NEW YORK (The Street) --- If you bank with JPMorgan Chase (JPM), buy insurance from Anthem Blue Cross (ANTM) or filed a tax return, you may have already been affected by a cyber-attack. And there's more bad news: Regulators are concerned the worst is yet to come.
A "cyber 9/11," as New York Financial Services Superintendent Benjamin Lawsky called it, is a threat banks and financial institutions must take seriously, constantly upgrading security measures to prevent, detect and shut down hacker intrusions, the Securities and Exchange Commission and the Financial Stability Oversight Council said in recent reports.
"Recent cyber attacks have heightened concerns about the potential of an even more destructive incident that could significantly disrupt the workings of the financial system," the Financial Stability Oversight Council warned in its annual report in May. "Financial sector organizations should be prepared to mitigate the threat."
The threat, writ large, is a "disruptive series of attacks that would damage our financial and energy infrastructure," said Mary Jane Wilson-Bilik, a partner in the Washington, D.C., office of Sutherland Asbill & Brennan. "The constant data attacks undermine the reputation of key corporations, the enterprise's value and one's sense of security."
Among the most recent attacks was a breach of computer systems at the U.S. Office of Personnel Management, which may have compromised personal identity information for as many as 4 million current and former federal employees, the agency said. Its leaders are working with both the FBI and the U.S. Department of Homeland Security.
"The sophistication and intelligence of cyber attackers is not to be underestimated," said Wilson-Bilik, who cited FBI Director James Comey's description of "an evil layercake of bad actors, with terrorist groups and hostile nations on the top, followed by criminal gangs and individual bad guys at the bottom."
Both nation-state and independent actors have been implicated in recent cyber-attacks: Widely publicized data breaches at Sony (SNE) were followed in 2015 by attacks on healthcare companies Community Health Systems (CYH), Anthem (ANTM) and Premera Blue Cross.
A cyber-attack at JPMorgan last year exposed customer contact information including e-mails, names and addresses for about 76 million households and 7 million small businesses, the New York-based bank said in a regulatory filing in October. Information such as account numbers, passwords and dates of birth appeared not to have been compromised, JPMorgan said. A bank spokesperson declined to comment further.
The company said in its last annual report that it had encountered "cyber threats of an unprecedented scale" in 2014. "We continue to discover and block new and unique malware, viruses and phishing attempts to obtain access to our data," executives said in the report. "Importantly, cyber-attacks to date have not resulted in material harm to our clients or customers."
JPMorgan said it spent more than $250 million last year on securing digital information. The bank has set up three global security operations centers to monitor and detect threats and doubled the number of cybersecurity personnel over the past two years.
It also plans a rigorous and systematic evaluation of its entire infrastructure and will work closely with government agencies, as both the Financial Stability Oversight Council and the Securities and Exchange Commission recommended.
In an April report on cybersecurity, the SEC focused on funds and financial advisors, offering specific recommendations on how to reduce risk.
"Regulators are reacting to an exponential change in the frequency and severity of cyber attacks in the U.S. that threaten not only our personal data but also our critical infrastructure," Wilson-Bilik said. "As institutions become more data rich and data dependent, they become more attractive targets for hackers. The stakes are enormously high."
Wilson-Bilik summed up the steps recommended by the financial stability council and the SEC as follows:
- Adopt a coherent framework for managing cybersecurity compliance (such as the framework developed by the U.S. Department of Commerce's National Institute of Standards and Technology) and develop an integrated information security program.
- Perform a risk assessment of the organization's information assets that prioritizes and corrects risks to systems and data.
- Implement technical and physical controls to address cybersecurity risks (such as dual authentication and user access controls, encryption and system segregation).
- Establish an incident response plan, conduct a mock breach to test the effectiveness of the plan and correct any material deficiencies.
- Develop a risk-based approach to managing vendors, auditors and other third parties with access to systems, including ongoing due diligence and contract revisions.
- Conduct employee and vendor training on the enterprise's information security program.
"Companies and their boards of directors have improved their understanding of the risks of a cybersecurity attack and are beginning to address the issues," Wilson-Bilik said. Still, "much more needs to be done to bridge the gap between IT, legal and governance to reduce the real risk of a significant systemic outage."