Summary
Since 1998, the federal government has taken steps to protect the nation's critical infrastructures, including developing partnerships between the public and private sectors. These cyber and physical public and private infrastructures, which include the financial services sector, are essential to national security, economic security, and/or public health and safety. GAO was asked to review (1) the general nature of the cyber threats faced by the financial services industry; (2) steps the financial services industry has taken to share information on and to address threats, vulnerabilities, and incidents; (3) the relationship between government and private sector efforts to protect the financial services industry's critical infrastructures; and (4) actions financial regulators have taken to address these cyber threats.
The types of cyber threats that the financial services industry faces are similar to those faced by other critical infrastructure sectors: attacks from individuals and groups with malicious intent, such as crime, terrorism, and foreign intelligence. However, the potential for monetary gains and economic disruptions may increase its attractiveness as a target. Financial services industry groups have taken steps and plan to take continuing action to address cyber threats and improve information sharing. First, industry representatives, under the sponsorship of the U.S. Department of the Treasury, collaboratively developed a sector strategy which discusses additional efforts necessary to identify, assess, and respond to sector-wide threats. However, the financial services sector has not developed detailed plans for implementing its strategy. Second, the private sector's Financial Services Information Sharing and Analysis Center was formed to facilitate sharing of cyber-related information. Third, several other industry groups are taking steps to better coordinate industry efforts and to improve information security across the sector. Several federal entities play critical roles in partnering with the private sector to protect the financial services industry's critical infrastructures. For example, the Department of the Treasury is the sector liaison for coordinating public and private efforts and chairs the federal Financial and Banking Information Infrastructure Committee, which coordinates regulatory efforts. As part of its efforts, Treasury has taken steps designed to establish better relationships and methods of communication between regulators, assess vulnerabilities, and improve communications within the financial services sector. In its role as sector liaison, Treasury has not undertaken a comprehensive assessment of the potential use of public policy tools by the federal government to encourage increased participation by the private sector. The table below shows the key public and private organizations involved in critical infrastructure protection. Federal regulators, such as the Federal Reserve System and the Securities and Exchange Commission, have taken several steps to address information security issues. These include consideration of information security risks in determining the scope of their examinations of financial institutions and development of guidance for examining information security and for protecting against cyber threats.
Recommendations
Our recommendations from this work are listed below with a Contact for more information. Status will change
from "In process" to "Implemented" or "Not implemented" based on our follow up work.
Director:
Team:
Phone:
Gregory C. Wilshusen
Government Accountability Office: Information Technology
(202) 512-3317
Recommendations for Executive Action
Recommendation: To improve the likelihood of success of the financial services sector's Critical Infrastructure Protection efforts, the Secretary of the Treasury should direct the Assistant Secretary for Financial Institutions, the banking and finance sector liaison, to coordinate with the industry in its efforts to update the sector's National Strategy for Critical Infrastructure Assurance and in establishing interim objectives, detailed tasks, timeframes, and responsibilities for implementing it and a process for monitoring progress. As part of these efforts, the Assistant Secretary should assess the need for grants, tax incentives, regulation, or other public policy tools to assist the industry in meeting its goals.
Agency Affected: Department of the Treasury
Status: Implemented
Comments: (1a) The agency, in close collaboration with various organizations within the Banking and Finance sector, developed a Sector Specific Plan (SSP). Published in December 2006, the SSP contains the Banking and Finance Sector's strategy for working collaboratively with public and private sector partners to identify, prioritize, and coordinate the protection of critical infrastructure. This SSP established objectives, tasks, timeframes, and responsibilities for protecting the banking and finance infrastructure and is to be continually updated. (1b) Additionally, in order to provide incentives for enhanced security, Treasury's Office of Critical Infrastructure Protection and Compliance Policy (CIP&CP) has been working with organizations within the Banking and Finance Sector to assess vulnerabilities and highlight areas for improvement. As part of this effort, CIP&CP has created a research and development agenda (R&D Agenda) aimed at improving both the state-of-the-are in Critical Infrastructure Protection (CIP) as well as the state-of-the practice as it relates to this sector of the economy. The Agenda's overall goal is to support research and development activities and process improvements that will raise the overall level of the sector's preparedness and resiliency as well as the individual level at each institution.
