The Biden administration’s timely and unusually broad executive order issued May 12 (Executive Order 14028, “Improving the Nation’s Cybersecurity”) arrived in the wake of attacks against major corporations and most directly affects the federal government and the private companies with which it contracts. That includes a relatively small number of banks, but the order’s requirements are likely to ripple outward and affect banks more broadly, and some may face inquiries from examiners about whether their systems are up to snuff.
In a fact sheet issued with the order, the administration
notes the highly publicized attacks against SolarWinds, Microsoft Exchange and
the Colonial Pipeline as “sobering” reminders about the malicious cyber
activity from nation-states and cyber criminals. In fact, Microsoft disclosed
May 27 that the Russia-based cyber attacker that compromised SolarWinds and
numerous government computer networks is pursuing a new wave of attacks against
organizations in the U.S. and abroad.
“These incidents share commonalities, including insufficient
cybersecurity defenses that leave public and private sector entities more
vulnerable to incidents,” the statement notes, adding the order is the “first
of many ambitious steps” the administration is taking to modernize national
cyber defenses.
And the administration is moving expansively. Executive orders are typically aimed at executive branch agencies and departments, but this one covers all federal government agencies, including the independent agencies overseeing banks, such as the Federal Reserve, FDIC and OCC.
ABA VP and Senior Counsel Denyette DePierro says the order will directly affect private companies contracting with the federal government. “The primary focus of the EO is not financial services but the universe of third parties that provide products, services and software to the federal government, that do not have bank-like substantive cybersecurity processes,” DePierro says. That includes the relatively small group of banks facilitating federal services, such as transactional accounts or debit cards used to distribute government benefits, she adds.
DePierro says that banks are already adequately regulated
and supervised, and must abide by substantial cybersecurity, privacy and
information security requirements not present in other industries. In addition,
she explains, many banks have already adopted the National Institute of
Standards and Technology’s Cybersecurity Framework as their primary cyber risk
management tool, and the NIST framework will serve as their executive order cyber
standard.
However, many banks are still seeking to meet those
standards, and the comprehensive order is likely to cover areas where practice
is evolving. Given the federal government’s massive footprint, those
institutions will likely feel the order’s ripple effect, assuming its
provisions are enforced. Troy La Huis—principal and digital security services
leader at Crowe, which ABA endorses for risk management, compliance and
governance consulting—notes that less-enforced orders don’t typically demand
the same attention, and thus far the cybersecurity order’s enforcement
mechanisms remain unclear.
Another key issue is whether federal banking regulators
implementing the order themselves will in turn apply its requirements to the
banks they regulate. That remains to be seen, La Huis says. “But if its
provisions are important enough for the government agencies, then it’s likely
they will in turn seek to enforce them within the financial community.”
Given the nuts and bolts of the regulatory process, examiners may start asking how banks’ cybersecurity measures up against the order’s standards as soon as next year, La Huis says. One potentially challenging area for banks, he added, is a requirement in Section 3—on “Modernizing Federal Government Cybersecurity”—to develop a plan to implement “zero trust architecture” that incorporates the migration steps outlined by NIST.
Zero-trust architecture seeks to minimize the damage an attacker can do after infiltrating an organization and stealing user credentials. Rather than trusting a user or device because it sits inside the network perimeter, every access request is authenticated and authorized on its own, and each identity is limited to the specific resources it needs. However, implementing it can be costly and typically requires locking down significant parts of the network. Many banks are just starting to consider it.
“Based on our discussions, banks’ chief information security
officers are putting this one on the road map,” says Sekhara Gudipati, senior
manager on La Huis’ team at Crowe. And should examiners indeed start asking
banks about their zero-trust policies and procedures and the relevant technologies,
he adds, “that’s when the seriousness and pressure comes” to implement it.
Other portions of the order may benefit banks. Section 4—on “Enhancing Software Supply Chain Security”—describes the process by which the federal government will develop security guidance for critical software within 270 days of the order’s issuance. By March 2022, the Office of Management and Budget must take steps to require that federal agencies comply with the guidance.
Jordan Rae Kelly, head of cybersecurity for the Americas at FTI Consulting, highlights Section 4 as particularly impactful for the private sector and especially banks, since it is essentially creating an “Energy Star”-type label that software developers must adhere to. Although the label will first be used by the public sector, private-sector companies will also be able to use it to gauge software security.
The financial sector tends to be the “tip of the spear” in
terms of investing in cybersecurity, Kelly says. “And what’s going to happen
here is the EO will make it even easier to make those choices.”
DePierro says there is “industry optimism” that as large
government contractors, including cloud, telecom and other technology companies
are required to meet the executive order’s cyber standards, it may ease banks’
own third-party due diligence efforts.
“As federal-government third parties, companies are more
likely to become NIST-compliant without banks having to beg, cajole and
harangue them into adopting NIST standards and bank-like security,” DePierro
says.
Another area that could impact banks is Section 2 on
“Removing Barriers to Sharing Threat Information.” This section seeks to remove
contractual barriers that may prevent sophisticated technology service
providers the government uses from sharing threats they uncover with the
appropriate federal department or agency.
La Huis, who has worked with financial institutions since
2004, says banks’ anti-money laundering and cyber fraud functions traditionally
share little information, despite the frequently overlapping bad actors they
are defending against. The order’s directive could be a catalyst for banks or
their examiners to push removing those barriers, at least so AML and cyber
fraud work more closely together.
“This may not be a huge lift, but it could quite possibly
lead to re-organization, possibly convergence, among those units within banks,”
La Huis says.
Other provisions could affect mainly smaller banks, those with $10 billion in assets or less. Section 7, for example, requires the federal government to maximize early detection of cybersecurity vulnerabilities and incidents on its networks, while Section 8 calls for the government to improve its investigative and remediation capabilities.
In both those instances, La Huis says, smaller banks with
fewer resources have been slower to adopt comparable measures in their own
institutions, and examiners may inquire about their plans.
Section 5 requires the government to establish a Cyber Safety Review Board to review and assess significant cyber incidents affecting the federal government. If such breaches involve a private-sector firm with which the government contracts, such as SolarWinds, it raises the issue of what data the board should be privy to. One of the next ambitious steps the Biden administration alludes to in its fact sheet may address that issue.
Private companies, including banks, tend to hold that
information close to the vest, given the reputational damage it could cause.
However, the topic has been discussed candidly in recent security-related
conferences, Kelly says. While government officials participating in panels
have declined to express views one way or the other, “they’ve made it clear
there are challenges we continue to encounter without having mandatory breach
reporting.”