
How federal cybersecurity framework applies to banks

Treasury official explains 5 NIST core elements


A Treasury official recently spoke at length about how the National Institute of Standards and Technology cybersecurity framework, developed following Executive Order 13636, applies specifically to the financial sector.

“The NIST Framework has five basic or core elements: identify, protect, detect, respond, and recover,” said Cyrus Amir-Mokri, Treasury assistant secretary for financial institutions. He spoke at a seminar in March sponsored by the Securities Industry and Financial Markets Association.

“Briefly, as it applies to the financial system, one way to understand the framework is along three broad concepts: front-line resilience; crisis management; and recovery and continuity…These three elements map onto the NIST Framework as follows. The elements of identify, protect, and detect correspond to front-line resilience. The elements of detect and respond are essential to crisis management. Finally, the core element recover corresponds to recovery and continuity,” Amir-Mokri said.

He expanded on these three elements as follows:

Front-line protection: “Front line protection consists of the series of activities that help foil threat actors from either penetrating into a system or from causing damage in the event that they are able to penetrate…It is important for system design to rapidly detect such intrusion and be designed to prevent lateral movement and ready access to the whole network once a threat actor has penetrated. Most of this effort relies on the expertise of information technology and security professionals,” he said.

Also important, he emphasized, is the need for information sharing. This goes both ways between public and private entities, as well as between private entities themselves. The Financial Services Information Sharing and Analysis Center (FS-ISAC), in particular, is critical to this.

“We are mindful of the role that third parties play in providing information technology services to financial firms, whether they act as consultants, suppliers, or even participants in the delivery of financial services,” he said.

Incident Management: “Each firm ought to have protocols for managing and responding to a significant incident. Given the interconnectivity of the financial system and the structure of markets, however, we in government and in the financial sector must also think about incident management not just in terms of a single firm, but in terms of the financial system as a whole,” he said.

Furthermore, he said, “As we continue to work on and refine our communications protocols, it is important to bear two things in mind. First, within firms, communications between information technology personnel and business decision-makers need to be seamless. For example, information technology experts need to understand from business decision-makers what levels and kinds of impairment in network function may require interruption of services. Similarly, business decision-makers need to understand from information security experts what kinds of functions are realistic in the face of a cyberattack. Second, and for largely similar reasons, in times of crisis, it is critically important for the lines of communication between the private sector and government to be active and clear.”

Recovery: “Recovery consists, first, of restoring systems and services in the event a cyberattack leads to disruption of services, data corruption, or destruction, or entire systems failure. This aspect of recovery is largely driven by information technology expertise. However, there may be scenarios in which information technology cannot restore the data that was corrupted or destroyed. In the context of the financial system, such a situation may require protocols for dispute resolution and other post-crisis management of loss,” he said.

John Ginovsky

John Ginovsky is a contributing editor of Banking Exchange and editor of the publication’s Tech Exchange e-newsletter. For more than two decades he’s written about the commercial banking industry, specializing in its technological side and how it relates to the actual business of banking. In addition to his weekly blogs—"Making Sense of It All"—he contributes fresh, original stories to each Tech Exchange issue based on personal interviews or exclusive contributed pieces. He previously was senior editor for Community Banker magazine (which merged into ABA Banking Journal) and for ABA Banking Journal and was managing editor and staff reporter for ABA’s Bankers News. Email him at [email protected]
