Later this month the United States and United Kingdom will launch Operation Resilient Shield, a joint protocol to test the cyber readiness and cooperative capacity of the financial services sector. The simulation will expose major US and UK banks to a variety of cyberattacks to test banks’ security protocols as well as their ability to coordinate with each other and regulators. This, alongside other developments throughout 2015, indicate a global tidal shift toward tighter cooperation between regulators and industry on cyber issues is underway.
Back in January, President Barack Obama and Prime Minister David Cameron announced a number of initiatives aimed at strengthening transatlantic threat information sharing and intelligence cooperation on cyber issues. Among those was a decision to adapt the existing British model of government-industry cyber simulations to include their US counterparts.
In 2011 and 2013 the British government conducted Operation Waking Shark, a series of simulations which tested the resiliency of online payments systems in London’s financial sector against wide-ranging cyberattacks. The results of the simulation highlighted a need for better cross-firm communication in a crisis, sector-wide preemptive incident response plans, and clarity over regulators’ role as crisis information hubs. These three topics are now the focus of Operation Resilient Shield’s “real-world attack scenario.”
While the US and UK have a longstanding collaborative relationship on cyber issues, Operation Resilient Shield will be the first instance of a transatlantic cyberattack simulation. It also represents the next step in advancing cooperation between industry and government in countering future cyberthreats.
In that vein, Operation Resilient Shield is designed to operate as a pilot program opening the door to much broader cooperation in the future. The Bank of England recently recommended expanding future simulations to include major firms in other sectors, specifically the insurance sector. Therefore, the final ambition of these simulations may ultimately be to prepare high-level, government-assisted responses to attacks with wide-scale impacts for firms across many industry verticals.
Resilient Shield also represents a progression toward future global cyberattack simulations. Regulators are pursuing this goal as a means to deter hackers who exploit weaker firms in small markets as a means to gain access to their partners or clients in larger, more developed markets. However, due to privacy concerns and bureaucratic hurdles, such operations are unlikely to occur anytime soon.
Operating in parallel to advancing simulation testing, the recent passage of the Cybersecurity Information Sharing Act in the US Senate further emphasizes the shift towards a tighter cyber-relationship between regulators and industry. The bill – backed by major financial services firms and retailers – would allow companies to share cyberthreat information with the federal government in exchange for liability protection.
Increased corporate-government cooperation and information sharing will offer firms future tactical and legal advantages, but will also present new challenges.
What does this mean for your business?
Raised standards will mean raised expectations. There are several basic actions every firm can take to better prepare themselves for the increased regulatory scrutiny that will inevitably follow deepening government-industry cooperation.
- Have a plan. Courts and the SEC examine a company’s conduct before and after a breach. Being able to demonstrate a sound incident response plan mitigates intrusive regulatory oversight and creeping damages after a breach.
- Establish mechanisms for internal cohesion. Updating the board, even annually, regarding cybersecurity protocols and plans allows for swift action in a crisis and facilitates external communication.
- Hire independent council. The greatest long-term damage from a breach is reputational. Privilege protects a company against premature and under-sourced negative press following a breach. The strongest claim of privilege is through external legal council.
- Establish privacy safeguards. The trend towards increased collaboration further elevates the value of customer privacy. Strong privacy controls will ease international deals and continue to evolve as a brand differentiator.
- Conduct preemptive simulation tests. Contract an independent operator to challenge existing systems, identify security gaps and recommend remediation steps.
