tv [untitled] June 7, 2012 11:30pm-12:00am EDT
11:30 pm
i currently serve on that board of directors. we recognize that congress shares our concerns regarding the nation's current cybersecurity infrastructure. with respect to our industry, we feel it's important to keep the following in mind. we recognize the need for expanded information sharing with government agencies, including greater private sector access to threat data. access to threat information must be administered in a manner that can provide broader protection without compromising ongoing investigations or the privacy of individual americans. we believe that the government agencies should leverage information to facilitate two-way and public/private sector information sharing to help the institutions protect themselves and ultimately the customers. the treasury department as our
11:31 pm
sector specific agency, and the regulatory agencies through the financial and banking information infrastructure committee, should determine what is considered critical infrastructure; a one size fits all is not the right solution. as the amount and -- our nation's universities must focus on developing the next crop of talented information security professionals so that the financial services industry and the nation can protect themselves from attacks. the u.s. should seek strong cooperation to punish those responsible for cyber crimes. a single uniform federal breach
11:32 pm
notification standard would reduce administrative oversight, establish clear guidelines and reduce customer confusion. we have played a leadership role in developing policies, procedures and technology to protect customer data, and we look forward to maintaining that role as the nation upgrades the cyber defenses. thank you for this opportunity to testify today on behalf of sifma. >> and i thank you. mr. woodhill, welcome, and you are recognized for five minutes. >> thank you, mr. chairman, vice chairman, congresswoman maloney and members of the subcommittee. when i asked how to be a good witness for you, my good friend, former chairman of the energy and commerce committee, told me i needed to do two things: be brief and then be gone. before i'm gone, i'll tell you what the most
11:33 pm
problem is, the decisive solution. thank you for the opportunity, on behalf of the potential and victims of the -- i was recruited in december of 2009 to be the advocate of the cyber crime, by hiring the most prominent analyst in the space. i'm here today because your money is not safe in the bank. not if you are an american church, school district, small business, or political campaign fund. not if you bank online using microsoft windows. many of you on this committee have heard from victims in your district. the shocking thing to victims is that their organizations being vulnerable is an official financial services industry policy known as shared
11:34 pm
responsibility. your personal accounts are safe and protected by federal reserve-e, but the consensus of the cyber law experts is that shared responsibility will not hold up long-term. to date there have been over 500 victims. sometimes the bank makes restitution and sometimes the loss is split with the victim, but in hundreds of cases the bank has evoked shared responsibility and stuck the bank with the entire loss, and more than one bankruptcy ensued. no matter whose pocket this money comes out of, the stolen monies are funding enemy r&d. the thefts must stop. this crime wave did not have to happen. the regulators issued guidance that would have stopped the crime; even back then, necessary
11:35 pm
solutions could be implemented. but they were not adopted in great numbers, so there was more detailed supplemental guidance. if the tools were available, why did security bank spend more on lawyers to defend a lawsuit than the $300,000 it would have cost to reimburse tnc? the answer is simple: the banks still have not gotten the memo. why not? examples from medicine and public health show that even when life and death are at stake, it takes 20 years to get new information through a medical specialty. as for educating the general public about health threats, experience shows it just cannot
11:36 pm
be done. fortunately, account takeover can be stopped by the processors, the 13 processors that run online banking, just as it has been stopped by the largest banks who are their own processors. weighing the alternatives, moving the risk of the crime to the responsibility of the processors is the victims' first choice. it's fast and government is not in the loop. but there are other solutions that would work. if banks were required to fully disclose the risks of online banking, then those customers could -- moving online could accept the risks, turn off online banking or move their accounts to where they are safe. i think banks would quickly turn to processors for protection rather than admit money is not safe in the bank. another alternative is the public funds, taxpayer monies: if they simply refused to risk taxpayer
11:37 pm
dollars by putting the money in banks with the history of losses, then the banks would do the same thing. regulation-e could be extended to all accounts, but i oppose this; it's more free market oriented to do otherwise. whatever the congress does, we urge it to do it soon before there are more victims and more trust lost in the banking system. we must work to make cyberspace a safe neighborhood. thank you for inviting me to testify. >> and thank you also for your testimony and being with us today. i thank the entire panel and we will turn to questions, and within my five minutes i'll start from the left and move down as far as i go. um, ms. cantley, you note in your testimony one of the recommendations deals with the issue of making changes to the
11:38 pm
suspicious activity report. can you briefly dig into that a little bit and tell us what changes need to be made there? >> yeah, and i would say those have been implemented, when the account takeover task force -- >> is your mic on? okay. i cannot hear. >> we have put this in place. when we looked at the suspicious activity report, we noted that account takeover is not clearly labeled as a form of suspicious activity, and we recommended that it be appropriately labeled. >> so what is being done with that information? >> now, when financial institutions have a situation of account takeover, and they report it on this suspicious activity report, then we use that to do the analysis and
11:39 pm
also -- >> what did they do before they had that little check off box? >> i beg your pardon? >> what was done before you had the check off box? >> before that it was not clear what was the method of attack, mr. garrett, so we felt it was appropriate so that the industry could reflect the volume and size of account takeover appropriately, and we felt the suspicious activity reporting process would be a good method for that. >> okay, thanks. mr. clancy, and others may want to come in on this. there's talk of the sharing of information between the institutions and the government as well, right? and in order to do so, you have to have a high level of trust there, and usually in life you want to earn trust before you execute on it. do you want to just briefly talk
11:40 pm
about ways to do that, to evidence the trust and to enhance ways to share that information between the levels? >> well, thank you, mr. garrett. >> and check your mic again. >> thank you, mr. garrett. >> thanks. >> so trust, as you mention, is slow to build and fast to be lost. the way we look at it is we started with anonymous reporting, where you can remove the details of who was impacted but give the facts so that others can take action based on the facts. with the community, there are limitations, and what we have seen as we did it is we started to get a small volume of activity, but when a core small group of us got together who knew each other professionally and socially, we said this is what really happened with that report. we started off with people with one to one personal relationships and now the
11:41 pm
community shares with full attribution, and we share with the broadest in our community and now we have additional rings. we have an inner circle, that is a clearing house and exchange group, who are sharing information about attacks on us. as you get to know the people you share with, you bring more people in the network and the network grows, much like social media: the more friends you have the more friends you get. >> okay, speaking of social media, i read about in the paper a big thing about facebook. you want to briefly, since you are here, tell us, in your information that you have, with regard to that transaction and it was reported, what was the problem, was there any cybersecurity aspect to that
11:42 pm
whatsoever, what is being done to make sure it does not happen again? and the people involved, have they been taken care of? >> thank you, congressman. i think you note, my expert opinion is here in cybersecurity, not in the trading. but the facebook ipo showed us a design flaw. >> okay. >> in the methods that are used to operate the ipo. it was designed -- it's been used successfully for years, and now we have engineered a fix for that design. we are taking a look at the processes we use to develop the software and test the software to see if we can improve those. the -- in terms of cybersecurity and any potential involvement with the facebook ipo, based on the information i have, which is substantial, there was no cybersecurity element in that
11:43 pm
ipo. >> okay. thank you, as additional questions, but my time has expired, i'll now yield to the gentlelady from new york. >> thank you. i would like to ask anybody on the panel, when there's a cyber attack, how do you find out about it? do your customers tell you about it? does your internal division tell you? does government tell you? how do you find out about it and then what do you do? do you report it to government so we are coordinating? do you report it to other companies? how does it work now? we are hearing that half of the small and large companies are being attacked. how do you find out about it and then what do you do about it? >> the short answer to your question is yes, all those sources. the reality is that financial institutions are constantly monitoring their environment for indication of attack, so, as
11:44 pm
aerel would tell you at citi, and i'll defer to him in a second, but there are significant investments in monitoring tools to look at the environment to determine if there are attacks under way. >> now, these tools that you put in place, are they standards that are required by government? are they standards that the private sector is putting in place? are there any required standards, or how are the standards being put in place, what are they? are some companies going far above that with new technologies to protect the information? >> the primary standard that is in place is an expectation from the regulatory agencies, and it's within the glba, the gramm-leach-bliley act, to have a strong risk assessment and management process in place. regulation typically does not specify the exact tools that need to be used, and that i think is good, because it recognizes that the environment is evolving
11:45 pm
fairly rapidly and a tool that worked yesterday may not work tomorrow. so, it is largely up to the financial institutions to determine their best risk management practices. but i would quickly add that through the collaborations that we talked about earlier, and frankly most of us at this table have worked together over the last five to ten years in terms of collaborative efforts, you know, we do go through the process of identifying best practices that we would use and share information on tools that have been effective and try and enhance the industry beyond just our own institutions. and i'll let aerel comment on that. >> i think you answered that really well, actually. so, i do not add much. >> thank you. i would like to ask mr. clancy from the trust and clearing corporation, you
11:46 pm
mentioned that three of dtcc's subsidiary companies have received notice that they are being considered as important utilities, and recognizing that the new risk management standards for the designated fmus are being developed, what is your expectation to the extent that these standards will address information security issues? >> thank you. my expectation is that their focus is very much to financial aspects, so market risk and liquidity risk and the like. i'm not certain they will get into the subsidiary issues. that is something -- so my expectation is that it will be addressed. from our perspective we looked at the risk that they
11:47 pm
pose to the u.s. financial system and global system and try to elevate our control in those threats. >> in a general sense, when a cyber attack occurs, do you tell your customers, or if private information is extracted on some of your clients, what is the standard that you have? i guess, mr. weiss, in informing people, but keeping it private, how do you address this? are there laws requiring disclosure, or what happens? >> absolutely, if there's a breach of personally identifiable information, there's regulation that requires that we provide that notification to customers. >> and just basically, what are the three things we have to do to make our country more secure? it is very unnerving to me to think that there are individuals and countries that have entire desks devoted to getting into
11:48 pm
private information in our financial markets and elsewhere, and what are the steps that the private industry is taking to protect this? and i guess ms. cantley, you play a key role with the coordination, is it working and how can we do better protecting our companies and individuals and countries from this type of attack? >> first off, we have a high amount of public/private information center. i think we can do more. we would like the government to share more threat indicators that they have with us on a timely basis so we can act on those and prevent cyber crime in our industry. we also would like to be in a position to share information safely with the government without having to go through the scrubbing steps, so we would
11:49 pm
appreciate the opportunity for that to be exempted from the freedom of information act. we would like some work done in the telecommunications industry. currently carriers are required to deliver everything to the end user. the government knows that some of the traffic on our networks is malicious, and if they could give that to the telecommunications carriers and they are allowed to dump that traffic before it gets to the end point, that would be great. and working on legal and diplomatic levels, when we say that person is a criminal, that person is arrested and tried and appropriately sentenced. >> thank you. thank the gentlelady for all of that. gentleman from arizona is now recognized. >> thank you, mr. chairman. this is an occasion where it's an area
11:50 pm
of great interest. first, let's say citi, or a major institution or regional money center bank, is finding its systems under attack. you know, someone is trying to somehow go up and down. how quickly does that get shared with others? do you share it through government? do you share it through the industry? do you share it through the working groups? how quickly does that information get disseminated? >> actually, it gets shared very rapidly. not automated, there are humans that need to create the e-mails and messages, but it happens quickly. so, in that case, through organizations and the techniques and trust that mark talked about earlier about developing it over the past decade, we have been able to create the central rings
11:51 pm
of trust and be able to share it out quickly so we can collaborate. >> you hit it there. we have an idea in our head that there's an automated system that shares that there's a threat. that is not how it works? >> it's the first step that we have taken, to share the information, and develop the threat indicator so we can share it with the broader audience at large. we have been building on automated methods so that we can share the information at network speed, so we take the humans out of the loop and get there. and it requires significant investment and a lot of work to get there. but we started down that journey. >> to that point, how quickly is that moving? >> it's moving, but it's, again, it's going to take us time to get there. >> i just don't have an answer
11:52 pm
when. i can get back to you. >> from some of the different organizations you spoke of that are out there, is this one of the areas they work on, automating the notification and warning systems, and it's not only the warning but here is how to block the attack? >> yes, there are systems that exist today that do that automated blocking and many institutions have them in place across multiple sectors. what aerel is talking about and what the fsi is working on is coming up with a standard template so it will feed the systems and come down the path. so we have a subcommittee that is addressing that to move it forward. as aerel mentioned, that will require a capital investment, and this is an area where the
11:53 pm
government could assist us, because we would like to cooperate together in moving that forward faster. >> and this is for anyone that would know the answer. how is the technology disparity between a money center institution, a, you know, financial trading platform, and my local community bank? you know, how far behind is the local community bank? is it more flexible or are they more exposed? what do you see across the financial world? >> if i could, congressman, let me try to address that. one thing i would like -- the point i would like to make is that effectively all of the systems represented at this table, and the systems that helped the congress, they are all under attack all the time at some level, in contrast to the situation just a few years ago.
11:54 pm
today internet attacks are a bit like weather: we have more rain and less rain, sometimes there's a hurricane that comes at us, but generally speaking they are all under attack. i think to get to the point of your question, the larger institutions that have more sophisticated staff typically will be less vulnerable to sophisticated attacks. i think the smaller institutions, the local community institutions, are at a disadvantage when it comes to defending against extraordinary attacks that perhaps have taken years to develop, and this is an area where government could assist quite effectively. >> and is there infrastructure within sort of the organizations for that data information solution fix, patch fix, to be quickly disseminated all up and down the food chain? >> there's two points. there's the dissemination piece, which i think the groups are working on, and there's the consumption
11:55 pm
piece. what we found is that even the large complicated institutions had significant problems consuming the threat data at the volume and frequency that it arrives. and the service provider route, whatever firms provide the financial products, are good ways to do that. >> mr. chairman, i see i'm out of time. i look forward to another round. >> gentleman is recognized from massachusetts. >> thank you, mr. chairman, and i thank the witnesses for attending and helping the committee with its work. one of the other hats i wear is i'm the cochair of the task force on terrorist financing, and i work a lot with the financial crimes enforcement network. they do a terrific job on our behalf, internationally on behalf of
11:56 pm
treasury and the american people, and they do a good job, but they are working in a more limited environment than all of you. is -- if, first of all, i want to try to understand, i know that for the exchanges where you have more resources than some of the smaller institutions that mr. graff was talking about, to protect themselves, where are we in terms of where we need to be with some of these smaller institutions? some of the local banks, you know, we as government have put out there certain benchmarks where we want there to be minimal coverage and protection for some of the smaller institutions, but number one, is that enough? do we need to do more to require those smaller institutions to provide greater protection to their customers? and is there also -- is there
11:57 pm
also a delta in terms of what we require the exchanges to do and where you think we need to be? perhaps you do even more -- i'm sure that most of the big exchanges do more than the government requires. and so, i'm trying to get a fix on where we are with the smaller and larger institutions and where we need to be. ms. cantley. >> thank you. speaking on behalf of attempts to address the smaller institutions, the fsisac thinks it's important, and part of the effort has been focused on education, and we have held a number of seminars there. another important step that we took, because we think it's critical, is to deal with the fact that most of these small and medium institutions use the same processors. so, we built on the guidance
11:58 pm
that was updated last year and in some of our recommendations got more tough on things that needed to be provided in the products that the institutions can take advantage of. i would like to point out to the committee that i do not think that additional regulation is the answer to this problem. i think the guidance that we have from the ffiec is very good, and it's applicable to all institutions and provides a method of dealing with all the attacks in a cost effective means for institutions of all sizes. >> what i'm trying to get at, i'm reading the "new york times" this morning and it has a front page story about the president has accelerated with wa
11:59 pm
we have with cyber attacks. there's always attacks, sometimes we have a shower and sometimes we have a hurricane. what i'm concerned about is that a state actor or a quasi state actor could bring the economy down or the financial services sector down, and that would cause great problems at any time, but especially right now where we are trying to build up a recovery. are we anticipating that? are we meeting that challenge? >> mr. weiss? >> i think one of the basic tenets that we recognized a long time ago, that all of the banking institutions were elements of the chain and any of the links were a potential weakness and