Big banks are revving up efforts to combat cybercriminals targeting the financial-services industry.
Eight of the largest U.S. banks are forming a group that seeks to tackle the growing cyberthreat. It includes J.P. Morgan Chase & Co., Bank of America Corp. and Goldman Sachs Group Inc., among others.
While still in its early stages, the big banks expect the group members will share more information with each other about threats, prepare comprehensive responses for when attacks occur and conduct war games designed for the issues facing the biggest institutions.
The big banks are currently part of a wider group of banks that looks to share information about cyberrisks. But with 7,000 members, the biggest banks felt they needed an outlet that reflected the fact they are more likely to be targets of hackers than their smaller brethren and have more complex systems, according to people familiar with the matter.
The financial-services industry ranked third in number of cyberattacks last year, after health care and manufacturing, according to a U.S. cybersecurity report released by IBM Corp. in May. Two years ago, J.P. Morgan, the largest U.S. bank by assets, was targeted by cybercriminals in a breach that exposed names, addresses and other information of 76 million customer households, although no money was taken.
Banks have intensified efforts to protect themselves this year despite the adoption in December of the Cybersecurity Information Sharing Act, a federal law that aims to make it easier for private companies to share cyberthreat information with the government. Financial institutions have expressed concern about the federal initiative, however, saying it adds another layer of bureaucracy as they already are investing billions of dollars to fight off cybercriminals and sharing information among themselves.
In recent months, banks have griped that they are providing more information to the government than they are receiving from federal agencies.
“We are working very rapidly to declassify everything we can to push it out as quickly as we can to all of our partners,” said Phyllis Schneck, deputy undersecretary for cybersecurity at the Department of Homeland Security.
The new bank group, which is in the early stages of development, will build on the efforts of an existing industry organization that already addresses the same issues for the broader financial-services industry.
“They are trying to provide a support mechanism for deeper information-sharing and collaboration on top of whatever is already going on today,” said John Carlson, chief of staff at the Financial Services Information Sharing and Analysis Center. The new group will operate under the umbrella of that organization.
Mr. Carlson declined to identify members of the new group, but people familiar with it said it also includes Bank of New York Mellon Corp., Citigroup Inc., Morgan Stanley, State Street Corp. and Wells Fargo & Co.
Banks have long been targets of hackers, and also have racked up hundreds of millions of dollars in costs to cover purchases made on counterfeit credit cards resulting from data breaches at retailers.
In response, banks are continually beefing up their defenses. J.P. Morgan, for example, is expecting to spend $600 million on cybersecurity efforts this year.
Top banking executives say cyberattacks often occur on a daily basis.
While banks have asked for greater information-sharing with the government to assist their efforts, firms still have a number of concerns. Despite the new law, banks fear legal issues that could emerge if they share threat information with the government. Although the law provides liability protection to companies for sharing certain kinds of information, the banks are worried that such disclosures could open them up to shareholder lawsuits.
Other bank executives have questioned whether information that they are providing to the government is stored securely.
“There are still a lot of questions about the new law,” said Nubiaa Shabaka, executive director in the legal and compliance division of Morgan Stanley at a legal financial-services conference in June.
Bank executives said the technical capabilities of the government’s cyber-sharing effort has improved in recent months. For example, a new automated system can warn banks more quickly about potential threats without requiring users to log into a specific portal and open documents.
“It is incumbent on the government to demonstrate that what it has set up is not only efficient operationally and reliable from a liability standpoint, but also that it is valuable,” said Alan Raul, leader of the data security practice at law firm Sidley Austin LLP.
The government has provided additional guidance about the new law since it was enacted in December. The updated guidance has stressed that companies aren’t required to share information about cybersecurity threats with the government and provided more technical details about how the companies can share such information.
”The sharing is only really just beginning,” Ms. Schneck said.