Treasury Wants to Collect More Cyber Risk Details From Banks
Agency Wants to Gather More Data to Support Security of Financial Infrastructure
The U.S. Treasury Department is proposing to collect more information from banks and financial markets about the cybersecurity risks they face, according to notices posted in the Federal Register.
The goal is to better secure the country's financial infrastructure at a time of increasing concern over how a targeted attack might affect it.
The Federal Reserve Bank of New York recently released findings from a study that found if a cyberattack targeted one of the five most active banks in the U.S., it could have a major ripple effect throughout the financial system (see: Cyberattack on a Major Bank Would Have Ripple Effect: Study).
U.S. financial firms experience up to 300 times more cyber incidents in a year than organizations in other sectors, according to a report by the Boston Consulting Group.
Notice in Federal Register
In a notice published in the Federal Register on Wednesday, the Office of Cybersecurity and Critical Infrastructure Protection, which is a part of the Treasury Department and has responsibility for protecting the country's financial infrastructure from attacks, proposes to collect more information from the private sector to understand the potential cyber risks to U.S. financial services. The notice doesn't specify what data the Treasury Department is looking to collect as part of this proposed process.
"This information collection will support [Office of Cybersecurity and Critical Infrastructure Protection's] efforts to identify cybersecurity and operational risks to and interdependencies within U.S. financial services sector critical infrastructure and to work collaboratively with industry and interagency partners to develop risk management and operational resilience initiatives," according to the notice.
The Treasury Department will accept public comments about its proposal through March 23 before finalizing its plans.
Changing the Rules
Over the last week, the Treasury Department and the Office of the Comptroller of the Currency, which is an independent agency within the Treasury, published separate notices asking the public and other federal agencies to comment on whether the collection of more information is needed for the proper functioning of the agencies.
Under rules outlined in the 1995 Paperwork Reduction Act, the Treasury and the Office of Cybersecurity and Critical Infrastructure Protection can only collect data from a limited number of private firms at a time. If the new proposed guidelines are approved, Treasury officials say, the department would be able to collect more data and have greater insights into what's happening across the financial sector.
"Part of our mission … is looking at the implementation of best practices," Elizabeth Irwin, a cyber policy adviser at the Treasury Department, told NextGov.
Many U.S. banks and financial institutions already report information about cybersecurity and risk to a number of regulatory agencies, including the Federal Financial Institutions Examination Council and the Federal Reserve, says Chris Pierson, CEO of cybersecurity firm Blackcloak. He’s a member of the U.S. Department of Homeland Security's Data Privacy and Integrity Advisory Committee.
"On the surface it seems like this request [to collect more information] might be duplicative if information already is available to regulators," Pierson tells Information Security Media Group. "At a strategic level, gaining insight into the cybersecurity stance of the entire financial ecosystem is a worthwhile endeavor, even if something like this should already have been completed a decade ago and the data to do so already exists."
In a 2015 report, the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency noted that a shared understanding of the sector is important for protecting against cyberthreats.
"Effectively reducing the sector's physical and cybersecurity risk requires a shared understanding of the critical services the sector provides, the specific security and resilience risks it faces, and the collaboration mechanisms used among the sector’s security and resilience stakeholders," according to the report.
New Security Threats
The updates from the Treasury Department also come after two Democratic congressmen sent letters to nine federal financial regulatory agencies, including the Treasury Department and the Office of the Comptroller of the Currency, asking them to shore up cyberdefenses in the sector due to increasing security threats from Iran (see: Congressmen Call for Enhanced Financial Sector Security).
"We urge you, our nation's financial regulators, to work in coordination with law enforcement and regulated entities to increase sharing of appropriate cyber threat information," the two congressmen wrote. "We request that your institutions communicate a strategy to further mitigate existing cyber vulnerabilities within our financial institutions by March 2020."