Friday, February 20, 2015

Summit on Cybersecurity and Consumer Protection: Reflections and Key Take-Aways

Last Friday, President Barack Obama and the White House held a Summit on Cybersecurity and Consumer Protection with the nation's top tech companies and cybersecurity experts. CUNA Mutual Group's Jay Isaacson, Vice President, Business Protection, was in attendance. What follows is Jay's account of the event and his key take-aways with a particular focus on the impacts to the credit union industry.

From the moment I walked on the Stanford campus there was a feeling of interest, enthusiasm, and excitement for a day focused on a critical issue that faces all businesses (large or small) domestically and globally.

A line of attendees were already gathered at the entrance by the 6:45 a.m. opening which gave me the impression the people here today understand that cyber threats are a vexing issue that no one is immune to and see the immense value in learning more about how this risk can be better managed. Mix in a dose of healthy skepticism about the government's true intentions behind wanting more data and information, and I think this captures the environment.

Over half the attendees were Stanford students and the remainder was a mix of public sector, university faculty (Stanford and other schools), and private sector (no shortage of journalists). I was told there were 1,500 invitees.

John Hennessy, President of Stanford University, kicked off the day speaking about the importance of the cybersecurity issue and how thrilled he was to be host of this historic event.

Lisa Monaco (National Security Council) and Jeff Zients (National Economic Council) provided introductory remarks. Lisa made a point of comparison between cybersecurity and terrorism (which was echoed many times later in the day), and said that both of these risks require communication, threat intelligence, and collaboration across industry verticals, sectors, private and public channels, and international support. Jeff highlighted that cybersecurity is also an economic issue and by building better cybersecurity practices (hygiene), it better positions U.S. companies to compete on the global stage (over time this strong practice will engender trust).

Kenneth Chenault, CEO of American Express, spoke on the first panel about the core values of American Express and the one core value that he kept coming back to as it related to this topic was ‘trust’ (a perspective that was shared by all of the CEOs on the panel). The value of trust is something that had strong resonance to me and it is a perspective that I think would be widely shared by credit union leaders.

The first panel was moderated by Secretary Jeh Johnson, US Department of Homeland Security. Panelists included: Kenneth Chenault, Chairman and CEO, American Express; Anthony Earley, Jr., Chairman and CEO of Pacific Gas & Electric; Mark McLaughlin, President and CEO of Palo Alto Networks; Bernard Tyson, President and CEO of Kaiser Permanente; and Elizabeth Sherwood-Randall, Deputy Secretary, US Department of Energy.

Chenault also noted that customers hate passwords (a sentiment that was also rehashed throughout the day), and he made a very interesting point in that current regulation only allows AMEX to send text messages to 10% of their current cardholder base (consumers must opt in to this feature). Of the customer group to whom they have sent text messages in order to confirm the legitimacy of their transactions, 36% of cardholders responded back in less than 60 seconds--an impressive response rate to an enhanced security feature! He used this point as an opportunity to highlight a need to reevaluate existing regulations for data security purposes.

Speaking specifically of financial institutions, he highlighted the importance of data sharing and noted that FIs have one of the most mature information sharing tools out there which has enhanced sharing and improved data security efforts (the tool highlighted was FS-ISAC). He noted that AMEX was hit over 100,000 times last year with some type of attack. He closed his comments asking what we as a country want our values to be with respect to the cybersecurity issue, which I thought was an interesting question and one that set the day up well.

The remaining panelists reiterated the key points of trust and the value of information sharing with their industry peers ("we are competitors, but on cyber/data security issues we stand together," was a common perspective reiterated). Mark McLaughlin, President and CEO of Palo Alto Networks, had a question from the moderator that asked him to assess the importance of information sharing for varying sized organizations. He noted it was important for all companies, but thought it was particularly important for smaller organizations since they simply don’t have the same level of people, IT tools, and financial resources that a larger firm can bring to this issue.

The second panel was moderated by Secretary Penny Pritzker, US Department of Commerce. Panelists included: Ajay Banga, President and CEO of MasterCard; Peter Hancock, President and CEO of AIG; Renee James, President of Intel; Brian Moynihan, Chairman and CEO of Bank of America; and Nuala O’Connor, President and CEO, Center for Democracy & Technology.

The second panel was conducted completely via Q&A from the moderator and highlights included:
  • Discussion of the NIST framework and how NIST creates a high level framework that helps define cybersecurity best practices--however NIST is a starting point and will need to evolve over time given the sophistication of cyber-attacks (I agree that NIST creates a high level framework and starts to build a common language around cyber risk management). The companies on this panel have adopted NIST and supported the framework. They see this as NIST 1.0 and that it will need to evolve to 2.0, 3.0, etc.
  • Renee James, President of Intel, highlighted that her firm and the technology industry are building in greater levels of security capabilities on hardware, but the industry has work to do on this front.
  • Ajay Banga, President and CEO of MasterCard, talked about the distaste that consumers have for remembering passwords and in some ways that may be an antiquated model. Innovation is coming along with EMV and more advanced security (he specifically highlighted a partnership between MasterCard and First Technology Federal Credit Union to make this point). First Technology is rolling out retinal scanning and biometrics to confirm identity and verify transactions.

Tim Cook, CEO of Apple, then took the stage. Overall, Mr. Cook's comments focused on Apple’s enduring commitment to protecting the privacy of their customers and while not directly saying so, it appeared his commentary was focused on concerns about the type of information the government is truly after. His was a short but impassioned speech and I think it captured a view that Mr. Cook shares with other tech focused companies out in Silicon Valley. He also briefly mentioned Apple Pay and the efforts they have made to make payments more secure and easier for consumers.

“If those of us in positions of responsibility fail to do everything in our power to protect the right of privacy, we risk something far more valuable than money--we risk our way of life. Fortunately, technology gives us the tools to avoid these risks, and it's my sincere hope that by using them and by working together, we will,” said Cook.

President Obama’s remarks closed out the session. Ultimately, he again made the point that the government can play a valuable role in the “wild west” of cyber space and that is a role connecting government threat intelligence with private sector threat data to help everyone improve their understanding of real time cyber risks. It was clear from Cook's commentary that some skepticism remains in private industry.

Key themes and take-aways: 

  • Cybersecurity threats are growing in number and complexity, which makes this risk a critical topic for any organization. It also validates the need for the summit and puts more importance on continued dialogue and action after the summit.
  • Cybersecurity is a unifying mission for companies that doggedly compete against one another in our economy.
  • Information sharing is a critically important component to an organization's defense against cyber-attacks. An information sharing network should be robust with connection points across the industry, and the public sector can play a role in terms of disseminating real time threats.
  • Privacy continues to be of utmost importance and organizations have a duty to protect their customers' Personally Identifiable Information (PII). Some have argued that information sharing could be in conflict with this. Generally, my view is that a great deal of information that can help credit unions can be shared without releasing any PII. Emphasis of sharing should focus on types of attacks and vectors utilized.
  • We are at a time period of rapid innovation for technology (particularly payment technology), which is exciting but also emphasizes the importance of finding talented employees to bring this innovation to life.
  • We are still very early in the Internet age and we are still shaping what it will become. There is a clear opportunity to make the Internet better.

How this impacts credit unions:

  • NIST framework is gaining traction with government and regulators and is something that credit unions should begin to familiarize themselves with to assess their cyber risk management and preparedness.
  • Information sharing is a key piece to the NIST framework and was a big focus of this session. Credit unions should look for opportunities to do this while protecting member PII.
  • Payment innovation is forthcoming and it is important for credit unions to understand and assess these new options becoming available (EMV, tokenization, biometrics) to remain relevant with their members (particularly younger members).

It was an honor for me to be a part of this event and share my experience with you here. My team and I will continue to stay connected to what’s happening in the cyber landscape and share our learnings with credit unions.