Industry Group Shares Alerts

It seems logical that one way for financial institutions to protect their systems is to share real-time alert information about security attacks, and various techniques for stopping them. Surprisingly, until recently there was no formal way for the financial services industry to do that.

Enter the Financial Services Information Sharing and Analysis Center (FS/ISAC). Originally created in 1999 in response to a Presidential Directive issued in 1998 that urged critical infrastructure industries to share information about security vulnerabilities, the FS/ISAC has gained momentum in just the last two years and recently launched a significantly enhanced "Next Generation" set of services to help financial services companies tap into urgent threat and vulnerability analysis.

No doubt the rise in cyber threats like worms and viruses, and the increase in terrorist activity, has played a role in the increased presence and value of the FS/ISAC. But there is also a growing recognition of the potency of pooling information, even if that means giving it to your competitor.

"That's the power of this thing — institutions sharing with institutions," says Rhonda MacLean, corporate security executive at Bank of America Corp. and until May, the chair of the Financial Services Sector Coordinating Council. The FSSCC is an organization of associations working in the financial services industry that has been formed to promote the FS/ISAC to banks and other financial services companies, among other responsibilities. "Our collective knowledge is irreplaceable."

The nearly 30 financial services associations that are members of the FSSCC worked feverishly during MacLean's two-year tenure to expand the knowledge base and the information delivery capabilities of the FS/ISAC. Increasing membership penetration among all sectors of the industry remains a top priority for the incoming chair, Don Donahue, who is also chief operating officer of New York-based Depository Trust and Clearing Corp., as well as president of two of its subsidiaries, Depository Trust Co. and National Securities Clearing Corp.

In 2002, when MacLean took over the FSSCC, only about 40 institutions had joined to receive information about threats through the FS/ISAC. Now there are about 400 fee-paying members, as well as more than 8,000 institutions that, via what is likely a temporary arrangement, receive early warnings about threats at no cost.

One limitation is that the associations cannot realistically be in communication with their members 24 hours a day, seven days a week, and particularly not on weekends, which is when most worms and viruses break out, Donahue says. "We certainly feel that direct communication with all financial services companies is where we need to get to," he says. "We believe we will phase out the third-party communication vehicle in the near future."

The FSSCC is urging larger banks and financial services companies to become members of the FS/ISAC at several major funding levels, which for an annual fee grants them not only early warnings of threats, but also access to bi-weekly information-sharing teleconferences, two conferences a year, and multiple ways to access the FS/ISAC database of vulnerabilities. Involvement of these major companies is essential to the operations of the FS/ISAC.

BAI is taking a lead role in working with the FSSCC associations to actively and consistently communicate the value proposition and solicit membership in the FS/ISAC. "Our ability to protect the infrastructure of the financial services sector is increased geometrically if all financial institutions, insurance companies, brokerage firms, mutual fund companies and exchanges are part of this network," says Thomas P. Johnson Jr., BAI's president and chief executive. "The FSSCC is playing a critical role to make this happen."

MacLean said Bank of America has received a great deal of value from being a founding member of the FS/ISAC. In one of the information-sharing sessions, for example, an institution relayed that it had found optical scanners attached to modems in its international wire-transfer room. Information pertaining to the wire transfers was being scanned and transmitted before the documents could be shredded.

Bank of America now has its wire room checked for wireless communication devices. "If I had stayed up all night I never would have thought of that one," MacLean said. "The criminals are getting sophisticated and they share information. It's high time that institutions started sharing too. We've got to stay ahead of these guys."

For more information, see FSISAC.com.

— Chris Costanzo