepared for the attackers of the future. In order to be prepared, a company needs to ask if it has the agility within its procedures and protocols to deal with new threats, not just past and present security concerns.

“A truly secure environment is probably not a very good operational environment, so you do need to find that sweet spot between business operations and security,” Morrison said.

There is good news: no one is fighting the good fight alone. Unlike just about any other aspect of finance, there is, as Morrison said, “no competitive advantage to cyber.” There is widespread cooperation within the industry and Morrison said he is frequently in touch with other CSOs, comparing notes on threats and responses.

It’s a big lift and the industry realizes it. In October 2016, the Financial Services Information Sharing and Analysis Center (FS-ISAC) announced the formation of the Financial Systemic Analysis & Resilience Center (FSARC) with the goal of greater information sharing between financial services firms and various government agencies like the Federal Bureau of Investigation and Department of the Treasury. The FSARC was created after eight big bank CEOs met earlier in 2016 to talk about enhancing the resiliency of the financial system.

“Given the interconnectivities and dependencies we all have on each other in financial infrastructure, it is a ‘it takes a village’ type of thing,” Morrison said. “We’re all in this together, because any attack on one of us is going to impact virtually all of us – whether it’s a resiliency issue or reconciliation or market manipulation – we’re all going to be affected.”

