Finance Group Seeks More Timely Info

Exchange Hack Discovered in October Kept Secret for 102 Days
The financial services industry and government haven't adequately addressed the need to share information in a timely manner to prevent cyberattacks on financial institutions, the chair of an industry group told Congress on Friday.

"Although we have made good progress in creating information sharing entities, to share information securely and efficiently, we have not adequately tackled the critically important issues associated with the timeliness and completeness of information," Jane Carlin, chairwoman of the Financial Services Sector Coordinating Council, testified before the House Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies.

Carlin cited a cyberattack on a major exchange, discovered by the exchange last October, which she contended involved too much secrecy. Though the exchange alerted its primary regulator and law enforcement, information about the attack and its impact on other financial institutions was not disclosed to others in the financial industry for 102 days, a time when financial institutions close their books for the year and prepare annual reports. "This could have had an enormous impact on employees, stockholders, large and small, and the market as a whole," Carlin said. "The lack of meaningful information for more than three months left the entire sector unnecessarily vulnerable."

In response to the exchange attack, the council and Department of Homeland Security have agreed to collaborate on developing guidelines for when information should be shared, especially information that is technical and contextual. "A more transparent decision-making process would accelerate the dissemination of information without interfering or undermining criminal and national security investigations," Carlin said.

She said industry and the government must focus on clarifying and compartmentalizing information so that "actionable intelligence" can be disseminated to organizations that will use it to protect critical infrastructure. What's actionable intelligence? Carlin said it's redacted technical information and contextual information that doesn't reveal sources and uses or tip off criminals or adversaries.

"There is a strong need to establish appropriate and well-understood protocols to share information so that we collectively understand the problems and risks that we face in order to arrive at the right response or solution," Carlin said in her remarks to the panel. "The fundamental issue of striking a balance between confidentiality for criminal investigations and timely information sharing remains a work in progress."

About the Author

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.
