The finance sector is already making major strides on sharing information about cyber-security threats, in line with US President Barack Obama’s recent executive order, but greater efforts are required on employee education, experts say.

Last month, President Obama signed an executive order to promote greater information sharing on cyber-threats, both within the private sector and between government and the private sector. The order encourages the establishment of information-sharing ‘hubs’ and calls for the creation of a framework for sharing information between the private sector and the government which maintains privacy and civil liberty protections while providing access to classified cyber-security threat information.

The executive order sits alongside proposed US legislation to introduce liability protections for firms that share information about cyber-threats, and plans for a new Cyber Threat Intelligence Integration Center, which will serve as a single entity for sharing intelligence about cyber-threats across the US government.

“We have to build stronger defences and disrupt more attacks. We have to make cyber-space safer. We have to improve cooperation across the board,” said Obama, speaking at a White House Summit on Cybersecurity and Consumer Protection held at Stanford University.

Dr Starnes Walker, founding director of the University of Delaware’s Cyber Security Initiative, said the announcement bolstered the role of government in supporting the development of standards and “creating an environment to encourage best practices, to help communicate technology solutions, and to alert industry to emerging threats”.
President Obama’s announcement follows a series of high-profile cyber-attacks on information held by companies in the US, notably Sony Pictures, but also retail chains and a number of banks and financial services firms.

As a frequently targeted sector, the US finance industry has collaborated on the gathering, analysis and sharing of intelligence about cyber and physical threats under the auspices of the Financial Services Information Sharing and Analysis Center (www.fsisac.com) since 1999. The centre officially went global in 2013 and in March alone held meetings and workshops in Bangladesh, Malaysia, Singapore and the UK.

Eric Hess, managing counsel at Hess Legal Counsel LLC, which specialises in the investment banking and securities sectors, regards the hubs called for by President Obama as an “intelligent extension” of the progress made in the finance sector.

But Hess cites employee education as a key area in which firms in the finance sector could improve their defences against threats to information security. “Education is always best when it’s tailored. But rather than firms investing in their own training, the best education is often by outside professionals who can add interest and perspective. Until companies pay more attention to education, the weakest link in an organisation’s information security plan will be their employees,” he said.

In March, a senior official at the US Securities and Exchange Commission’s (SEC) Office of Compliance Inspections and Examinations said cyber-security was a priority in the US securities industry regulator’s examination activities and that training flaws had already been identified.

“We found that firms were generally conducting periodic risk assessments to identify cyber-security threats and vulnerabilities,” said Jane Jarcho, national associate director of investment advisor and investment company exams at the SEC.
“Most customer losses were the result of a firm employee not following procedures, not the failure of firms to have such policies in place.”

Walker said training on cyber-threats should be customised to meet needs at different levels within firms. “Training should be tailored for the general employee, the C-suite, and board members, to educate each on how to ensure their networks, intellectual property, critical infrastructure and business operations are well protected. This training and education should be an on-going, continual education program as the threat will continually evolve. Likewise, the assembly of industry coalitions in sectors can help to formulate recommendations on the effectiveness of education and suggest the sharing of training modules,” he said.