Cyber-attacks on financial institutions are becoming more frequent, complex and sophisticated, with the potential for far-reaching, systemic impacts, according to a white paper published by DTCC and Oliver Wyman.
In fact, financial services firms are targeted by cyber-attacks 300 times more frequently than businesses in other industries. To put that into numbers: The typical U.S. business is attacked 4 million times per year; the typical U.S. financial services firm is attacked 1 billion times per year. And all those attacks tally up a big cost to financial services firms, averaging $18 million per firm, per year.*
In keeping with its goal of reducing risk, as well as providing reliability to the global financial system, DTCC launched its Client Cybersecurity Program (CCSP). The program defines a cybersecurity baseline that members must meet to demonstrate that they have proper safeguards against cyber risks.
As part of the launch, DTCC introduced a Client Cybersecurity Program website, which provides more in-depth information about this initiative.
We sat down with Helene Kramer, DTCC Executive Director, Technology Risk Management, to learn more about the CCSP.
DC: How does the CCSP work?
The CCSP is one of DTCC’s newest initiatives on cybersecurity and is managed by the Technology Risk Management (TRM) Department. The Program is an enhanced endpoint security framework to ensure that all our members, using the Securely Managed and Reliable Technology (SMART) network or other connectivity, are adequately protected against cyberattacks.
The CCSP establishes cyber due-diligence expectations around member access to DTCC via a Cybersecurity Confirmation. It is focused on ascertaining that each member firm or prospective new client has defined and regularly maintains a comprehensive cybersecurity program and framework that considers potential cyber threats that impact the organization and protects the confidentiality, integrity, and availability requirements of the member firm’s systems and information.
While it is an individual responsibility of our members to protect their own environment, the CCSP establishes a collaborative effort between DTCC and members to strengthen cyber defense.
DC: What are the benefits to our clients and the industry as a whole?
As we know, the financial industry is interconnected now more than ever, and it is critical for the industry to continuously innovate its practices to manage cyber risks in the ever-changing threat landscape. The CCSP establishes a collaborative effort between DTCC and our clients, helping to make sure clients are following best practices to mitigate cyber-attacks. An attack on one or more institutions or critical infrastructures could have a contagion effect across the financial system, especially as interconnectedness continues to grow. Raising the cyber resilience of individual firms makes the entire financial services ecosystem safer and more secure.
DC: How are we working with clients and other key stakeholders on this initiative?
DTCC will be issuing an Important Notice with the new rule filing to all members of our SIFMU subsidiaries - DTC, FICC and NSCC. Our Relationship Management team will work closely with each member to identify senior executives from each firm who are accountable for overseeing their organization’s cybersecurity program. The clients will be responsible for confirming their cybersecurity program to DTCC by attesting to the Client Cybersecurity Confirmation Form.
DC: What are the benefits to DTCC?
DTCC stands at the center of the global securities trading activity and the vision of this program will also benefit DTCC as it confirms its members’ programs and best practices in managing cyber risks. Considering some of the most sophisticated attacks that we have witnessed in the recent past targeting various financial institutions, we are reminded how important it is to implement programs aimed at detecting and mitigating risks, especially in the area of cybersecurity.
Essentially, the CCSP is another step for us to continuously improve DTCC’s cybersecurity resiliency. Strengthening DTCC’s endpoint security framework to combat cyberattacks is, of course, one of the benefits we can achieve from the program.
It is also worth mentioning that the CCSP gives us a better understanding of the heightened cybersecurity risk that may be posed by our members. The Cybersecurity Confirmation would reduce cybersecurity risks to DTCC by requiring all its members and applicants to confirm that they have defined and maintain a cybersecurity program that meets the standard industry best practices and guidelines.
* “Laughing All The Way To The Bank: Cybercriminals Targeting U.S. Financial Institutions”, Forbes, August 28, 2018.