Cybersecurity Is Key Priority for FSOC in 2015
Cybersecurity was a critical area of focus of the Financial Stability Oversight Council’s (“FSOC”) recently released 2015 Annual Report (the “Report”). The Report, which provides both a consolidated view of important challenges facing the financial system and a road map of FSOC’s key priorities in the upcoming year, identified cybersecurity as a growing concern and warned that cyber attacks are increasingly creating operational risk to the financial sector. FSOC asserted that, as cyber threats continue to evolve, major topics of emphasis include:
(1) Enhancing cybersecurity information sharing between the private sector and government, particularly with respect to the sharing of timely and actionable cyber threat information;
(2) Strengthening U.S. infrastructure security and resilience through the use of the National Institute of Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity (NIST Cybersecurity Framework) among financial services sector companies; and
(3) Having the private sector and government maintain robust plans for responding to significant cyber incidents, such as through the establishment of a national plan for cyber incident response for the sector that includes identifying and articulating the role of law enforcement, the Department of Homeland Security, and financial regulators.
FSOC also urged that, while the financial sector has “in many ways been an industry leader in adopting cybersecurity measures,” financial sector organizations must be vigilant. FSOC then provided technical and administrative best practices for financial sector organizations to mitigate potential damage from future cyber incidents, including:
(1) Establishing robust system controls for third-party vendors, such as the NIST Cybersecurity Framework;
(2) Protecting administrative access, e.g., requiring two-factor layered authentication for privileged accounts and sensitive systems, and detecting compromised administrative access through continuous and routine monitoring; and
(3) Developing capabilities and procedures to resume operations and restore computer networks and technology-enabled operations in response to known or unforeseen threats that could cause catastrophic disruption.
FSOC stressed throughout the Report that mitigating the risks to the financial system posed by malicious cyber activities requires strong collaboration among financial service organizations, agencies, and regulators.