A Government Accountability Office (GAO) review has found that the Treasury Department and other federal agencies are taking steps to reduce cyber risks threatening the financial services sector. However, GAO says Treasury is failing to track or prioritize these efforts.
The financial services sector, a critical component of the nation’s infrastructure that holds over $108 trillion in assets, is an increasingly attractive target for cyber-based attacks. The sector includes banks, mutual funds, and securities dealers.
A Boston Consulting Group report found that financial services firms are 300 times more likely than other companies to be targeted by a cyber attack.
Key risks include an increase in access to financial data through information technology service providers and supply chain partners; a growth in sophistication of malware; and an increase in interconnectivity via networks, the cloud, and mobile applications.
Cyberattacks that exploit risks can occur against either public or private components of the sector. For example, in February 2016, hackers were able to install malware on the Bangladesh Central Bank’s system through a service provider, which then directed the Federal Reserve Bank of New York to transfer money to accounts in other Asian countries. This attack resulted in the theft of approximately $81 million.
GAO found that several industry groups and firms are taking steps to enhance the security and resilience of the U.S. financial services sector through a broad range of cyber risk mitigation efforts. These efforts include coordinating within the sector through groups such as the Financial Services Sector Coordinating Council and the Financial Systemic Analysis and Resilience Center, conducting industrywide incident response exercises, sharing threat and vulnerability information, developing and providing guidance in conducting risk assessments, and offering cybersecurity-related training.
The review found that the Department of Homeland Security (DHS) and the Treasury and federal financial regulators are also taking multiple steps to support cybersecurity and resilience through risk mitigation efforts. Among other things, federal agencies provide cybersecurity expertise and conduct simulation exercises related to cyber incident response and recovery.
Treasury, as the designated lead agency for the financial sector, plays a key role in supporting many of the efforts to enhance the sector’s cybersecurity and resiliency. For example, Treasury’s Assistant Secretary for Financial Institutions serves as the chair of the committee of government agencies with sector responsibilities, and Treasury coordinates federal agency efforts to improve the sector’s cybersecurity and related communications.
However, GAO found that Treasury does not track efforts or prioritize them according to goals established by the sector for enhancing cybersecurity and resiliency. Treasury also has not fully implemented GAO’s previous recommendation to establish metrics related to the value and results of the sector’s risk mitigation efforts. Further, GAO says the 2016 sector-specific plan, which is intended to direct sector activities, does not identify ways to measure sector progress and is out of date. Among other things, the sector-specific plan lacks information on sector-related requirements laid out in the 2019 National Cyber Strategy Implementation Plan.
GAO warns that unless more widespread and detailed tracking and prioritization of efforts occurs according to the goals laid out in the sector-specific plan, the sector could be insufficiently prepared to deal with cyber-related risks, such as those caused by increased access to data by third parties.
The watchdog made two recommendations to Treasury. First, that it tracks the content and progress of sectorwide cyber risk mitigation efforts, and prioritizes their completion according to sector goals and priorities in the sector-specific plan. Second, Treasury should update the financial services sector-specific plan to include specific metrics for measuring the progress of risk mitigation efforts and information on how the sector’s ongoing and planned risk mitigation efforts will meet sector goals and requirements, such as requirements for the financial services sector in the National Cyber Strategy Implementation Plan. GAO wants the work to be carried out in coordination with DHS and other federal and nonfederal partners.
Treasury stated that it generally agreed with the two recommendations but expressed caution about its level of authority to implement them. Treasury said it has limited ability to track, monitor, and to both devise and measure progress toward metrics on sector risk mitigation efforts. In particular, Treasury stated that this was because it cannot require that financial regulators or sector firms provide it with data on efforts that are underway or information on how those efforts reduce risks. The department stated that some financial services sector entities would need legal assurance that the information they share with Treasury on cyber risks and mitigation efforts will not be released in response to Freedom of Information Act requests. It also stated that further information requests might be seen by firms as a further layer of regulatory compliance that would undermine trust in Treasury and that, due to requirements under the Paperwork Reduction Act, it cannot issue an information collection request to 10 or more firms without going through an approval process.
Treasury added that the next update to the sector-specific plan should occur after DHS CISA updates the National Infrastructure Protection Plan.
GAO said Treasury already performs coordination steps on cyber risk mitigation efforts throughout the financial services sector that could facilitate its ability to measure progress. For example, it led a study of cybersecurity vulnerabilities in the financial services sector, for which Treasury collaborated with regulatory, government, and critical infrastructure partners on resilience initiatives related to identified vulnerabilities. The watchdog also said Treasury, in its role as sector-specific agency, is also ideally positioned to secure voluntary agreement from these groups to provide only a focused amount of information on that set of efforts that would enable them to be tracked and prioritized against sector goals.
