Cybersecurity experts from industry, government, and academia came together on September 7th and 8th for the MIT-Federal Reserve conference, “Measuring Cyber Risk in the Financial Services Sector.” Panelists and keynote speakers from MIT’s Computer Science and Artificial Intelligence Laboratory (CSAIL), The Federal Reserve, The White House, and other organizations discussed the status of efforts to quantify and track risk across the financial system.
MIT professor and CSAIL Director Daniela Rus gave opening remarks to welcome colleagues to the event. “MIT CSAIL has a long history of leadership in cybersecurity,” says Rus, who referenced the contributions made by MIT professors Shafi Goldwasser and Silvio Micali to the field. She emphasized that the next innovations in security will come from interdisciplinary collaboration, bringing together computer scientists with social scientists, policymakers, industry leaders, and regulators. “We must take a cross-disciplinary approach because our lives are becoming increasingly dependent on data-driven decisions,” she adds.
A fireside chat followed between Tom Barkin, President of the Federal Reserve Bank of Richmond, and Andrew Lo, MIT Professor and director of the Laboratory for Financial Engineering at the Sloan School of Management and CSAIL principal investigator. Founding Director of the MIT Internet Policy Research Initiative and CSAIL principal investigator Daniel Weitzner moderated the discussion.
During the chat, Barkin stated that people "need to have confidence that they will be able to access their money” even when systems are under attack. The Federal Reserve is assessing how it can improve its cyber defense metrics based on this understanding. Likewise, firms often lack a way to collect, measure, and convert granular elements of an attack into business-level cyber risk metrics. Lo and Barkin both emphasized improving these measurements, with Lo observing a lack of knowledge about the scope and risk of cyber attacks. “Financial markets are great at managing risk when you can quantify," observes Lo. He recommended experts "start with metrics." Then, companies can start trading securities based on these measures and create insurance against attacks. Lo concluded by advocating for cryptographic strategies to share information while protecting privacy.
Later, Principal Deputy National Cyber Director at The White House’s Office of the National Cyber Director Kemba Eneas Walden discussed the importance of quantifying cyber risk. In her keynote remarks, she acknowledged that despite the significant challenges with current cyber risk metrics, advancing both at the firm and the systemic levels is essential in the financial services sector and across all critical infrastructure. Walden also praised efforts to bring government, industry, and academia together to share developments in cybersecurity, highlighting ongoing Federal initiatives to better understand cross-sector risk and strengthen underwriting in the burgeoning cyber insurance industry through work led by the Departments of Homeland Security and Treasury. Her office maintains its commitment to using empirical metrics at the highest levels of government.
While collaboration is needed, Lo highlighted the challenge of sharing information with colleagues across industries while preserving transparency and privacy. In his keynote, he proposed secure multi-party computation as an older, but helpful starting point to solving the issue because it “allows us to share very personal info in very private ways.” Building upon Goldwasser and Micali’s previous innovations to the method, Lo helped develop the Secure Cyber Risk Aggregation and Measurement (SCRAM) platform, a cryptographic platform designed to run secure and private computations. SCRAM computes cyber risk statistics without requiring firms to disclose their attack and loss data.
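To make the idea concrete, here is an added illustration (not SCRAM's own protocol or code) of the simplest secure multi-party computation: additive secret sharing, which lets several firms learn their combined loss total while no firm ever sees another firm's figure. It assumes honest-but-curious participants and constructed sample loss values.

```python
import secrets

# Prime modulus; chosen large enough that the summed losses never wrap around.
P = 2**61 - 1


def make_shares(value, n):
    """Split an integer into n additive shares over Z_P.

    Any n-1 shares are uniformly random and reveal nothing about value;
    only all n shares summed mod P reconstruct it.
    """
    shares = [secrets.randbelow(P) for _ in range(n - 1)]
    shares.append((value - sum(shares)) % P)
    return shares


def aggregate_losses(firm_losses):
    """Total the losses of all firms without exposing any single firm's figure.

    Each firm splits its own loss into one share per participant and sends
    share j to firm j. Each firm then sums the shares it received (one from
    every firm, including itself) and publishes only that partial sum.
    Adding the published partial sums yields the total; the individual inputs
    stay hidden because every firm sees only random-looking shares.
    Returns (total, partial_sums) so a caller can check the aggregate.
    """
    n = len(firm_losses)
    # inbox[j] holds the shares that firm j receives from every firm i
    inbox = [[] for _ in range(n)]
    for loss in firm_losses:
        for j, share in enumerate(make_shares(loss, n)):
            inbox[j].append(share)
    partial_sums = [sum(shares) % P for shares in inbox]
    total = sum(partial_sums) % P
    return total, partial_sums


if __name__ == "__main__":
    # Constructed sample: annual incident losses (USD) for three hypothetical firms.
    losses = [1_250_000, 480_000, 3_900_000]
    total, partials = aggregate_losses(losses)
    print("published partial sums:", partials)
    print("aggregate loss across firms:", total)  # 5630000
```

Dividing the total by the number of firms gives the average loss, which is the kind of benchmark a firm can compare itself against without anyone disclosing raw incident data.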
The event continued into Thursday, and over the two days featured speakers from Bank of America, Google, Columbia University, and J.P. Morgan Chase. Taylor Reynolds, Research Director at MIT Internet Policy Research Initiative, and Nagarjuna Venna, MIT Sloan instructor and co-founder of BitSight, contributed to presentations on the second day. Together the experts discussed existing frameworks for security risk management, such as NIST and FAIR, as well as cyber insurance, the potential of business-level cyber risk metrics, and other concepts. The experts agreed on the need to improve models and datasets so that the whole industry can quantify cyber risk more effectively.
There is cautious optimism about the potential of joint efforts to advance security measures in anticipation of a major cyber attack. “It is not as though the sky is falling,” says Venna, in response to concerns about the state of the field. Others, like Fidelity Investments’ Head of Cybersecurity Operations & Analytics Sean Downey, indicated that using data from other companies would improve security measures across the industry. Nicole M. Clement, Senior VP of Global Information Security at Bank of America, also promoted interfirm teamwork on this front. David Stone, Office of the Cloud CISO at Google, mentioned using metrics available in the cloud to push cybersecurity efforts forward.
Competitive interests stand in the way of further collaboration, though. Some companies are currently hesitant to share cyber risk measures with other firms, but cybersecurity professionals are hopeful this attitude will change with the rollout of encrypted data processing that doesn’t require disclosure of sensitive data. “Firms each build this data individually in silos, but we can get much better measures if we collaborate,” notes Reynolds.
MIT organizers hope this event will expand collaboration across the financial services sector. The conference was sponsored by the Federal Reserve Board of Governors, the Federal Reserve Bank of Richmond, and MIT.