Critical Infrastructure Protection:
Treasury Needs to Improve Tracking of Financial Sector Cybersecurity Risk Mitigation Efforts
GAO-20-631: Published: Sep 17, 2020. Publicly Released: Sep 17, 2020.
Additional Materials:
- Highlights Page:
- Full Report:
- Accessible Version:
Contact:
(202) 512-9342
marinosn@gao.gov
Michael Clements
(202) 512-7763
ClementsM@gao.gov
Office of Public Affairs
(202) 512-4800
youngc1@gao.gov
The financial services sector, a critical component of the nation's infrastructure that holds over $108 trillion in assets, is an increasingly attractive target for cyber-based attacks. The sector includes banks, mutual funds, and securities dealers
The Treasury Department and other federal agencies are taking steps to reduce risks and bolster the sector's efforts to improve its cybersecurity. We recommended that the Treasury work with other federal agencies and sector partners to better measure progress and to prioritize efforts in line with sector cybersecurity goals.
Ensuring the nation's cybersecurity is a topic on our High Risk List.
Additional Materials:
- Highlights Page:
- Full Report:
- Accessible Version:
Contact:
(202) 512-9342
marinosn@gao.gov
Michael Clements
(202) 512-7763
ClementsM@gao.gov
Office of Public Affairs
(202) 512-4800
youngc1@gao.gov
What GAO Found
The federal government has long identified the financial services sector as a critical component of the nation's infrastructure. The sector includes commercial banks, securities brokers and dealers, and providers of the key financial systems and services that support these functions. Altogether, the sector holds about $108 trillion in assets and faces a variety of cybersecurity-related risks. Key risks include (1) an increase in access to financial data through information technology service providers and supply chain partners; (2) a growth in sophistication of malware—software meant to do harm—and (3) an increase in interconnectivity via networks, the cloud, and mobile applications. Cyberattacks that exploit risks can occur against either public or private components of the sector. For example, in February 2016, hackers were able to install malware on the Bangladesh Central Bank's system through a service provider, which then directed the Federal Reserve Bank of New York to transfer money to accounts in other Asian countries. This attack resulted in the theft of approximately $81 million.
Several industry groups and firms are taking steps to enhance the security and resilience of the U.S. financial services sector through a broad range of cyber risk mitigation efforts. These efforts include coordinating within the sector through groups such as the Financial Services Sector Coordinating Council and the Financial Systemic Analysis and Resilience Center, conducting industrywide incident response exercises, sharing threat and vulnerability information, developing and providing guidance in conducting risk assessments, and offering cybersecurity-related training.
The Departments of Homeland Security and the Treasury and federal financial regulators are also taking multiple steps to support cybersecurity and resilience through risk mitigation efforts. Among other things, federal agencies provide cybersecurity expertise and conduct simulation exercises related to cyber incident response and recovery. Treasury, as the designated lead agency for the financial sector, plays a key role in supporting many of the efforts to enhance the sector's cybersecurity and resiliency. For example, Treasury's Assistant Secretary for Financial Institutions serves as the chair of the committee of government agencies with sector responsibilities, and Treasury coordinates federal agency efforts to improve the sector's cybersecurity and related communications.
However, Treasury does not track efforts or prioritize them according to goals established by the sector for enhancing cybersecurity and resiliency. Treasury also has not fully implemented GAO's previous recommendation to establish metrics related to the value and results of the sector's risk mitigation efforts. Further, the 2016 sector-specific plan, which is intended to direct sector activities, does not identify ways to measure sector progress and is out of date. Among other things, the sector-specific plan lacks information on sector-related requirements laid out in the 2019 National Cyber Strategy Implementation Plan . Unless more widespread and detailed tracking and prioritization of efforts occurs according to the goals laid out in the sector-specific plan, the sector could be insufficiently prepared to deal with cyber-related risks, such as those caused by increased access to data by third parties.
Why GAO Did This Study
For decades, the federal government has taken steps to protect the nation's critical infrastructures. The financial services sector's reliance on information technology makes it a leading target for cyber-based attacks. Recent high-profile breaches at commercial entities have heightened concerns that data are not being adequately protected.
Under the Comptroller General's authority, GAO initiated this review to (1) describe the key cyber-related risks facing the financial sector; (2) describe steps the financial services industry is taking to share information on and address risks to its sector; and (3) assess steps federal agencies are taking to enhance the security and resilience of the sector. GAO analyzed relevant reports and information to determine risks and mitigation efforts and compared agency efforts against federal policies and guidance. GAO also interviewed officials at 16 private sector entities, two self-regulatory organizations, and eight federal agencies, including the Department of the Treasury.
What GAO Recommends
GAO is making recommendations to Treasury to track and prioritize the sector's cyber risk mitigation efforts, and to update the sector's plan with metrics for measuring progress and information on how sector efforts will meet sector goals and requirements, including those contained within the National Cyber Strategy Implementation Plan. Treasury generally agreed with the recommendations.
For more information, contact Nick Marinos at (202) 512-9342 or marinosn@gao.gov or Michael Clements at (202) 512-7763 or ClementsM@gao.gov.
Recommendations for Executive Action
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: Regarding financial sector cyber risk mitigation efforts, we recommend that the Secretary of the Treasury, in coordination with the Department of Homeland Security and other federal and nonfederal sector partners, track the content and progress of sectorwide cyber risk mitigation efforts, and prioritize their completion according to sector goals and priorities in the sector-specific plan. (Recommendation 1)
Agency Affected: Department of the Treasury
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: Regarding the financial sector-specific plan, we recommend that the Secretary of the Treasury, in coordination with the Department of Homeland Security and other federal and nonfederal sector partners, update the financial services sector-specific plan to include specific metrics for measuring the progress of risk mitigation efforts and information on how the sector's ongoing and planned risk mitigation efforts will meet sector goals and requirements, such as requirements for the financial services sector in the National Cyber Strategy Implementation Plan. (Recommendation 2)
Agency Affected: Department of the Treasury
Explore the full database of GAO's Open Recommendations »
Oct 9, 2020
-
Aviation Cybersecurity:
FAA Should Fully Implement Key Practices to Strengthen Its Oversight of Avionics RisksGAO-21-86: Published: Oct 9, 2020. Publicly Released: Oct 9, 2020.
Sep 22, 2020
-
Cybersecurity:
Clarity of Leadership Urgently Needed to Fully Implement the National StrategyGAO-20-629: Published: Sep 22, 2020. Publicly Released: Sep 22, 2020.
Sep 21, 2020
-
Information Security and Privacy:
HUD Needs a Major Effort to Protect Data Shared with External EntitiesGAO-20-431: Published: Sep 21, 2020. Publicly Released: Sep 21, 2020.
Sep 16, 2020
-
Veterans Affairs:
VA Needs to Address Persistent IT Modernization and Cybersecurity ChallengesGAO-20-719T: Published: Sep 16, 2020. Publicly Released: Sep 16, 2020.
Aug 18, 2020
-
Cybersecurity:
DHS and Selected Agencies Need to Address Shortcomings in Implementation of Network Monitoring ProgramGAO-20-598: Published: Aug 18, 2020. Publicly Released: Aug 18, 2020.
May 27, 2020
-
Cybersecurity:
Selected Federal Agencies Need to Coordinate on Requirements and Assessments of StatesGAO-20-123: Published: May 27, 2020. Publicly Released: May 27, 2020.
May 13, 2020
-
Management Report:
Improvements Are Needed to Enhance the Internal Revenue Service's Information System Security ControlsGAO-20-411R: Published: May 13, 2020. Publicly Released: May 13, 2020.
Apr 24, 2020
-
Information Security:
FCC Made Significant Progress, but Needs to Address Remaining Control Deficiencies and Improve Its ProgramGAO-20-265: Published: Mar 25, 2020. Publicly Released: Apr 24, 2020.
Apr 13, 2020
-
Cybersecurity:
DOD Needs to Take Decisive Actions to Improve Cyber HygieneGAO-20-241: Published: Apr 13, 2020. Publicly Released: Apr 13, 2020.
Feb 11, 2020
-
Office of Congressional Workplace Rights:
Weaknesses in Cybersecurity Management and Oversight Need to Be AddressedGAO-20-199: Published: Feb 11, 2020. Publicly Released: Feb 11, 2020.
Looking for more? Browse all our products here