“Network security is only effective 24 percent of time,” Luis Aguilar, commissioner at the Securities and Exchange Commission (SEC), told an audience of mostly financial industry pros, government officials and tech firms at the SINET Innovation Summit in New York on Thursday.
Citing a bevy of recent research statistics that he said underscore the “scope and urgency” of cybersecurity threats, Aguilar said it was “mindboggling” that so many companies fall short when it comes to the basic measures of protection, like taking out cyber insurance.
Despite taking a multifaceted approach that includes new rulemaking and greater enforcement action, as well as the adoption of Regulation Systems Compliance and Integrity (SCI), Aguilar noted that the commission had fallen short, too. “SCI didn't go far enough,” he said.
“We fell short of providing the fix, like OPM did,” he explained, referring to the recent breaches at the Office of Personnel Management.
Like other regulators and law enforcement agencies, the SEC has found tracking down perpetrators to be a challenging, circuitous path because many cybercriminals hide overseas outside the reach of U.S. authorities, and often well outside of detection. “We can't just go in and kick down doors, take their computers,” he said. “We have to get permission from law enforcement in different countries and jurisdictions.”
Aguilar called for more formalized information-sharing between private sector companies and the government. The sharing done today is typically informal, with security pros and execs passing on threat information casually over lunch or through phone calls. But threat information sharing “is too important to be relegated to a game of telephone,” he contended.
SINET, the Security Innovation Network, fosters innovation and collaboration between the public and private sectors to battle cybersecurity threats.