By Robin Sidel
Big banks are revving up efforts to combat cybercriminals
targeting the financial-services industry.
Eight of the largest U.S. banks are forming a group that seeks
to tackle the growing cyberthreat. It includes J.P. Morgan Chase
& Co., Bank of America Corp. and Goldman Sachs Group Inc.,
among others.
While still in its early stages, the big banks expect the group
members will share more information with each other about threats,
prepare comprehensive responses for when attacks occur and conduct
war games designed for the issues facing the biggest
institutions.
The big banks are currently part of a wider group of banks that
looks to share information about cyberrisks. But with 7,000
members, the biggest banks felt they needed an outlet that
reflected the fact they are more likely to be targets of hackers
than their smaller brethren and have more complex systems,
according to people familiar with the matter.
The financial-services industry ranked third in number of
cyberattacks last year, after health care and manufacturing,
according to a U.S. cybersecurity report released by IBM Corp. in
May. Two years ago, J.P. Morgan, the largest U.S. bank by assets,
was targeted by cybercriminals in a breach that exposed names,
addresses and other information of 76 million customer households,
although no money was taken.
Banks have intensified efforts to protect themselves this year
despite the adoption in December of the Cybersecurity Information
Sharing Act, a federal law that aims to make it easier for private
companies to share cyberthreat information with the government.
Financial institutions have expressed concern about the federal
initiative, however, saying it adds another layer of bureaucracy as
they already are investing billions of dollars to fight off
cybercriminals and sharing information among themselves.
In recent months, banks have griped that they are providing more
information to the government than they are receiving from federal
agencies.
"We are working very rapidly to declassify everything we can to
push it out as quickly as we can to all of our partners," said
Phyllis Schneck, deputy undersecretary for cybersecurity at the
Department of Homeland Security.
The new bank group, which is in the early stages of development,
will build on the efforts of an existing industry organization that
already addresses the same issues for the broader
financial-services industry.
"They are trying to provide a support mechanism for deeper
information-sharing and collaboration on top of whatever is already
going on today," said John Carlson, vice chairman of the financial
sector coordinating counsel at Financial Services Information
Sharing and Analysis Center. The new group will operate under the
umbrella of that organization.
Mr. Carlson declined to identify members of the new group, but
people familiar with it said it also includes Bank of New York
Mellon Corp., Citigroup Inc., Morgan Stanley, State Street Corp.
and Wells Fargo & Co.
Banks have long been targets of hackers, and also have racked up
hundreds of millions of dollars in costs to cover purchases made on
counterfeit credit cards resulting from data breaches at
retailers.
In response, banks are continually beefing up their defenses.
J.P. Morgan, for example, is expecting to spend $600 million on
cybersecurity efforts this year.
Top banking executives say cyberattacks often occur on a daily
basis.
While banks have asked for greater information-sharing with the
government to assist their efforts, firms still have a number of
concerns. Despite the new law, banks fear legal issues that could
emerge if they share threat information with the government.
Although the law provides liability protection to companies for
sharing certain kinds of information, the banks are worried that
such disclosures could open them up to shareholder lawsuits.
Other bank executives have questioned whether information that
they are providing to the government is stored securely.
"There are still a lot of questions about the new law," said
Nubiaa Shabaka, executive director in the legal and compliance
division of Morgan Stanley at a legal financial-services conference
in June.
Bank executives said the technical capabilities of the
government's cyber-sharing effort has improved in recent months.
For example, a new automated system can warn banks more quickly
about potential threats without requiring users to log into a
specific portal and open documents.
"It is incumbent on the government to demonstrate that what it
has set up is not only efficient operationally and reliable from a
liability standpoint, but also that it is valuable," said Alan
Raul, leader of the data security practice at law firm Sidley
Austin LLP.
The government has provided additional guidance about the new
law since it was enacted in December. The updated guidance has
stressed that companies aren't required to share information about
cybersecurity threats with the government and provided more
technical details about how the companies can share such
information.
"The sharing is only really just beginning," Ms. Schneck
said.
(END) Dow Jones Newswires
August 09, 2016 12:20 ET (16:20 GMT)
Copyright (c) 2016 Dow Jones & Company, Inc.
Bank of America (NYSE:BAC)
Historical Stock Chart
From Apr 2024 to May 2024
Bank of America (NYSE:BAC)
Historical Stock Chart
From May 2023 to May 2024