An interview with Rich Baich, Chief Information Security Officer at Wells Fargo. We spoke to Rich about “A successful public-private partnership: The financial industry working together.”
David Grana, Head of North American Media, Clear Path Analysis: What are public-private partnerships and how do the participants benefit from them?
Rich Baich: A public-private partnership is a cooperation between private sector companies and governments. It can involve sharing intelligence on a project or a problem of some sort. We do this to try to understand each other’s capabilities in order to create a more holistic approach to mitigate the risks associated with communicating and transmitting data over the internet. The benefits include prioritizing risks by providing constant feedback. This allows organizations to take action quickly and provides governments with information which can help in the drafting of new legislation in the space.
David: Do we currently have a number of public-private partnerships that are in place here in the US?
Rich: Yes, we have quite a few. I am the chair for the Financial Services Sector Coordinating Council (FSSCC): www.fsscc.org. It is a non-profit group, whose members are financial institutions. FSSCC coordinates with all the financial service members to develop critical infrastructure strategy initiatives and partner with the government on those efforts.
Through this public-private partnership, we look to strengthen the resiliency of the financial markets. We do that through the shared goal of maintaining a robust and resilient sector, looking at it from a financial perspective, as well as looking at it from a policy doctrine perspective. Wells Fargo also participates in a fee-based membership group called the Financial Services Information Sharing Analysis Center (FS-ISAC): www.fsisac.com. The group operationalizes a lot of the connectivity between government and the private sector. We work closely with Treasury, the Department of Homeland Security and industry associations, including SIFMA and the American Bankers Association, to help drive policy and doctrine, and operationalize and share intelligence.
David: When public-private partnerships are formed, are they always for a specific purpose?
Rich: If we are talking specifically about cybersecurity, then yes. Cybersecurity is broken down in the U.S. by sectors, such as the financial services industry, energy, communications, healthcare, etc.
The groups were generally divided vertically, but we are starting to see dependencies. For example, all industries are dependent on power. What good does it do for the financial services industry to be able to protect itself if the power grid goes down? We are now seeing the opportunity for the fusion and co-mingling of these public-private partnership models, so that they can come together. If I had to predict the future, maybe there is going to be a critical infrastructure coordinating council where they all come together.
David: Why is it important for the government to participate in these partnerships and in the war against cyber crimes and hacking?
Rich: The government is responsible for the laws and legislation, which we need in order to enable businesses to function. We also need governments to protect organizations and allow them the opportunity to understand how they can operate according to current laws. It is the government’s responsibility to create the environment that enables commerce and operational rules. It’s also important for governments to be involved, because they can collaborate with other governments to create international rules. Cyber events can occur in multiple jurisdictions, so it is important to develop laws that can address them.
David: Are we starting to see cybersecurity cooperation on an international level?
Rich: Yes, we are. In my role as the chair of the Financial Services Sector Coordinating Council and in close coordination with the Department of Treasury, one of my goals during my tenure is to find other countries that have a similar organization in their country so that we can connect. The resiliency of our financial markets is not just a U.S.-centric concern. Treasury has been a strong partner in ensuring international coordination between governments as well as the sector as a whole.
David: How do you address the public’s concerns around “Big Brother” having too much information?
Rich: The Big Brother concept is not concerning to me because I believe the industry is collecting information and using it in a responsible manner to prevent a disaster. The challenge is around getting people to understand what can be and is being done with that information. Public-private partnerships are trying to figure out how to use this information to make the world a safer place.
David: How far along are we in the public-private partnership space?
Rich: It really depends on the industry. The most advanced right now is the financial sector. For example, the Financial Services Sector Coordinating Council is an umbrella, and under it we have the Financial Services Information Sharing and Analysis Center with over 7,000 members. Other industries may not be as mature. Progress is being made every day, although I don’t feel that we will ever be at an end game because of the ever-changing environment.
David: What are some of the efforts that Wells Fargo is specifically taking to be able to open up the industry dialogue and move along the process of setting standards and being able to find practical ways of addressing these cybersecurity concerns?
Rich: At Wells Fargo, cybersecurity is a critical component of our vision. Our customers require a high degree of trust to protect their information assets, and as such, our information security team’s mission is to ensure that we are securing our assets. We are not only important to our national critical infrastructure, but also the entire global system. And because the majority of that national critical infrastructure is owned and operated by private companies, both the government and the private sector share responsibility to reduce risks to that infrastructure.
In addition to participating in public-private partnerships, such as the Financial Services Sector Coordinating Council, we invest tremendous amounts of money to support information sharing. We participate in cybersecurity policy initiatives with industry and government, and coordinate closely with our government relationship leaders and security teams. We help to drive and provide awareness back to our government so that they can understand the pressing issues and priorities that we are facing in cybersecurity.
In 2017, we created a position that is 100% dedicated to the public-private partnership. This role manages our bank’s participation in programs that are dedicated to improving the cyber resiliency of the financial core, including real time information sharing, risk analysis and contingency planning. Wells Fargo is also a member of the National Cybersecurity Alliance, which is the nation’s leading non-profit public-private partnership promoting cybersecurity and privacy education and awareness across a broad range of stakeholders.
This interview is an excerpt from the Financial Crime & Operational Security, North America 2018 report. You can download the full report for free online.