Statue of Alexander Hamilton outside the US Treasury building
Banks and other financial services companies need to ask themselves 10 questions in preparing for the increasing inevitability of a cyber attack, said Deputy Treasury Secretary Sarah Bloom Raskin.
Speaking to the Texas Bankers’ Association last week, Raskin said the US Department of the Treasury works with Homeland Security in coordinating the government’s response to cyber threats faced by the financial sector.
Cyber risk is something “we already have the framework to understand,” she said, adding that it “falls squarely within the governance and oversight responsibilities of executive leaders and boards.”
The questions address the main areas of protection, communication and recovery:
1. Is cyber risk part of our current risk management framework?
2. Do we follow the NIST Cybersecurity Framework? (The National Institute of Standards and Technology released the Framework for Improving Critical Infrastructure Cybersecurity in February.)
3. Do we know the cyber risks that our vendors and third-party service providers expose us to, and do we know the rigor of their cybersecurity controls? (This means knowing all vendors and third-parties with access to your systems and data; ensuring that those third parties have appropriate protections to safeguard your systems and data; conducting ongoing monitoring to ensure adherence to protections, and documenting protections and related obligations in your contracts.)
4. Do we have cyber risk insurance? And if we do, what does it cover and exclude? (More than 50 carriers now offer some type of coverage for organizations of all sizes, Raskin said, adding that the underwriting process can help assess an institution’s risk levels.)
5. Do we engage in basic cyber hygiene? This includes knowing the devices connected to your networks, knowing what is running–or attempting to run–on your networks; knowing who has administrative permissions to change, bypass, or override system configurations and reducing that number to those who need those privileges. It includes patching software on a timely basis, and conducting continuous, automated vulnerability assessments and remediation. (The Center for Internet Security, which launched the Cyber Hygiene Campaign in April, has said estimates show that engaging in basic cyber hygiene can prevent 80 percent of all known attacks.)
6. Do we share incident information with industry groups? Attacks against one institution–as in the case of JP Morgan Chase this summer–tend to target others. (The primary information-sharing center for the financial services sector is the Financial Services Information Sharing and Analysis Center, known as the FS-ISAC, to which Treasury gives declassified threat and vulnerability information.)
7. Do we have a cyber-incident playbook and who is the point person for managing response and recovery?
8. What roles do senior leaders and the board play in managing and overseeing the cyber incident response? This means knowing when and which matters get escalated to the CEO, and whether the full board or a committee–like risk or audit–is initially tasked to oversee the response from a governance perspective. (Raskin added that Treasury is developing an exercise regime designed to test communication and decision-making during cyber incidents.)
9. When and how do we engage with law enforcement after a breach? (“If you need help making those connections, our team will facilitate those introductions,” Raskin said.)
10. When and how do we inform our customers, investors, and the general public? (Having draft messages for various scenarios is an important part of your bank’s playbook, given the possibility that events may be serious and fast-moving, Raskin said.)
