Dodd-Frank Stress Tests Are Fine, but We Need a Cybersecurity Stress Test, Too

Last week, news emerged that China had hacked the FDIC on several occasions during the past few years. This revelation renews concerns about the security of America’s financial institutions and comes on the heels of the third bank hacking through the Swift global payments network in the past year alone. What’s truly scary is that there may be further breaches of which we are simply unaware.

It’s possible to think of even more terrifying possibilities. What if hackers infiltrated the information systems of the San Francisco Federal Reserve Bank or the Federal Reserve Board of Governors rather than those of the FDIC or banks in remote locales such as Bangladesh, Ecuador or Vietnam? What if Edward Snowden had breached the Federal Reserve instead of the National Security Agency? Proprietary information belonging to the nation’s largest banks, such as drafts of living wills, information regarding the Federal Open Market Committee’s monetary policy strategy and the delicate global system of funds flow, could be instantly compromised. Simply put, the effects of a cybersecurity breach at the Federal Reserve would be widespread and calamitous, with global consequences rivaling those of the 2008 financial crisis.

In February of this year, President Obama unveiled an ambitious, detailed plan to address cybersecurity risks in the United States. The plan promises abundant resources but not proactive accountability. While he acknowledged that government agencies and private sector financial institutions would be a top priority, his plan failed to provide concrete specifics other than earmarking funds to overhaul computer systems at government agencies. In the rapidly evolving world of cyber terrorism, upgrading computer systems is necessary but not sufficient. Rather, all government agencies and private sector financial institutions should be subject to annual and rigorous cybersecurity stress tests carried out jointly by the Federal Chief Information Security Officer and members of the Commission on Enhancing National Cybersecurity. The stress tests would measure not only an individual entity’s ability to withstand a myriad of attempted breaches, but also its ability to communicate with other financial institutions about cybersecurity risks.

Publicly held companies, not just government agencies and private financial institutions, should also be held accountable through cybersecurity stress tests. For years, countries such as China, Russia and North Korea have been committing corporate piracy and espionage against U.S. companies, resulting in the theft of valuable commercial research and development secrets and sensitive customer information such as social security numbers. However, surveys of business leaders show that most American companies do not have adequate cybersecurity safeguards. For example, a recent survey of 100 security executives revealed that 63 percent of their companies had suffered one or two cybersecurity breaches in the past year. More worrisome is that 13 percent did not know how many cybersecurity breaches may have occurred.

The Securities and Exchange Commission has pressed directors of companies to place cybersecurity at the top of their board agendas. The SEC has also recently focused on cybersecurity disclosure in securities filings, but this strategy is misguided, serving only to reveal information to potential attackers. Rather, chief information officers, chief technology officers, senior IT directors and similar individuals at SEC reporting companies should be required to certify in quarterly and annual financial reports that adequate cybersecurity safeguards are in place. As with the CEO and CFO certifications mandated by Sarbanes-Oxley, it would be a federal offense if the certification turned out to be false and the company in question was ill-prepared for a cybersecurity attack. This rule would motivate corporate leaders to make cybersecurity a priority. Such a certification would not only help protect companies and customers, but also shield shareholders from financial losses stemming from cybersecurity attacks.

China’s brazen infiltration of the FDIC is a reminder that cyber terrorism is an urgent and significant danger that requires more than just spending additional money and creating new organizations. What’s needed is sustained, proactive accountability from all key stakeholders.

This post comes to us from Keerthika M. Subramanian, a corporate attorney in Northern California. The views expressed herein are solely her own.