Joanna Fields - CEO and Founding Principal, Aplomb Strategies Inc.
Zenedge speaks with a financial market cyber security and compliance expert about her outlook under the Trump administration in this first of a multi-part series on cyber-security issues for key industry verticals.
ZENEDGE Chief Marketing Officer Karen Bertoli interviews Joanna Fields, Chief Executive of Aplomb Strategies.
Ranking among his highest stated priorities, President-Elect Donald J. Trump’s vision for our national cyber security is, to be fair, still emerging, and details of its shape and implementation depend upon his cabinet selections, which also are currently being determined.
How he will balance his desire to dismantle regulations, which he believes are hampering innovation and economic growth, with what he perceives as a mandate to increase cyber security, will be fascinating, especially in light of recent successful attacks on San Francisco’s public transit authority, the Democratic National Committee, and formal accusations by the United States that Russia attempted to interfere with the U.S. election process.
We should expect, according to Mr. Trump’s website, “an immediate review of all U.S. cyber defenses and vulnerabilities, including critical infrastructure, by a Cyber Review Team of individuals from the military, law enforcement, and the private sector.” The Cyber Review Team -- which he has not yet publicly named -- will be tasked with providing “specific recommendations for safeguarding different entities with the best defense technologies tailored to the likely threats, and will be followed up regularly at various Federal agencies and departments.”
Trump’s Justice Department, in addition to establishing protocols and training for government employees and staying current on the methods of cyber attack, will create joint task forces to coordinate federal, state and local law enforcement responses to cyber threats. The Secretary of Defense and Chairman of the Joint Chiefs of Staff also will provide recommendations to enhance U.S. Cyber Command, to develop both the offensive and defensive cyber capabilities he believes the nation needs to deter attacks. Publicly acknowledging the development of this offensive capability is a particularly tantalizing event that we will be watching closely.
In this first of a multi-part series on cybersecurity issues and initiatives that could impact key industry verticals, Zenedge spoke with financial market compliance and security expert Joanna Fields, Founder and Chief Executive of Aplomb Strategies Inc., a market structure consulting firm, about her hopes and expectations for cyber security policies under the Trump administration.
In a best-case scenario, Fields says, the Trump administration could focus on removing some of the bureaucracy under which the financial services industry operates. One of the best possible outcomes would be a single entity managing the requirements, which would free up resources to respond more aggressively to cyber crimes.
In addition to the federal agencies, including the U.S. Securities and Exchange Commission (SEC), Financial Industry Regulatory Authority (FINRA), Commodity Futures Trading Commission (CFTC), Office of the Comptroller of the Currency (OCC) and Federal Trade Commission (FTC), 47 states each have different cyber reporting requirements. (FinCEN just put out new cybersecurity requirements as well.)
“This seems ripe for change,” Fields says. “He made a recent announcement that he intends to cut so much waste around government jobs it will make everyone’s head spin, so if he can reduce any regulatory inconsistency, redundant rule making efforts and increase effective communication across governmental agencies, it could be interesting.”
A good first step, Fields says, would be to define a cyber governance structure with an emphasis on best practices.
“Most cybersecurity events are not obvious,” Fields says. “There could be a break-in, some malware introduced into a complex firm’s ecosystem, but it could then remain dormant for months, and then one day there’s noticeable activity. There generally is not a cinematic moment, where an alarm bell goes off, while at the same time the Chief Information Security Officer (CISO) receives an email stating the system has been breached. More often than not, a cybersecurity breach is identified through a number of anomalies and pattern-of-practice behaviors. While at the same time, some of the recent regulatory requirements have proposed to include a requirement to report a breach within 72 hours.” Fields’ concern is that some firms could be more focused on responding to regulatory reporting requirements than on stemming the problem for consumers.
“Think of the number of resources,” she adds. “You have all these things you have to do. You know what the most important thing is? Respond immediately: stem the tide and do what’s best for customers.”
Fields also discounts the value of prescriptive measures, which frequently prove onerous, adding that while regulators may have valuable general knowledge on cybersecurity topics, only the CISO would have deep enough knowledge of the company’s particular technology and vulnerabilities to be effective.
“CISOs should look to the regulators for guidance, best practices, and industry standards, and develop clear channels to communicate an issue to regulators and law enforcement officials. But writing policies for procedures, penetration test requirements? That’s a very dangerous place to be. Some of the regulators might know a lot about these things, but most won’t know about individual industry cybersecurity requirements.”
Fields’ advice would be to consolidate cybersecurity regulations at the federal level and appoint a technologist for each of the different disciplines in the financial services industry, including networking, order routing, mobility, and Internet of Things. And then do the same, not just for the financial services industry, but for other important vertical markets, such as healthcare.
“Most public companies have a lot of accountants and lawyers at the board level, but very few have mandated that an outside independent person with a technology background sits on the board,” Fields says. “Where are the technicians and the people who actually understand what’s happening -- and not just from the server perspective? If you are a public company and have customer information, making sure that you have the right technology person sitting on your board would be a step in the right direction.”