Financial Services as Critical Infrastructure: Four Goals for Security
The financial services sector is a vital component of the critical infrastructure of governments worldwide. It encompasses a vast number of businesses, from multinational organizations to small firms servicing local communities. It also incorporates physical institutions alongside an ever-increasing array of electronic services knitted together by a network of systems with myriad entry points. But because of its immensity, the financial services sector is subject to a wide array of security issues, ranging from natural disasters to man-made events and cybersecurity attacks.
In the U.S., the Department of Homeland Security (DHS) published a 2015 Financial Services Sector-Specific Plan as part of its overall National Infrastructure Protection Plan. The first plan for the financial services sector was published in 2010, and there have been a number of accomplishments in the intervening period. These include the creation of a public-private cybersecurity exercise program that enables incident response processes to be tested and improved, a significant expansion of cybersecurity information-sharing capabilities, the establishment of joint working groups to advance specific tasks, the formalization of processes for coordinating technical assistance activities and expanded collaboration with cross-sector and international partners.
The financial services plan emphasizes information sharing and resilience among the community of private organizations, government agencies and international partners, based on shared awareness of threats and vulnerabilities and a coordinated rapid response to any significant incidents that occur. The four primary goals that have been set for the financial services sector are:
1. Information Sharing
Information sharing remains a top priority not only for those in the financial services sector but also for the other spheres that make up the nation’s infrastructure. This goal prioritizes structured information-sharing processes and routines. All financial-sector organizations are encouraged to participate in information-sharing programs that have been set up by the government, including those regarding threats and incident response efforts.
2. Best Practices for Critical Infrastructure
The government is encouraging greater usage of the National Institute of Standards and Technology Cybersecurity Framework. Due to the highly interconnected nature of the financial sector, a weakness in one party may increase risk for the entire industry. The DHS is therefore emphasizing the development and use of best practices to manage third-party risk. To help financial organizations to identify the risks they face and determine their level of cybersecurity preparedness, the Federal Financial Institutions Examination Council has developed a cybersecurity self-assessment tool, which every financial services firm should look into.
3. Incident Response and Recovery
The DHS also encourages collaboration to improve incident response and recovery capabilities. The document urges all organizations in the financial services sector to regularly test their incident response plans through exercises that improve and develop strong organizational relationships with incident responders, on both an individual and a collaborative basis.
4. Policy Support
Lastly, the DHS plan urges private-sector organizations to participate in policy and regulatory development initiatives that aim to enhance critical-infrastructure security and resiliency. The government believes input from those in the private sector is imperative for the development of new technologies that enhance the nation’s financial services infrastructure.
Ensuring security in the financial sector is essential, and it requires a collaborative effort from everyone involved. However, although financial networks are vital for a thriving economy, they’re just one piece of the puzzle. The industry’s efforts shouldn’t be made in isolation — they should be part of a larger plan that involves other parts of the critical infrastructure, including electricity, communications and transportation networks.