Crime lore has it that when the prolific stick-up artist Willie Sutton was asked why he robbed banks, he glibly responded, "Because that's where the money is." And in the 21st century, Sutton's maxim is alive and well in the cyber realm.
Greg Schaffer, acting Deputy Undersecretary at the Department of Homeland Security, said as much Wednesday in testimony before a House subcommittee.
"The fact is the financial services sector is where the money is so this sector is targeted in a way that other sectors may not be," Schaffer told members of the Financial Services Committee's Subcommittee on Financial Institutions and Consumer Credit. "In terms of direct access to cash, this sector is targeted in a way that others may not be."
So how concerned should investors and wealth managers be?
Amid a backdrop of more-or-less constant warnings and reports of high-profile data breaches, members of industry and government officials alike characterized the public and private response to the cyber threat as one of vigilance, while at the same time underscoring the fact that the threats are both relentless and constantly evolving.
"It is really quite hard to identify a security issue today that is more pressing than cybersecurity. The reality is that we are increasingly under attack in a dangerous cyber environment," Schaffer said. "This is not conjecture -- this is happening on a daily basis."
Financial institutions are estimated to be the subject of some 22% of all cyber attacks, making the industry among the most heavily targeted alongside the retail and hospitality sectors.
The witnesses stressed the importance of coordination between members of the financial sector and government officials, an ongoing area of concern that lawmakers and the White House have been working to address through an array of legislative proposals.
For financial houses, that partnership can sometimes entail sharing an uncomfortable amount of information with federal agencies, which in turn invites a host of privacy concerns.
Nevertheless, Greg Garcia, Bank of America's partnership executive for cybersecurity and identity management, told the subcommittee that frictions between the public and private sectors have been waning as the threats escalate.
"I think the partnership framework is getting more and more mature every year, and it can only get better from here," Garcia said.
Similarly, Schaffer and officials from the FBI and Secret Service described several partnership programs under way at their respective agencies seeking to enlist the cooperation of both the private sector and other corners of government.
At the FBI, more than 400 incidents of corporate hacking are currently under investigation, with many attacks emanating from Eastern Europe.
"The largest threat to the financial services industry and institutions is from the criminal realm," said FBI Assistant Director Gordon Snow. "It's important to make a distinction and the distinction would be those that are doing organized criminal groups for profit and the hacktivists," he added, referring to hackers motivated by a political or social cause, such as the recent and high-profile activities of the group Anonymous.
Many of those financially motivated attacks result in data breaches.
A.T. Smith, an assistant director at the Secret Service, said that 2010 represented a high-water mark for the sheer volume of incidents where corporate or other institutional systems were compromised, but that in many of the breaches a fairly small amount of sensitive information was pilfered.
When a financial institution is compromised, investors receive varying degrees of notice, depending on where they live. That's because, despite the concerted efforts of several lawmakers, there currently is no national data breach notification law.
Instead, 46 states, the District of Columbia and Puerto Rico now have laws on the books mandating the notice that companies must provide customers in the event of a data breach, while Alabama, Kentucky, New Mexico and South Dakota have no laws at all. The compliance burden that results from that patchwork of state-specific laws has prompted many large businesses to advocate for a federal law.
Businesses and government entities alike are also moving to address the cyber threat preemptively. That entails aggressive and targeted education and outreach campaigns. "We continually warn our customers about phishing," BofA's Garcia said, referring to targeted emails that look legitimate but attempt to trick recipients into clicking on malicious links or providing personal information.
Similar efforts are under way in the federal government. In his legislative proposal for a comprehensive cybersecurity bill, President Obama has argued that education should be a cornerstone.
The Department of Homeland Security has designated October as National Cybersecurity Awareness Month since 2004, and oversees the ongoing Stop.Think.Connect campaign to promote Internet safety while partnering with industry members in outreach efforts such as the Stay Safe Online initiative.
All of these efforts stem from the recognition that with Internet-based technologies so thoroughly intertwined with the operations behind the financial industry and other sectors that trade on sensitive information, cybersecurity cannot be left only to the experts.
"I do think that this is an issue that we cannot just focus on security professionals," Schaffer said. "This is an issue that has to be shared with data owners, the folks who are making decisions about where to invest."