Financial Sector Must Step Up Cybersecurity, Treasury's Lew Says

By Yin Wilczek      

July 16 --In a call for the U.S. financial sector to be more transparent in reporting data breaches, Treasury Secretary Jacob J. Lew July 16 called on hedge funds, asset managers, exchanges, banks and financial market utilities to do more to prop up their cybersecurity defenses.

“In particular, it is imperative” that financial sector firms collaborate with the government and with other firms to combat cybersecurity threats, Lew said at the Delivering Alpha conference in New York. The conference is held by CNBC and Institutional Investor.

Firms also must disclose cybersecurity breaches where necessary, he added. “There cannot be a code of either silence or secrecy about the steps necessary to protect our basic security.”

Lew added that “disclosing security breaches is often perceived as something that could harm a firm's reputation.” He added, “This has made many businesses reluctant to reveal information about cyber incidents. But this reluctance has to be put aside.”

Lew said Deputy Treasury Secretary Sarah Bloom Raskin will work with federal and state financial regulatory agencies to reduce cyber risks to the financial system. In addition, Raskin “will be looking beyond traditional financial services to explore the regulatory, security, and consumer protection aspects of financial technology,” he said.

Priority in Wake of Retail Breaches

Cybersecurity has become a top regulatory concern in the wake of several high profile breaches, including those involving payment card hacking events at Target Corp. and Neiman Marcus Group Ltd. .

In April, the Securities and Exchange Commission Office of Compliance Inspections and Examinations announced that it will examine more than 50 registered broker-dealers and investment advisers on cybersecurity preparedness (13 PVLR 673, 4/21/14). The Financial Industry Regulatory Authority launched a similar effort in February (13 PVLR 291, 2/17/14).


Views on SEC Cybersecurity Examinations--Yonina Z. Siegal, General Counsel, Cordium US

Meanwhile, participants at a March SEC cybersecurity roundtable said that account takeovers are a top risk for both investment advisers and broker-dealers (13 PVLR 550, 3/31/14). Other participants identified “stealth” attacks--where firms aren't aware their data has been stolen--as an emerging threat.

Data Sharing With Government Needed

In his remarks, Lew urged financial services firms to share more information about their cybersecurity incidents directly with the government and through the Financial Services Information Sharing and Analysis Center, which describes itself on its website as the “only industry forum for collaboration on critical security threats facing the global financial services sector.”

Lew also called on the firms to use the cybersecurity framework, which was issued Feb. 12 by the National Institute of Standards and Technology, for their systems and to evaluate vendors (13 PVLR 281, 2/17/14).

“Outside vendors, including the businesses that provide the hardware and software for your technology systems and the service providers that handle your payment processing and other back-office functions, should also use this framework,” Lew said.

“Just as you consider your counterparties when you take on financial risk, you should also consider your counterparties in the area of cyber risk,” he said.

Firms must disclose cybersecurity breaches where necessary. “There cannot be a code of either silence or secrecy about the steps necessary to protect our basic security.”

Treasury Secretary Jacob J. Lew

Call for Congressional Action

The Treasury secretary further stressed that Congress must pass legislation to encourage information sharing between the government and the private sector and to provide liability protection.

There is a need for legislation “with clear rules to encourage collaboration and provide important liability protection,” Lew said.

“It must be safe for companies to collaborate responsibly, without providing immunity for reckless, negligent or harmful behavior,” he said. “And we need legislation that protects individual privacy and civil liberties, which are so essential to making the United States a free and open society.”

Lew said he discussed cybersecurity during meetings with Chinese officials in Beijing the week of July 7 and told them that “government-sponsored, cyber-enabled theft of intellectual property for commercial gain is illegal and unacceptable.”

In May, the U.S. charged five Chinese military officials with economic espionage linked to computer hacking (13 PVLR 905, 5/26/14).

Securities Association Meeting

Also July 16, Lew met in New York with members of the Securities Industry and Financial Markets Association and other financial services representatives to discuss cybersecurity issues.

A SIFMA spokeswoman confirmed to Bloomberg BNA July 16 that its members met with Lew and Raskin to discuss the Treasury and industry's cybersecurity efforts following his remarks at the Discovering Alpha conference. She declined to provide further details.

In a July 16 statement, SIFMA President and Chief Executive Officer Kenneth Bentsen Jr. said that cybersecurity is a “top priority” for the securities industry, which he said is doing everything it can to prepare and defend against cybersecurity breaches.

“SIFMA believes a robust public-private partnership is the most effective way to combat cyber threats.”

Kenneth Bentsen Jr., President and CEO,
Securities Industry and Financial Markets Association

“SIFMA believes a robust public-private partnership is the most effective way to combat cyber threats,” Bentsen said. “Cybersecurity legislation is essential to ensure we are as effective as possible.”


With assistance from Ian Katz in Washington

To contact the reporter on this story: Yin Wilczek in Washington at

To contact the editor responsible for this story: Phyllis Diamond at

Lew's prepared remarks are available at

Lew's call to action for the financial sector is available at