FSOC: A Call For Cybersecurity Action
More Information Sharing Needed in Wake of BreachesOngoing cyber-attacks waged against the financial infrastructure have exposed gaps that cybercriminals are exploiting. As a result, cyber-intelligence sharing, as well as oversight of third parties, should be priorities for banking institutions, according to the Financial Stability Oversight Council's just-released annual report.
The FSOC, which is chaired by the Secretary of the Treasury, was established in 2010 by the Dodd-Frank Wall Street Reform and Consumer Protection Act to identify risks to the financial stability of the United States and respond to emerging threats. Companies identified by the council as being systemically important to the financial system, even those that fall outside bank regulatory oversight, may be subject to regulation, supervision and examination by the Federal Reserve.
The council says regulators and the Treasury Department need to take steps to ensure that adequate cybersecurity precautions are being taken by banking institutions, market utilities, service providers and other third parties that could be targeted by cyber-attacks.
This is the first time the FSOC, in its annual report, has specifically noted the risks posed to financial services by outside parties. And while distributed-denial-of-service attacks were named as catalysts for enhanced information sharing in the FSOC's 2013 report, this year marks the first time the council has given recommendations for regulatory involvement in cross-border cyber-intelligence sharing.
The council recommends that the Treasury Department work with banking regulators and other appropriate government agencies, such as the Federal Financial Institutions Examination Council, as well as private financial firms, to improve information sharing about cyber-threats and other risks facing the U.S. financial system.
The FSOC also says the Finance and Banking Information Infrastructure Committee, banking institutions and financial-sector coordinating bodies should establish, update and test their crisis communication plans to address cyber-incidents and enable coordination with international regulators to assess risks and share information.
Third-Party Risks
In the wake of the Target Corp. breach, which exposed an estimated 40 million U.S. credit and debit accounts, the FSOC report highlights emerging concerns posed by third parties and new challenges that have surfaced because of the interconnectedness of commerce.
"The vulnerabilities posed by cross-sector dependencies and interconnected systems across firms, markets, and service providers can lead to significant cybersecurity risks," the FSOC states. "These risks could impact economic security, demanding a coordinated and collaborative government-wide commitment and partnership with the private sector to promote infrastructure security and resilience."
Michael Coleman, director of regulatory affairs for the National Association of Federal Credit Unions, praised the report for emphasizing the need for third parties to beef up their security measures.
"NAFCU recognizes that cybersecurity is a sector-wide concern and, as such, continues to urge that merchants who handle financial data be subject to the same stringent regulatory requirements that credit unions and other financial institutions are under the Gramm-Leach-Bliley Act," Coleman says. "In general, NAFCU supports industry information sharing groups as one of the steps to monitor cybersecurity and data security issues and share guidance, policies, and procedures."
FSOC's Recommendations
In its report, the council also recommends banking regulators:
- Focus on cybersecurity awareness campaigns;
- Assess how banking institutions and other regulated entities are following regulatory requirements and non-regulatory principles, such as the National Institute of Standards and Technology Cybersecurity Framework, to enhance security; and
- Continually gauge cyber-related vulnerabilities and identify gaps in oversight that need to be addressed.
The FFIEC, too, has highlighted the need for more information sharing. In May, it announced plans for new cybersecurity assessment and examination processes to which banking institutions will soon be expected to adhere (see FFIEC Cyber Assessments: What to Expect ).
From an information sharing perspective, Coleman says the recommendations provided by the FSOC and FFIEC make sense on paper. And the reality is, he adds, that most banking institutions already support information-sharing processes.
But institutions and banking groups such as the NAFCU fear that too much regulatory oversight of information sharing and cybersecurity risk assessments could put undue burden and expense on the shoulders of smaller banks and credit unions, Coleman says.
"While we support regulators providing guidance similar to the voluntary NIST framework, we do not believe increased regulation and added compliance costs to credit unions is the solution," Coleman says. "Credit unions and other financial institutions already have a solid track record of security under Gramm-Leach-Bliley. Cybersecurity and data security are very specific to the institution and cannot be addressed through a one-size-fits-all standard or rule. Rather, NAFCU would support additional non-mandatory guidance that would serve to help raise credit union awareness and give credit unions the tools to strengthen their policies."
But an information security officer who works for a Midwest-based community institution, who asked not to be named, says banking institutions should embrace the recommendations noted by the FSOC.
"Financial institutions need to be constantly looking at the tools, guidance and collaborative opportunities available to them and make every effort to assess risk and put the appropriate mitigating controls and practices in place," the executive says. "We must have procedures in place to deal with the discovery of cybersecurity incidents. During the vetting process, we must require vendors to complete an IT security questionnaire by asking questions that pertain to cybersecurity measures third-party vendors employ."
Stan Orszula, who works in the corporate services practice at the law firm Quarles & Brady, says banking institutions and other entities that touch financial services and payments should be bracing for more regulatory oversight.
"I certainly think the regulators are concerned about banks', especially community banks, abilities to defend themselves against cyber-attacks," he says. "This is consistent across all the agencies, and I think you'll see it manifest itself at the community bank level, where banks will be expected to spend significant amounts of time and resources overseeing vendors."
Information Sharing Barriers
Among the leading cybersecurity concerns noted by the council in its report are domestic and international legal barriers that hinder cyber-intelligence sharing.
"The council recognizes the importance of removing legal barriers to information sharing between public- and private-sector partners to enhance overall awareness of cyber-threats, vulnerabilities and attacks, including through Congress' passage of comprehensive cybersecurity legislation," the FSOC states.