Building a Cybersecurity Framework
Businesses increasingly rely on the Internet to run the systems that carry goods to market, provide gas for cars and engage in trade. Collectively, these diverse systems represent the nation’s cyber-critical infrastructure. Linking banking infrastructure to the Internet brings considerable benefits, but dependence on this critical infrastructure also brings vulnerability to unforeseen disruptions. Unfortunately, threats against the nation’s cyber-critical infrastructure are numerous, and can include sophisticated criminal activity, both domestic and foreign.
Because of the importance of our cyber-critical infrastructure, and the seriousness of the threats, the president issued an executive order in February directing federal departments and agencies to use existing authorities to provide better cybersecurity for the nation. These efforts will by necessity involve increased collaboration between the government and private sector, including banks.
Creating a framework
The executive order directed the National Institute of Standards and Technology (NIST) to collaborate with stakeholders to develop a voluntary framework for reducing risks to critical infrastructure, consisting of standards, guidelines and best practices. The prioritized, flexible, repeatable and cost-effective approach of the framework will help manage cybersecurity-related risk, while protecting business confidentiality, individual privacy and civil liberties.
The cybersecurity framework is being developed in a transparent and collaborative way. NIST issued a request for information (RFI) and conducted a workshop to engage stakeholders. The agency collected, categorized and posted RFI responses and will conduct a second workshop to analyze those responses and identify common practices and themes. NIST is seeking open public comment and review throughout the process, and the financial services industry, which has deep expertise in privacy and security, should respond.
In June, the Federal Financial Institutions Examination Council (FFIEC) announced the formation of a working group to further promote coordination across the federal and state banking regulatory agencies regarding these issues. This Cybersecurity and Critical Infrastructure Working Group will enhance communication among the FFIEC member agencies and build on existing efforts to strengthen the activities of other interagency and private sector groups, such as the FFIEC’s Information Technology Subcommittee of the Task Force on Supervision, the Financial and Banking Information Infrastructure Committee, the Financial Services Sector Coordinating Council and the Financial Services Information Sharing and Analysis Center. These efforts are important in light of the growing sophistication and volume of cyber attacks and the global importance of protecting critical financial infrastructure.
The financial services industry has the opportunity to lead the cybersecurity discussion in protecting privacy and safeguarding personal, non-public information. Financial institutions and their service providers offer deep expertise in implementing standards related to administrative, technical and physical safeguards, including security and confidentiality of customer records and information; protecting against any anticipated threats or hazards to the security or integrity of such records; and defending against unauthorized access to or use of such records or information that could result in substantial harm or inconvenience to any customer.
NIST can benefit from the experience of financial services companies and their providers in this arena. The stakes could not be higher and the time to act is now. Here is what bankers can do:
- Review your best practices for security, including information security risk assessments, information security strategies, security controls, and monitoring techniques;
- Identify and share with NIST your best outcome-oriented metrics used to evaluate the status, position and progress of your information protection program;
- Review the annotated outline of the initial draft Cybersecurity Framework and offer commentary.
Increased public-private collaboration to develop a cybersecurity framework is essential to protecting the digital infrastructure that drives our nation’s commerce.
Mr. Hadley is CIO of Akron, Ohio-based Segmint Inc., a marketing technology company that helps businesses make their customer data instantly actionable. He is a former special advisor to the FFIEC inter-agency task force on e-banking. He can be reached at [email protected].