Major regulators, industry authorities and the White House are finally getting serious about cybersecurity. They are taking steps to help those financial services firms that are late to the game and offering support for those firms that already have strategies to fend off cyber-attacks.
- The core is a set of instructive cybersecurity activities and references, officials say. The activities have been organized by five functions – identify, protect, detect, respond and recover – that offer a high-level view of a financial services firm’s management of cyber risks;
- The profiles are intended to help a firm align cybersecurity activities with business requirements, risk tolerances, and resources, officials say. Firms can use the profiles to understand their current level of cybersecurity, set priorities, and measure progress toward an improved state of cybersecurity.
- The tiers section provides a way for firms to review their approaches and processes for managing cyber-risk, officials say. The tiers range from partial (Tier 1) to adaptive (Tier 4) and feature an “increasing degree of rigor in risk management practices.” The hierarchy of cybersecurity risk management is based upon business needs. In addition, firms achieve optimal levels of cybersecurity the more fully they integrate cybersecurity into their overall risk management practices, officials say.
Underpinning the framework, the Department of Homeland Security (DHS) has established the Critical Infrastructure Cyber Community (C3) Voluntary Program as a public-private partnership to raise awareness of the Cybersecurity Framework. The C3 Voluntary Program will help firms, along with federal, state, local, tribal, and territorial partners, connect to DHS and other federal government programs and resources, officials say. The goal is to let participants share lessons, get assistance, and learn about free tools and resources.
More guidance on cybersecurity is on the way from the SEC, FINRA and SIFMA.
Shortly after the White House’s framework announcement, the SEC announced that it will host a roundtable on March 26 about cybersecurity and the challenges it raises for market participants and public companies. The roundtable will be held in the agency’s Washington, D.C. headquarters, but the public will have access through a live feed via the SEC’s website. More information about the agenda and participants will be published over the coming weeks.
For its part, FINRA has begun a sweep of selected firms and their management of cyber-security threats. FINRA is focusing on how IT and systems can be attacked from multiple sources. The sweeps will also encompass the “potential harm to investors, firms, and the financial system as a whole that these threats pose,” according to FINRA.
FINRA says its policy goals in performing these assessments are to:
- Better understand the types of threats that firms face;
- Gauge the risk appetites, exposure and major areas of vulnerabilities of firms and their IT systems;
- Gather more information about firms’ approaches to managing cyber-threats, including risk assessment processes, IT protocols, application management practices and supervision;
- Share observations and findings among firms.
On another front, Kenneth E. Bentsen, Jr., president and CEO of SIFMA, praised the Obama Administration and NIST for moving in the right direction about cybersecurity, adding that it’s “a top priority for our sector.”
The NIST framework is “a meaningful step forward in protecting the nation as it establishes a voluntary set of standards that can be applied across all industries to help reduce cyber risks to our nation’s critical infrastructure,” Bentsen said in a statement. “We appreciate NIST’s open and inclusive process in developing its framework, which further demonstrates the deep commitment of both the administration and the industry to a productive public-private partnership on cybersecurity.”
SIFMA will be working with its members to promote the framework and its implementation. “The financial industry already employs many of the standards identified in the framework and is continuously working to improve its defenses through exercises such as SIFMA’s Quantum Dawn 2 drill, which simulated a systemic attack on the markets and enabled firms and government agencies to test their response plans,” Bentsen said.
Bentsen also urged Congressional action to strengthen the public-private partnership. “We strongly encourage Congress to make cybersecurity a priority and pass legislation that facilitates improved information sharing and enables the industry and government agencies to work together in the most effective way possible,” he said.
SIFMA itself is taking action and will hold an educational event, “Cybersecurity Standards: Exploring the NIST Framework,” on March 18 at its conference center in New York. The event will feature representatives from NIST, DHS, the U.S. Department of Treasury, the national security staff of the White House, and others who helped craft the framework.