SAN DIEGO – More than 300 malware programs are created every single day.
And if that isn't bad enough, cybercriminals have created such a strong business environment, they sell service level agreements with each program, providing a money back guarantee if the malware doesn't work or is detected by anti-virus software within a set period of time.
Roger Cressey, former member of the National Security Council, delivered that sobering news to his general session audience Tuesday at the Mortgage Bankers Association Annual Conference at the San Diego Convention Center.
"You're dealing with a business environment as well as a significant threat environment," he said.
He also said cybercriminals are injecting command and control beacons into systems, and the sole purpose of the programs is to watch and conduct strategic reconnaissance. While these programs are usually aimed at critical infrastructure organizations, they are also being used against the financial sector, he added.
Malware is also far more advanced than it was in the past, Cressey said.
"You're seeing some really funky stuff like polymorphic software – malware that sits on one computer and as it jumps to another computer, the DNA of that malware changes," he said.
Data manipulation is also an increasingly serious problem for financial institutions. In these attacks, cybercriminals hack into a system not to steal data but to manipulate it.
The financial services industry is predicated on a foundation of trust in its data, he said, calling data manipulation an existential threat to the global economy.
Mobile, BYOD, insiders and breaches that occur within a company's supply chain are also posing new cybersecurity threats, Cressey said.
The government is unlikely to provide any answers or protection, because it can't go on the offensive. Unlike military threats that can be destroyed with a missile, cyberthreats don't go away.
"When you launch the equivalent in cyberspace, it lands, it attacks but it doesn't necessarily go away," he said. "The code, the attack capability, might be captured by your intended target. Maybe they'll take that code and play with it a little bit, reverse engineer it, turn it back around and send it our way, or maybe send it to an ally's destination. Nothing goes away in cyberspace."
The problem has handcuffed Washington from creating effective deterrence and offensive policies.
Cybersecurity is the responsibility of private industries, he continued, stating that the government will not take care of it. In fact, Cressey cautioned that companies can't rely on cybersecurity compliance to prevent attacks.
Cybersecurity is no longer an IT issue, he said, but instead a fiduciary risk that should be actively addressed by C-suite executives and boards.
The answer lies in how companies respond to threats.
"If you do a better job of managing your cyber-risk with the existing tools that are out there, you'll create a narrative that, if you are breached, you're able to explain that you took reasonable care and followed reasonable processes to minimize the impact of that breach," he said. "That will help you and make your general counsel feel better, and that will also help you with your board and your shareholders."