NEW YORK -- As cyberthreats continue to mount, financial services firms need to work more closely with law enforcement.
Most firms don't reach out to law enforcement unless they have to, hampering authorities' ability to fight cybercrime, according to one expert.
Special Agent Leo Taddeo, who oversees the bureau's cyber and special operations division, told attendees at a cybersecurity conference held by FINRA and SIFMA this week that they were a critical line of defense against cyberattacks.
"Most businesses don't call law enforcement unless they have to," Taddeo said, noting that some refrained from seeking assistance because of privacy concerns.
Taddeo asked attendees to imagine living in a neighborhood in which burglary was rampant, yet few victims reported crimes. "How fast do you think law enforcement will be able to resolve the problem?"
The challenges increase as cyberattacks become more widespread and sophisticated, he said. Reporting incidents helps law enforcement to better understand the motives of perpetrators and their methods of attack.
Taddeo said that while Sony executives may have been focused on preventing the theft of their films, once the attack did occur, perpetrators targeted their emails instead. The breach revealed negative comments made about artists who make Sony's films.
"If you sever the relationship between the company and the artists, you have no movies to make," he said. "You can replace the loss of one movie with the next.
If you lose your ability to make movies, it's fatal."
Taddeo said the bureau's agents "are constantly surprised by what the adversary considers to be a crown jewel."
LAW ENFORCEMENT'S ROLE
"What do you get when you call us?" he asked. "We have dedicated response teams composed of computer scientists, lawyers, analysts and FBI agents."
Lawyers especially can bring value to financial services firms, helping to work around legal issues such as privacy concerns, Taddeo said. He also said that financial services firms should not be worried that an FBI investigation into a data breach would put them out of business. "I want to dispel a myth that if you call the FBI you'll soon have agents putting crime scene tape around your offices," he said.
Taddeo added that the bureau will explain what its agents need and ask for it, noting that it is rare for FBI computer scientists to operate on a firm's network. He noted that the bureau does use subpoenas sometimes, but not in most cases.
WHAT FIRMS CAN DO
Taddeo said that the financial services sector was ahead of other economic sectors in terms of understanding the dangers posed by cyberthreats. However, there is still room for improvement in terms of how prepared firms are for a cybersecurity incident.
"Many network operators don't have an accurate idea what their network looks like, what's connected to what, and what software is on their system," he said.
Too often key members of a firm aren't aware of their responsibilities, or that of relevant third parties, such as vendors or outside legal counsel. Taddeo said that it's necessary to work out responsibilities and roles before an attack occurs.
"You don't want to meet your team on game day," he said.
He added, "In many cases, when we show up, we hear, 'We'd love to work with you, but we need to check with our lawyers.' In the meantime, the attacker could still be bouncing around your systems."
Knowing this information in advance can greatly cut down response time and mitigate the damage from a data breach, Taddeo said.