Cybersecurity and resiliency used to be discussed by company employees in the server room. Now, they’re regular topics of boardroom conversation and have emerged as top concerns for financial institutions, regulators, and others in government. As technologies proliferate, numerous security solutions have emerged. Although many of these solutions cost millions of dollars to deploy, there’s one that has become an essential and inexpensive tool to mitigate some of these risks: a strong, trusted, and effective information-sharing community.
Financial services firms have learned over the years that they are interconnected and interdependent. Although it may seem paradoxical, financial services firms that aggressively compete on products and service offerings also collaborate and actively share information about vulnerabilities, threats, and incidents with each other. The success or failure of one firm can affect the success or failure of the entire industry. When it comes to cybersecurity and resiliency, financial services firms have learned that protecting customers and the financial sector is best done through active, voluntary information sharing. There truly is strength in sharing.
The Financial Services Information Sharing Analysis Center (FS-ISAC) has found a way to create a trusted community of sharing among security and resiliency practitioners. Together, these financial institutions act as a single community rather than individual actors. It is like the equivalent of a neighborhood watch. If one firm sees something, it says something.
FS-ISAC facilitates the sharing of information, including threat information, best practices, and regulatory issues, among thousands of institutions globally. Today, FS-ISAC boasts a community of trust composed of nearly 7,000 members across 38 countries.
So, how did the concept of information sharing evolve in the financial industry?
Establishing Trust in Critical Infrastructure
The current cyber and physical threat landscape requires a strong sense of trust and the acknowledgment that sharing among competitors will strengthen the resiliency of the entire sector as well as individual firms. This concept of private sector information is rooted in a public sector proclamation. In 1998, President Clinton signed Presidential Decision Directive 63, which stated, “It has long been the policy of the United States to assure the continuity and viability of critical infrastructures. I intend that the United States will take all necessary measures to swiftly eliminate any significant vulnerability to both physical and cyberattacks on our critical infrastructures, including especially our cyber systems.”1 The directive also called for “the creation of a private sector information sharing and analysis center (ISAC)…. Such a center could serve as the mechanism for gathering, analyzing, appropriately sanitizing and disseminating private sector information.”
Good things take time, and information sharing is no different. It has taken 18 years for the process of information sharing within a community like FS-ISAC to take hold among global financial institutions.
The U.S. government in the Clinton years believed that voluntary information sharing was an important part of critical infrastructure protection. ISACs were designed to be unique communities in which sector-specific organizations could come together, share information, and disrupt data silos in order to protect the nation’s infrastructure. Despite presidential support, information sharing through ISACs began slowly. Trust must be earned, and businesses were cautious to share any kind of information with what were arguably competitors. This held true for financial institutions as well. Businesses had questions that could not necessarily be answered immediately. Would sharing this type of information affect our competitive advantage? Could we face legal action for sharing? What if we share and no one else does? How do we know this will even work?
The process toward widespread information sharing via these institutions developed slowly; in the early years, there was enthusiasm over just one piece of information being entrusted to the community. Over time, however, member organizations began recognizing the value of the ISAC community. At the same time, the landscape of threats also started changing. The combination of evolving threats and open sharing created what we refer to as “aha” moments.
“Aha” Moments
One of the first true, large-scale collaboration moments came during 2009–2010, a period during which the financial services industry saw a large uptick in account takeover attacks (ATOs). Working with industry and government partners, FS-ISAC members released a joint bulletin describing the methods and tools employed in recent fraud activities perpetrated against small and midsize businesses that had been reported to the Federal Bureau of Investigation. The objective of this bulletin was simple: employ FS-ISAC and member subject matter expertise and apply it to the case information to identify detailed threat detection, prevention, and risk mitigation strategies for financial institutions.
Despite presidential support, information sharing through ISACs began slowly. Trust must be earned, and businesses were cautious to share any kind of information with what were arguably competitors.
Shortly after the bulletin, FS-ISAC members formed the Account Takeover Task Force (ATOTF). Consisting of 120 individuals from 35 financial services firms, 10 industry associations, and processors and representatives from seven government agencies, the ATOTF represented one of the largest collaboration efforts in FS-ISAC history to that date. Similar to the bulletin, the task force sought to provide deliverables for three subgroups: prevention, detection, and response. It was just as important to share information on what may happen as on what did happen – preventing fraud and loss by sharing information and best practices was key. Throughout the lifetime of the ATOTF, it published numerous advisories and best practices papers, offered up speakers and volunteers for education and awareness events, and worked on developing trusted relationships with fellow FS-ISAC members, industry partners, and law enforcement. The resources and expertise they developed proved invaluable to all of the members. Before the ATOTF was formed, 63% of ATO attacks resulted in a loss of funds. In the year after the formation of the task force, although members reported seeing an increased number of ATO attacks, ATO attacks involving a loss of funds dropped to 27%. Members now saw there was monetary value in sharing information.
At this time, FS-ISAC also proposed what became known as “circles of trust,” smaller communities within FS-ISAC where organizations from particular parts of the financial services sector could share information within smaller groups of like-minded firms. Because the financial services sector encompasses such broad and wide-ranging types of organizations, a one-size-fits-all formula for information sharing was not going to work. Today, FS-ISAC houses councils for payment processors, insurance companies, broker-dealers, and other securities groups, community institutions, credit unions, and more. Breaking away from institution type and focusing on job roles and responsibilities, FS-ISAC also has created circles of trust for business resiliency, compliance, and audits as well as threat intelligence. Finally, circles are now formed on a regional basis with unique groups for members in Europe, the Middle East and Africa, and the Asia-Pacific region. As the membership continues to grow and evolve, FS-ISAC will continue to work with the members to develop new and engaging groups to match the threats facing the financial services sector.
The collaboration did not end there. In 2012–2013, banks in the United States began experiencing waves of distributed denial-of-service (DDoS) attacks originating from Iran. Although these attacks were quite disruptive, they resulted in unprecedented levels of information sharing among financial institutions. Similar to the ATOTF, a DDoS team was formed in which members assisted others in dealing with the attacks. As a result, the lessons learned and best practices that were passed along proved to be extremely beneficial to firms that were targeted in the second, third, and fourth waves of attacks. Not only did the attacks show the capabilities of a population willing to share information in near real time, but they also catapulted cybersecurity awareness to the CEO level across the financial services sector for the first time. When the CEOs of our member financial services companies engaged directly, it resulted in even greater collaboration among financial associations, law enforcement, and appropriate government agencies.
Today, FS-ISAC members not only share immense amounts of information and intelligence with their peers but actively seek new ways they can collaborate and facilitate more sharing.
Perhaps most remarkable about the FS-ISAC membership is not their propensity to share information in the face of threats and attacks, but rather their willingness to offer a hand to other members on a wide variety of issues, everything from regulatory compliance to what types of products they use for different processes. This was extremely evident in 2014, when the end of life for Windows XP hit. In 2014, an estimated 95% of ATMs in the U.S. ran on Windows XP, so when Microsoft eliminated support for the operating system that April, financial institutions, community institutions in particular, were left struggling to figure out what this meant when it came to ATM security. Almost immediately, community institutions within the Community Institution Council membership group banded together to develop best practices for anyone facing this situation. As a result of this sharing, not only were no member financial institutions affected by the event, but the most vocal community within FS-ISAC emerged. Since this time, the community institutions have become the largest and most active sharers within FS-ISAC.
Information Sharing Today
Today, FS-ISAC members not only share immense amounts of information and intelligence with their peers but actively seek new ways in which they can collaborate and facilitate more sharing. In recent months, FS-ISAC and its members have launched two initiatives that reflect the evolution of the FS-ISAC in response to the changing threat landscape. “Sheltered Harbor” was launched in late 2016 as a proactive initiative designed to enhance resiliency and provide enhanced protections for financial institutions’ customer accounts and data. Should a financial institution be unable to recover from a cyberattack in a timely fashion, the Sheltered Harbor operating model, based on standards and the concept of mutual assistance, enables customers to access their accounts and balances from another financial institution. Sheltered Harbor members adhere to specifications for common data formats, secure storage (“data vaults”), and operating processes to store and restore data. Current Sheltered Harbor membership covers more than 60% of U.S. retail bank and brokerage accounts.
Also in late 2016, the Financial Systemic Analysis and Resilience Center (FSARC) was established to identify, analyze, and coordinate activities to mitigate systemic risk to the U.S. financial system from current and emerging cybersecurity threats through focused operations and enhanced collaboration between participating firms, industry partners, and the U.S. government. Findings and adaptable mitigation strategies will be shared across the financial sector through FS-ISAC and its members so that the efforts and activities of FSARC will benefit the broader FS-ISAC membership and the financial sector.
Knowing the extent of threats and vulnerabilities found in the financial sector, in 2014, FS-ISAC began supporting other sectors in developing their information-sharing capabilities, operations, and growth through its Sector Services division. This year, the division evolved into the Global Resilience Federation (GRF), an intelligence provider and sharing hub for cyber and physical threat information among not-for-profit ISACs, ISAOs, and CERTs from many different sectors around the world. As an evolution of Sector Services, GRF leverages 18 years of information sharing expertise to create new efficiencies and intelligence that can be used both within and across sectors. Charter members include FS-ISAC, the Legal Services ISAO (LS-ISAO) and the Energy Analytic Security Exchange (EASE).
Information sharing between financial institution members of FS-ISAC and the members of Legal Services ISAO, Oil and Natural Gas ISAC, and Energy Analytic Security Exchange has been instrumental in defending against a variety of threats, including credential harvesting, account takeover, fraud, ransomware, and DDoS attacks. Last year, the analyst team, formerly of Sector Services, also distributed in total more than 5,000 alerts, advisories, and reports to members of these communities. In July 2016, the Cross-Community Sharing Task Force, made up of two members each from FS-ISAC and the other communities, established a cross-sector sharing protocol to increase the efficiency and value of cross-sector sharing. Now, with GRF acting as a community of communities, cross-sector sharing will be more efficient and more effective than ever before.
Looking Forward
FS-ISAC will continue to invest in these invaluable resources for the financial services industry and remain a trendsetter when it comes to information sharing, collaboration, and resilience. We have learned that good things take time, and information sharing is no different. It has taken 18 years for the process of information sharing within a community like FS-ISAC to take hold among global financial institutions. While organizations were, understandably, slow to trust other organizations they had historically viewed as competitors, the fundamental value of threat information, best practices, and regulatory information is essential to the growth of each institution individually. FS-ISAC, more than any other group in the industry, understands the evolution of cybersecurity for everyone from executives and board members to the analysts and IT professionals working on the front lines, and we want to help you understand the threats at hand so you can protect your organization. Today’s threat environment has come to epitomize “live together, die alone.” Collaboration at an industry-wide level is not only a critically important element of defense, it is essential.
About the Author:
Bill Nelson is the President and CEO of the Financial Services Information Sharing and Analysis Center (FS-ISAC). FS-ISAC is a nonprofit association dedicated to protecting financial services firms from physical and cyberattacks. Before joining FS-ISAC, Nelson was the Executive Vice President of NACHA, the Electronic Payments Association, from 1988 to 2006. Prior to joining NACHA, he held several treasury management and lending positions within the banking industry.
