In an interview earlier this month, Brian Moynihan, CEO at Bank of America, discussed the doubling of cybersecurity spending by the bank since he began as CEO. He noted that, “I became CEO 11 and a half years ago, and we probably spent three to $400 million [per year] and we’re up over a billion now.”
A recent barrage of cyber-attacks across a variety of key industries in the U.S. has placed a new sense of urgency on protecting against cybercrime. Back in May, Cathy Bessant, Chief Operations and Technology Officer at Bank of America, gave a stark warning about cyberattacks on U.S. financial institutions saying, “There’s no question that the rate and pace of attacks, and the nature of attacks, has grown dramatically.”
Earlier this year, China Tech Threat published a report showing that cyber-attacks against financial organizations are growing in frequency and severity and U.S. banks are the most targeted.
Last month, President Joe Biden signed an executive order aimed at strengthening U.S. cybersecurity defenses. While this is a step in the right direction, U.S. cyber policy remains lackluster and confusing.
For example, the approach, which restricts some PRC-owned IT firms but not others, is needlessly complex and invites exploitation. Federal policy restricts some purchases from Huawei, Lenovo, Hikvision, and others for security reasons but does not communicate the threats and mitigation in a way that is actionable for banks or end users.
As our report recommends, U.S. financial organizations should proactively conduct cyber resilience audits, remove elements with known vulnerabilities, and adopt NATO’s risk reduction strategy of avoiding IT sourced from authoritarian countries. Anne Neuberger, deputy national security advisor, called on corporate leaders in an open letter earlier this month to strengthen their technology defenses. “The private sector also has a critical responsibility to protect against these threats,” Neuberger wrote.