What banks need to know about the White House's cybersecurity strategy


On Thursday, the White House released its long-awaited National Cybersecurity Strategy, outlining goals and actions it plans to take to improve U.S. national security by strengthening the cybersecurity of both government and critical infrastructure, which includes banks and credit unions.

The document includes five "pillars" that will help secure cyberspace: defend critical infrastructure, disrupt and dismantle threat actors, shape market forces to drive security and resilience, invest in a resilient future and forge international partnerships to pursue shared goals.

According to three experts in bank cybersecurity, financial institutions should pay particular attention to the first and third pillars, which involve changes to regulation, liability for breaches and software vulnerabilities, new tax incentives and grants, harmonized breach notification rules and a potential federal backstop for cybersecurity insurance.

The U.S. designates the financial services sector as one of 16 critical infrastructure sectors, and although new regulations on cybersecurity will mainly affect less regulated industries, banks can expect greater regulatory scrutiny around the five areas of focus the White House identified.

Heightened national security concerns

The National Cybersecurity Strategy frames private enterprises' security as important to national security, according to Tracy Kitten, director of the fraud and security practice at consulting firm Javelin Strategy & Research. Specifically, the document names the governments of China, Russia, Iran, and North Korea as threats to firms' cybersecurity.

Kitten likened the cybersecurity threats that U.S. banks and credit unions face from nation states today to the distributed denial of service (DDoS) attacks they faced in 2012 and 2013 from Iranian government-linked hackers. DDoS attacks are on the rise, according to a recent report by an industry consortium.

Ransomware also received numerous mentions in the cybersecurity strategy, with the White House designating it as a "threat to national security." Kitten said that whereas ransomware had long been considered a business threat, it has been elevated to a national security issue in recent years due in part to highly visible examples — like that of Colonial Pipeline in 2021 — and because ransomware is increasingly used to hide more nefarious activities, as with Petya and NotPetya in 2017.

The White House is "concerned about cyber attacks coming from nation states with a lot of geopolitical risks being heightened," Kitten said.

Cybersecurity regulations already strong

While critical infrastructure as a whole has seen little cybersecurity regulation, federal prudential regulators have established requirements for financial institutions to provide them timely information about data breaches and put forward standards for evaluating cybersecurity risk. Myriad state laws also specify data security and infrastructure protections banks must have in place.

However, most sectors of critical infrastructure have not gotten that treatment, and the strategy document acknowledges that cybersecurity requirements may be a burden in some cases.

"Different critical infrastructure sectors have varying capacities to absorb the costs of cybersecurity, ranging from low-margin sectors that cannot easily increase investment without intervention, to those where the marginal costs of improving cybersecurity can be absorbed," the White House strategy reads. "In some sectors, regulation may be necessary to create a level playing field so that companies are not trapped in a competition to underspend their peers on cybersecurity."

According to Julien Bonnay, U.S. head of technology and cybersecurity at consulting firm Capco, "banking is not one of those sectors" because underspending on cybersecurity is generally not a problem for banks and credit unions.

Financial institutions are going above and beyond what regulations require of them in terms of cybersecurity, according to Bonnay. Instead, market forces are driving banks' and credit unions' cyber budgets up.

"Banks tend to benchmark themselves against peers both to understand how regulatory constraints are implemented but also not to be lagging against peers," Bonnay said.

In contrast to the dynamics in other sectors, banks tend to be "diligent" in understanding and often exceeding requirements to safeguard customer and employee data, according to John Walsh, Americas banking and capital markets leader at consulting firm EY.

"Leading FIs base cybersecurity budgets and strategies not only on regulatory expectations and compliance, but on a sophisticated approach to understanding the threats, associated risks, and preparing for the future," Walsh said.

Although banks and credit unions compete to offer more secure products than competitors, many lack policies about sharing data and threat information across departments, according to Javelin's Kitten.

"You don't have communication across the enterprise, from the self-service ATM channel to the call center," Kitten said. "Even fraud and cyber teams don't often communicate well, unless the institution has a cyber fusion center, and we know that a lot of institutions — even leading institutions — are still very behind when it comes to the fraud, cyber fusion center deployment."

Using AML to fight cybercrime

As part of its strategy for fighting back against ransomware, the White House strategy calls for undercutting the financial access criminals have to cash out on their attacks.

"The United States subjects financial institutions offering covered services in cryptocurrencies to Anti-Money Laundering and Countering the Financing of Terrorism (AML/CFT) controls, and the Department of the Treasury, the Secret Service, DOJ, the FBI, and private sector partners are collaborating to trace and interdict ransomware payments," the document reads. Part of that effort will include know-your-customer (KYC) rules.

Financial institutions play an important role in interdicting ransomware payments regardless of their involvement in cryptocurrencies, and although stronger KYC and AML are unlikely to directly prevent cybercrime, they would reduce the access attackers have to funds, according to Capco's Bonnay.
