Today, U.S. Deputy Secretary of Commerce Bruce Andrews spoke about the importance of understanding cybersecurity risk for financial institutions at the Mid-Atlantic Executive Cybersecurity Conference. Addressing a crowd of 150 regional banking leaders, Deputy Secretary Andrews highlighted the work the Department of Commerce is doing to help American companies mitigate cybersecurity risk. He also stressed how critical it is for senior leadership to invest in cybersecurity solutions.

Remarks as Prepared for Delivery

Thank you, Daniel. It’s great to see all of you here this morning. I want to personally welcome you to the National Institute of Standards and Technology. NIST is truly one of the crown jewels of the Department of Commerce. Thanks to the extraordinary men and women who work here and conduct research in its labs, NIST is setting the standard for excellence in our department. Every day, NIST keeps our businesses and our nation on the cutting edge of technology, science, and innovation. And in today’s constantly changing world, staying on the cutting edge means confronting cybersecurity challenges.

Everyone here knows that globalization and advances in technology have driven unprecedented increases in innovation, competitiveness, and economic growth. The digital world is embedded in our businesses, in our financial institutions, and in our daily lives. The number of devices connected to the Internet is expected to triple between now and 2020, to over 50 billion devices. The benefits to society and our economy are potentially enormous – but this also means that the number of targets for hackers is only getting larger.

The national and economic security of our nation depends on the reliable functioning of critical infrastructure like our financial networks. Cybersecurity threats exploit the increased complexity and connectivity of these systems, placing our country’s security, economy, public safety, and health at risk. Like the rest of the world, our economy is in the middle of a digital revolution – and, as a result, the financial services sector is increasingly more vulnerable to cyber-attacks. Because of this growing risk, banks of all sizes – from the largest institutions with assets greater than one trillion dollars to the smallest community banks – are making trusted and secure digital connections a top priority.

The reasons why are clear: Failure to do so can result in both financial liability and loss of reputation, even if your organization was not the direct target of an attack.   But more importantly, protecting customer information is good business. It’s critical that your customers feel safe banking with you. And if we are to realize the vast potential of the digital economy, people need to feel more secure than they do today when they go online.

Trust underpins everything we do on the Internet. Trust is the core currency of the information age.  It’s essential to securing the continued confidence of customers, the continued expansion of businesses, and the continued growth of the digital economy. That is why it is absolutely critical that we work together – across the public and private sectors – to develop technological and policy solutions that address growing cyber risks and increase trust.

The privacy and security of Internet users – your customers – is a top priority for the Obama Administration. Here at the Department of Commerce, we are working on multiple levels to ensure that businesses have the tools they need to confront cyber risks and that the Internet continues to grow as a platform for innovation and prosperity. For example, President Obama asked us to convene stakeholders from across industry and the expert community to develop a voluntary Cybersecurity Framework. NIST reached out to key stakeholders, including the Financial Services Sector Coordinating Council and the technology policy division of the Financial Services Roundtable.

I know that the Sector Coordinating Council and Financial Services Information Sharing and Analysis Center worked diligently to ensure that smaller organizations were represented in their responses to NIST. Overall, more than 3,000 people from across industry, academia, and government contributed to this effort. They suggested specific issues to address and provided detailed comments on each draft. The final framework provides a common language for any organization to understand, manage, and express cybersecurity risk, both internally and externally. It serves as a bridge between business leaders at all levels, starting with the boardroom and the C-Suite.

Although the framework was originally intended for critical infrastructure, it is now being used by a broad range of sectors and by organizations of all sizes. Today, I am proud to report that the Cybersecurity Framework has been a resounding success – and that it includes several recommendations that came directly from the financial services sector. For example, the Sector Coordinating Council recommended that we use a risk-based methodology for integrating privacy that consistent with other regulatory practices adopted by your sector.

The tenets laid out in the Cybersecurity Framework are just as important to businesses as investments in physical security like fences, locks, and vaults. The good news is that the senior leadership and boards of many companies are prioritizing and devoting more resources to cyber security. In fact, a recent PricewaterhouseCoopers survey found that the financial services sector has increased information security budgets by 14 percent. To be effective, organization-wide risk management programs – cybersecurity and otherwise – require the strong commitment, direct involvement, and ongoing support of senior leadership.

I cannot overstate how important it is that you institutionalize risk management in your day-to-day operations. I know that this may be a bigger challenge for smaller banks, given limited resources and the specialized skills needed to shore up cybersecurity capabilities. Smaller bankers also face lower reimbursement rates for breaches than those of larger institutions. But at NIST, we want to help. We created an information security outreach program specifically designed to help small- and medium-sized enterprises better protect the data of their customers, employees, and business partners. This program can provide your institutions with information about practical and cost-effective security steps you can take to secure your information, systems, and networks. By making the SME community better aware of threats and vulnerabilities, we are enabling smaller banks to make sound, risk-based decisions regarding their cybersecurity investments.

One of the other ways we are helping banks of all sizes is through our National Cybersecurity Center of Excellence. Established by NIST, this public-private partnership brings together experts from across industry, government and academia to design, implement, test, and demonstrate integrated cybersecurity solutions and promote their widespread adoption. Simply put, this Center is making it easier and faster for businesses to adopt standards-based advanced technologies to better protect themselves from cyber threats. For example, the Center just released a draft of the first Cybersecurity Practice Guide for the Financial Services sector. Financial institutions deploy a wide array of information technology devices, systems, and applications across a wide geographic area, but controlling the cybersecurity resilience of those systems and applications can be a challenge. This new guide includes an example solution to track the location and configuration of networked devices and software using open source and commercially available technologies.

The Center – along with the Cybersecurity Framework – makes clear that the most effective way to combat growing threats to our cyber space is through a strong partnership between industry, government, and civil society. Working together on cybersecurity is a win-win scenario that will make us more resilient to cyber-attacks and bolster and protect our country’s economic prosperity. To that end, I ask for each of you here today. NIST plans to release a new request for information related to the framework – and I encourage all of you to respond. Specifically, we want to know: How are you using the framework to improve your cybersecurity risk management? How are you sharing your best practices for utilizing the framework? Which parts have been the most valuable for you so far? What should long-term governance of the framework should look like? Should we update the framework?

Our plan is to work with our partners and stakeholders to keep the framework up-to-date with evolving changes in technology and threats, so that it continues to meet the needs of business. You can help us by providing your comments and feedback. We will also use your responses to develop an agenda for a cybersecurity workshop we are planning for next spring. Working together, I am confident that we can find the technological and policy solutions needed to protect your businesses from cyber threats and help companies across America recover from attacks. 

The financial services sector represents a vital component of our nation’s critical infrastructure, and we cannot afford to let your institutions become victims of cyber-attacks. Each of you here today understands the urgency of these threats. Your decision to participate in today’s conference proves that you are willing to make the changes necessary to protect yourselves. By investing in your cybersecurity, you are sending a clear signal to your customers: that you are working to protect their privacy, secure their assets, and keep their trust.

I applaud you for your commitment, and I look forward to working together to find ways to address growing cyber risks. Thank you.