On Thursday, the White House released its long awaited
The document includes five "pillars" that will help secure cyberspace: defend critical infrastructure, disrupt and dismantle threat actors, shape market forces to drive security and resilience, invest in a resilient future and forge international partnerships to pursue shared goals.
According to three experts in bank cybersecurity, financial institutions should pay particular attention to the first and third pillars, which involve changes to regulation, liability for breaches and software vulnerabilities, new tax incentives and grants, harmonized breach notification rules and a potential federal backstop for cybersecurity insurance.
The U.S. designates the financial services sector as one of
Heightened national security concerns
The National Cybersecurity Strategy frames private enterprises' security as important to national security, according to Tracy Kitten, director of the fraud and security practice at consulting firm Javelin Strategy & Research. Specifically, the document names the governments of China, Russia, Iran, and North Korea as threats to firms' cybersecurity.
Kitten likened the cybersecurity threats that U.S. banks and credit unions face from nation states today to the distributed denial of service (DDoS) attacks they faced in 2012 and 2013 from Iranian government-linked hackers.
Ransomware also received numerous mentions in the cybersecurity strategy, with the White House designating it as a "threat to national security." Kitten said that whereas ransomware had long been considered a business threat, it has elevated to being a national security issue in recent years due in part to highly visible examples — like
The White House is "concerned about cyber attacks coming from nation states with a lot of geopolitical risks being heightened," Kitten said.
Cybersecurity regulations already strong
While critical infrastructure as a whole has seen little cybersecurity regulation. Federal prudential regulators have established requirements for financial institutions to provide them timely information about data breaches and put forward standards for evaluating cybersecurity risk. Myriad state laws also specify data security and infrastructure protections banks must have in place.
However, most sectors of critical infrastructure have not gotten that treatment, and the strategy document acknowledges that cybersecurity requirements may be a burden in some cases.
"Different critical infrastructure sectors have varying capacities to absorb the costs of cybersecurity, ranging from low-margin sectors that cannot easily increase investment without intervention, to those where the marginal costs of improving cybersecurity can be absorbed," the White House strategy reads. "In some sectors, regulation may be necessary to create a level playing field so that companies are not trapped in a competition to underspend their peers on cybersecurity."
According to Julien Bonnay, U.S. head of technology and cybersecurity at consulting firm Capco, "banking is not one of those sectors" because
Financial institutions are going above and beyond what regulations require of them in terms of cybersecurity, according to Bonnay. Instead, market forces are driving banks' and credit unions' cyber budgets up.
"Banks tend to benchmark themselves against peers both to understand how regulatory constraints are implemented but also not to be lagging against peers," Bonnay said.
By contrast to the dynamics in other sectors, banks tend to be "diligent" in understanding and often exceeding requirements to safeguard customer and employee data, according to John Walsh, Americas banking and capital markets leader at consulting firm EY.
"Leading FIs base cybersecurity budgets and strategies not only on regulatory expectations and compliance, but on a sophisticated approach to understanding the threats, associated risks, and preparing for the future," Walsh said.
Although banks and credit unions compete to offer more secure products than competitors, many lack policies about sharing data and threat information across departments, according to Javelin's Kitten.
"You don't have communication across the enterprise, from the self-service ATM channel to the call center," Kitten said. "Even fraud and cyber teams don't often communicate well, unless the institution has a cyber fusion center, and we know that a lot of institutions — even leading institutions — are still very behind when it comes to the fraud, cyber fusion center deployment."
Using AML to fight cybercrime
As part of its strategy for fighting back against ransomware, the White House strategy calls for undercutting the financial access criminals have to cash out on their attacks.
"The United States subjects financial institutions offering covered services in cryptocurrencies to Anti-Money Laundering and Countering the Financing of Terrorism (AML/CFT) controls, and the Department of the Treasury, the Secret Service, DOJ, the FBI, and private sector partners are collaborating to trace and interdict ransomware payments," the document reads. Part of that effort will include know-your-customer (KYC) rules.
Financial institutions play an important role in interdicting ransomware payments regardless of their involvement in cryptocurrencies, and although stronger KYC and AML are unlikely to directly prevent cybercrime, they would reduce access attackers have to funds, according to Capco's Bonnay.
