U.S. Treasury Department Deputy Secretary Sarah Bloom Raskin described the dangers that cyberattacks pose for the global financial system. She urged international regulators and leaders in the financial services industry to agree on peacetime norms and to develop cyber defenses predicated on a "common, risk-based" approach.

In her remarks to the Public Company Accounting Oversight Board International Institute on Audit Regulation, Ms. Raskin referred to a number of international efforts to create boundaries and rules intended to "make the technological frontier more secure." She noted the G20's affirmation in 2016 that international law applies to nation-state conduct in cyberspace, and that countries should not use their cyber capabilities to steal trade secrets and other intellectual property.

Ms. Raskin proposed prohibiting a country from attempting to damage the critical infrastructure of another state or impair essential public services. She also stated that countries should cooperate with requests from other nations to "investigate cybercrimes and mitigate malicious cyber activity emanating from their territory."

In the short term, Ms. Raskin urged market leaders to fortify their cybersecurity frameworks using the G-7 Fundamental Elements of Cybersecurity for the Financial Sector, a set of recommendations endorsed and published by G-7 finance ministers and central bank governors in October 2016. She also stated that corporate boards should arm themselves with mechanisms to assess assertions by management regarding the organizations' cyber defenses. Adopting such a mechanism would be of particular value to board members who are not technologists or cybersecurity experts, she stated.

Commentary / Joseph V Moreno

Deputy Secretary Raskin's decision to raise the issue of cybersecurity at a PCAOB gathering is consistent with the traditional role of auditors as gatekeepers of the global financial system. Like financial fraud, threatened cyberattacks have the ability to shake the confidence of investors and consumers in major financial institutions. The notion that banks should adopt "risk-based" measures to protect the integrity of their data and systems – i.e., efforts that are tailored and resourced in accordance with the degree of risk they are expected to address – is also consistent with anti-fraud measures. Auditors and audit committees are now on notice that they are expected to be responsible for internal controls relating to cyber defense measures, as well as for identifying potential management overrides of those controls. To the extent that they can, major financial institutions should partner with government regulators and industry leaders to identify these risks and work together to address them.
