(Archived Content)
NEW YORK- Thank you for having me here today as part of your Cyber Risk North America 2016 conference.
The title of my remarks is “Treasury’s Role in Financial Sector Cybersecurity,” so let’s start at the beginning—specifically, September 2, 1789. The Act of Congress establishing Treasury states that “it shall be the duty of the Secretary of the Treasury to digest and prepare plans for the improvement and management of the revenue, and for the support of public credit . . .” The Act specifies, in addition to the Secretary, a number of other officers: a Comptroller, an Auditor, a Treasurer, a Register, and an Assistant. They hadn’t yet created the role of Chief Information Security Officer (CISO)—but we have one today. Because Treasury, too, is an integral part of the financial sector and we recognize that carrying out the Secretary’s first duty, as articulated in the Act establishing Treasury, depends upon a resilient financial system that taxpayers, depositors, and citizens all have complete trust and confidence in.
This audience is well aware of the recent history of malicious cyber activity that has focused the Nation: Sony Pictures, JP Morgan Chase, Target, Premera, Anthem, and the Office of Personnel Management, to name a few examples. As many of these incidents and others demonstrate, the cybersecurity challenges we are confronting extend beyond stolen credit card data and identity theft. Indeed, while we haven’t experienced destructive malware in the U.S. financial sector, we see it as a significant risk to the sector and the Nation’s critical infrastructure. As the FBI stated, the attacks on Sony rendered thousands of the company’s computers inoperable, forced Sony to take its computer network offline, and disrupted the company’s business operations. Trust and confidence in a major financial institution could be affected if it suffered this sort of attack.
The financial sector is one of our Nation’s critical and vital infrastructures. The financial institutions gathered here today carry out a range of activities fundamental to the effective functioning of our economy, such as clearing, payments, custody, settlement, deposit taking, and lending. Through a Presidential Policy Directive, it is the responsibility of the Treasury Department to coordinate the cybersecurity and resiliency of the Nation’s critical financial services infrastructure, in partnership with law enforcement, the intelligence community, homeland security partners, and financial regulators.
Treasury’s approach to enhancing financial sector cybersecurity is organized in four primary areas. First, we promote the adoption of baseline protections and best practices by financial institutions of all types. Second, we identify and facilitate the sharing of timely, reliable, and actionable information regarding cybersecurity threats, incidents, and responses. Third, we develop effective arrangements to assist the financial sector to promptly respond and recover from cyber incidents and to maintain the resilience of critical functions. Fourth, we assist in disrupting illicit cyber activities and actors. Let me elaborate on each of these areas in turn.
Baseline Protections and Best Practices
Earlier speakers and panels at this conference have already discussed baseline protections and best practices, and how to construct and implement an effective cybersecurity program. I believe it is a basic, shared tenet among all of us here that firms’ policies, procedures, and controls to prevent penetration of their networks and systems, and to limit damage once access has been gained, ought to be calibrated proportionally to the cybersecurity risks presented by their businesses and operations. I would note that we encourage use of the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework in this regard. It is a thematically organized, risk-based approach to managing cybersecurity that can help identify your firm’s cyber posture and determine its risk profile and tolerance.
We find that one of the NIST Framework’s most significant contributions is in helping to establish a common lexicon for firms and public authorities to discuss cyber risk management. I see multiple ways in which the NIST common lexicon facilitates effective communication about cybersecurity risks. As an example, the NIST Framework can help firms better manage risks associated with third-party service providers. I would note that the Bank Service Company Act provides federal banking agencies with the authority to regulate and examine certain services performed by a third-party service provider to the same extent as if the services were performed by the depository institution itself.[1] The Dodd-Frank Act has a similar provision for federal supervisory agencies to examine whether services provided to financial market utilities comply with applicable law, rules, orders, and standards.[2] I see the NIST Framework as helping to facilitate at least two conversations that the firm has to have—one, between a firm and its regulators as part of the supervisory process, and two, between a firm and its third-party service providers as part of conducting due diligence, contracting for service, and setting up back-end safeguards. To take another example, we know that firms and supervisory authorities in other countries consult and often incorporate the NIST Framework into their own national approaches—so the NIST Framework could help prevent discussions about managing cybersecurity risks from being lost in translation in the cross-border context.
Information Sharing
The second area where we are devoting substantial attention is information sharing. This sharing takes a few different forms but often involves the exchange of descriptive information about cybersecurity threats that firms can use to better understand and defend themselves against malicious cyber activity. Many financial companies, of all sizes, face similar, if not identical, threats that can lead to the next massive data breach or worse. The more companies who are securely exchanging greater amounts of information about threats with each other and with the government—while of course safeguarding consumers’ privacy and civil liberties—the better off we all are. That is why we supported the recent passage of the Cybersecurity Act of 2015, which promotes the timely sharing and receipt of cyber threat indicators among private sector entities, and between the private sector and the federal government.
Valuable cybersecurity information also sometimes comes from government, and Treasury has established the Financial Sector Cyber Intelligence Group (CIG) to help identify information government possesses that may be useful to firms and to share that in a timely and actionable fashion with companies in the financial sector. In addition, the FBI and Department of Homeland Security have also recently undertaken significant efforts to expand their information sharing activities.
Many financial services sector companies are on the cutting edge of sharing cyber information among themselves and with government. The Financial Services Information Sharing and Analysis Center (FS-ISAC) plays an important role in defending the U.S. and global financial sector; it has nearly 7,000 members including all manner of financial companies and their key service providers. I hope you are already participating in the FS-ISAC’s work and, if not, would strongly consider doing so. It is critical that more firms participate, especially smaller institutions, given the powerful network effects of the FS-ISAC’s information sharing efforts.
The next frontier of our information sharing regime is moving beyond the sharing of threat indicators to anonymized sharing of deeper, structural vulnerability information, so that we can better understand the relationship between attack vectors and the severity of impact. If we can share information about the nature of the vulnerabilities or an analysis of how controls were circumvented prior to a successful attack in a particular institution, we can all make sure to shore up defenses of these penetration points in our own institutions.
Response and Recovery
The third area of cybersecurity I want to highlight is responding to and recovering from cyber incidents. Despite the best-intentioned and well-resourced baseline protections, cybersecurity incidents will continue to occur. The purpose of effective response and recovery arrangements is to help the financial sector maintain the resiliency of its critical functions in order to reassure the public and protect valuable assets. One way we think about response and recovery—and this is also how we encourage the private sector to consider thinking about it—is in terms of a playbook for significant cyber incidents. Your firm’s response and recovery playbook should clearly set out the roles and responsibilities of your board, management, incident response teams, and other key individuals internally—as well as how those individuals will notify and coordinate with external parties, such as regulators, law enforcement, business partners, vendors, clients, and customers. And the playbook should not stay on the shelf—for a playbook to be credible, it should be exercised and updated regularly.
At Treasury, we are developing our own response and recovery arrangements in coordination with the regulatory agencies on the Financial and Banking Information Infrastructure Committee (FBIIC) and with the Financial Services Sector Coordinating Council (FSSCC), as well as our other government partners. Since December 2014, Treasury has completed several public/private, large-scale cybersecurity exercises to test processes for responding to destructive malware attacks. And following up on the announcement in January 2015 by President Obama and UK Prime Minister David Cameron, we carried out an exercise last fall with our UK counterparts that brought together more than 100 participants from the financial sector and the U.S. and UK governments.
There is more to come. As part of the Cybersecurity National Action Plan announced by President Obama this past February, the Administration will publicly release a policy for national cyber incident coordination and an accompanying severity methodology for evaluating cyberattacks, so that government agencies and the private sector can communicate and respond consistently and effectively to major cyber incidents.[3]
Deterrence
The fourth area around which our activities are organized is deterrence, which I’ll touch on just briefly today. Malicious cyber actors—wherever located—can pose a broad risk to international stability and security, including to the U.S. and global financial systems. Pursuant to an Executive Order (E.O.) issued by President Obama last April, the Secretary of the Treasury is now authorized to impose targeted financial sanctions on individuals or entities whose malicious cyber conduct has contributed to a significant threat to the national security, foreign policy, or economic health or financial stability of the United States. Treasury’s sanctions authority is only one part of the Administration’s comprehensive strategy to confront malicious cyber actors—especially those who target our critical infrastructure—and Treasury’s efforts support and are supported by diplomatic engagement, trade policy tools, and law enforcement mechanisms.
Interconnectivity and Implications for Risk Management
Each of these four areas of focus for Treasury recognizes that the financial sector is becoming more interconnected over time through a wide range of complex inter-relationships across institutions, both public and private, and across borders. The information sharing efforts I described earlier promote inclusiveness in order to harness the power of network effects, which are made more valuable by interconnectivity. Our response and recovery efforts emphasize the need to be aware of key dependencies in the supply chain, such as third party vendors. Our sanctions tool supports the Administration’s efforts to address the onslaught of malicious cyber activities directed at the United States and our core interests, often enabled by the Internet. The people and institutions of the world are increasingly linked, closer by the day, and our efforts must reflect this reality.
In the final portion of my remarks, I want to address the implications of this increasing interconnectivity on risk management principles and practices, because risk management is the organizing theme for this conference after all. Consider, for a moment, a type of risk that had existed for much of history: slow, uncertain payments and settlement over long distances. In 1974, a privately owned German bank called Herstatt Bank failed before its foreign exchange transactions with counterparties could be finalized in New York. Herstatt’s failure, and the settlement risk it starkly revealed in the cross-border context, helped spur the creation of the Basel Committee on Banking Supervision, and in following decades, developments towards real time gross settlement systems, and the launch of the Continuous Linked Settlement (CLS) Bank, the central settlement hub for foreign exchange transactions.
Over the decades, focal points like CLS have arisen across the financial system, representing hubs connected by a complex web of spokes to the institutions they serve (and each other) by utility-like payment systems, such as Fedwire. These coordinating entities help manage the risks we used to bear mostly on an individual basis as firms and public authorities. In this sense, greater levels of interconnectivity to these focal points—central clearing and settlement institutions, major banks and exchanges, and the payment systems that connect them—have helped strengthen the global financial system by increasing speed, enhancing convenience, reducing costs, and mitigating many risks. But when cyberattacks occur and especially when they succeed in disrupting operations, they can create a sense that interconnectivity is a weakness rather than a strength, and that striking a single point could cause systemic failure. I believe that both are true—interconnectivity is a source of great strength and vulnerability. And so our approaches to risk management, while embracing the value in our relationships, must keep pace and adapt to address the hazards inherent in a growing set of interdependencies.
Toward that end, I would posit that risk management approaches should embrace the following objectives. First, they should be broad. They must look well beyond internal systems to identify weaknesses that may exist both upstream and downstream in the supply chain. They should clearly identify the critical nodes in the network that represent the highest levels of risk. Second, they should ensure these critical nodes adhere to the highest control standards. Business continuity plans that include robust “offline” capabilities, alternative backups for key activities (even if manual), and appropriate liquidity risk management plans in a stress scenario are imperative. Third, they should involve cross-sectoral coordination efforts. Rapid and robust information sharing with key partners, as well as conducting exercises and scenario planning with these institutions, including service providers and appropriate public authorities, is of prime importance. Fourth, they must be sufficiently flexible and adaptable to anticipate the exponential pace of technological change and increasing complexity of our connections. And finally, for global institutions, they must pay particular attention to the added complexities of cross-border coordination, including differing, and occasionally competing, standards, systems, and regulations.[4]
Our collective mission—at Treasury, with our government partners, and with all of you in the private sector—then is to ensure that mission-critical nodes of our financial services infrastructure can absorb shocks and maintain the resiliency of our interconnectivity. As such, we have not only identified critical functions and mapped our financial infrastructure—those are essential prerequisites—but we are also working together with the private sector to ensure that there are clearly substitutable options within, and bridges of redundancy across, the financial infrastructure that would improve our system’s overall resilience. To that end, over the course of this year, we plan to hold a number of exercises focused on the interactions between operational processes and the actions required to maintain financial stability in the context of a major cybersecurity incident. And given the importance of cross-border coordination in the face of a severe cyber incident, Treasury and our fellow finance ministries and central banks in the G-7 have launched a working group on financial sector cybersecurity, which I serve on and which is co-chaired by Treasury and the Bank of England, to expand our understanding of cyber-related risks as they relate to the global financial sector, take stock of national approaches to cybersecurity in the financial sector, and explore possible next steps.
Conclusion
The firms represented here are investing significant resources in time, money, and energy to address the cyber challenge. Your firms’ actions—to adopt leading practices, share information, prepare for response and recovery, partner with public authorities—matter a great deal for the overall resiliency of the U.S. financial sector and the international financial system. Cybersecurity risks, dynamic and evolutionary as they are, require all of us to prepare, learn, and adapt. Our efforts are part of a meaningful endeavor that citizens and customers rightfully expect and a journey we must continue on to ensure our collective security and prosperity.
Thank you.
###
[1] 12 U.S.C. § 1867.
[2] 12 U.S.C. § 5466.
[4] See Committee on Payment and Settlement Systems, The interdependencies of payment and settlement systems, (Basel: Bank for International Settlements, June 2008), accessible at http://www.bis.org/cpmi/publ/d84.pdf.