A Treasury official recently spoke at length about how the National Institute of Standards and Technology cybersecurity framework, which followed Executive Order 13636, applies specifically to the financial sector.
“The NIST Framework has five basic or core elements: identify, protect, detect, respond, and recover,” said Cyrus Amir-Mokri, Treasury assistant secretary for financial institutions. He spoke at a seminar in March sponsored by the Securities Industry and Financial Markets Association.
“Briefly, as it applies to the financial system, one way to understand the framework is along three broad concepts: front-line resilience; crisis management; and recovery and continuity… These three elements map onto the NIST Framework as follows. The elements of identify, protect, and detect correspond to front-line resilience. The elements of detect and respond are essential to crisis management. Finally, the core element recover corresponds to recovery and continuity,” Amir-Mokri said.
He expanded on these three elements as follows:
Front-line protection: “Front line protection consists of the series of activities that help foil threat actors from either penetrating into a system or from causing damage in the event that they are able to penetrate…It is important for system design to rapidly detect such intrusion and be designed to prevent lateral movement and ready access to the whole network once a threat actor has penetrated. Most of this effort relies on the expertise of information technology and security professionals,” he said.
Also important, he emphasized, is the need for information sharing. This sharing runs in both directions between public and private entities, as well as among private entities themselves. The Financial Services Information Sharing and Analysis Center, in particular, is critical to this.
“We are mindful of the role that third parties play in providing information technology services to financial firms, whether they act as consultants, suppliers, or even participants in the delivery of financial services,” he said.
Incident Management: “Each firm ought to have protocols for managing and responding to a significant incident. Given the interconnectivity of the financial system and the structure of markets, however, we in government and in the financial sector must also think about incident management not just in terms of a single firm, but in terms of the financial system as a whole,” he said.
Furthermore, he said, “As we continue to work on and refine our communications protocols, it is important to bear two things in mind. First, within firms, communications between information technology personnel and business decision-makers needs to be seamless. For example, information technology experts need to understand from business decision makers what levels and kinds of impairment in network function may require interruption of services. Similarly, business decision makers need to understand from information security experts what kinds of functions are realistic in the face of a cyberattack. Second, and for largely similar reasons, in times of crisis, it is critically important for the lines of communication between the private sector and government to be active and clear.”
Recovery: “Recovery consists, first, of restoring systems and services in the event a cyberattack leads to disruption of services, data corruption, or destruction, or entire systems failure. This aspect of recovery is largely driven by information technology expertise. However, there may be scenarios in which information technology cannot restore the data that was corrupted or destroyed. In the context of the financial system, such a situation may require protocols for dispute resolution and other post-crisis management of loss,” he said.