Last Friday, President Barack Obama and the White House held a Summit on Cybersecurity and Consumer Protection with the nation's top tech companies and cybersecurity experts. CUNA Mutual Group's Jay Isaacson, Vice President, Business Protection, was in attendance. What follows is Jay's account of the event and his key take-aways, with a particular focus on the impacts to the credit union industry.
From the moment I walked on the Stanford campus there was a feeling of interest, enthusiasm, and excitement for a day focused on a critical issue that faces all businesses (large or small) domestically and globally.
John Hennessy, President of Stanford University, kicked off the day speaking about the importance of the cybersecurity issue and how thrilled he was to be host of this historic event.
Lisa Monaco (National Security Council) and Jeff Zients (National Economic Council) provided introductory remarks. Lisa made a point of comparison between cybersecurity and terrorism (which was echoed many times later in the day), and said that both of these risks require communication, threat intelligence, and collaboration across industry verticals, sectors, private and public channels, and international support. Jeff highlighted that cybersecurity is also an economic issue and by building better cybersecurity practices (hygiene), it better positions U.S. companies to compete on the global stage (over time this strong practice will engender trust).
Kenneth Chenault, CEO of American Express, spoke on the first panel about the core values of American Express, and the one core value that he kept coming back to as it related to this topic was ‘trust’ (a perspective that was shared by all of the CEOs on the panel). The value of trust is something that had strong resonance to me and it is a perspective that I think would be widely shared by credit union leaders.
Speaking specifically of financial institutions, he highlighted the importance of data sharing and noted that FIs have one of the most mature information sharing tools out there which has enhanced sharing and improved data security efforts (the tool highlighted was FS-ISAC). He noted that AMEX was hit over 100,000 times last year with some type of attack. He closed his comments asking what we as a country want our values to be with respect to the cybersecurity issue, which I thought was an interesting question and one that set the day up well.
The remaining panelists reiterated the key points of trust and the value of information sharing with their industry peers ("we are competitors, but on cyber/data security issues we stand together," was a common perspective reiterated). Mark McLaughlin, President and CEO of Palo Alto Networks, had a question from the moderator that asked him to assess the importance of information sharing for varying sized organizations. He noted it was important for all companies, but thought it was particularly important for smaller organizations since they simply don’t have the same level of people, IT tools, and financial resources that a larger firm can bring to this issue.
- Discussion of the NIST framework and how NIST creates a high level framework that helps define cybersecurity best practices--however NIST is a starting point and will need to evolve over time given the sophistication of cyber-attacks (I agree that NIST creates a high level framework and starts to build a common language around cyber risk management). The companies on this panel have adopted NIST and supported the framework. They see this as NIST 1.0 and that it will need to evolve to 2.0, 3.0, etc.
- Renee James, President of Intel, highlighted that her firm and the technology industry are building in greater levels of security capabilities on hardware, but the industry has work to do on this front.
- Ajay Banga, President and CEO of MasterCard, talked about the distaste that consumers have for remembering passwords and in some ways that may be an antiquated model. Innovation is coming along with EMV and more advanced security (he specifically highlighted a partnership between MasterCard and First Technology Federal Credit Union to make this point). First Technology is rolling out retinal scanning and biometrics to confirm identity and verify transactions.
Tim Cook, CEO of Apple, then took the stage. Overall, Mr. Cook's comments focused on Apple’s enduring commitment to protecting the privacy of their customers and while not directly saying so, it appeared his commentary was focused on concerns about the type of information the government is truly after. His was a short but impassioned speech and I think it captured a view that Mr. Cook shares with other tech focused companies out in Silicon Valley. He also briefly mentioned Apple Pay and the efforts they have made to make payments more secure and easier for consumers.
“If those of us in positions of responsibility fail to do everything in our power to protect the right of privacy, we risk something far more valuable than money--we risk our way of life. Fortunately, technology gives us the tools to avoid these risks, and it's my sincere hope that by using them and by working together, we will,” said Cook.
Key themes and take-aways:
- Cybersecurity threats are growing in number and complexity, which makes this risk a critical topic for any organization. It also validates the need for the summit and puts more importance on continued dialogue and action after the summit.
- Cybersecurity is a unifying mission for companies that doggedly compete against one another in our economy.
- Information sharing is a critically important component to an organization's defense against cyber-attacks. An information sharing network should be robust with connection points across the industry, and the public sector can play a role in terms of disseminating real time threats.
- Privacy continues to be of utmost importance and organizations have a duty to protect their customers' Personally Identifiable Information (PII). Some have argued that information sharing could be in conflict with this. Generally, my view is that a great deal of information that can help credit unions can be shared without releasing any PII. Emphasis of sharing should focus on types of attacks and vectors utilized.
- We are at a time period of rapid innovation for technology (particularly payment technology), which is exciting but also emphasizes the importance of finding talented employees to bring this innovation to life.
- We are still very early in the Internet age and we are still shaping what it will become. There is a clear opportunity to make the Internet better.
How this impacts credit unions:
- NIST framework is gaining traction with government and regulators and is something that credit unions should begin to familiarize themselves with to assess their cyber risk management and preparedness.
- Information sharing is a key piece to the NIST framework and was a big focus of this session. Credit unions should look for opportunities to do this while protecting member PII.
- Payment innovation is forthcoming and it is important for credit unions to understand and assess these new options becoming available (EMV, tokenization, biometrics) to remain relevant with their members (particularly younger members).
It was an honor for me to be a part of this event and share my experience with you here. My team and I will continue to stay connected to what’s happening in the cyber landscape and share our learnings with credit unions.