Comments to the Joint Meeting
Thank you for that introduction, and thank you all for the opportunity to address this joint meeting. I want to start by also thanking you for the work you do throughout the year to maintain the operational resilience of your organizations, and the financial sector.
As we celebrate the 20th anniversary of the creation of the Financial and Banking Information Infrastructure Committee or FBIIC, and the Financial Services Sector Coordinating Council for Critical Infrastructure Protection and Homeland Security or FSSCC, it is an appropriate time to look back at the reasons why these organizations exist, and consider how we are meeting those goals now, and will continue to meet those goals in the future.
Both the FBIIC and the FSSCC were created in the wake of the September 11, 2001 attack.
We realized in the aftermath of that event that we could do more to protect the critical infrastructure of the financial system from multiple types of threats, not just physical threats. The FBIIC was created to improve coordination and communication among financial regulators, enhance the resiliency of the financial sector, and promote the public-private partnership with FSSCC. The FSSCC, in turn, was created to strengthen the resiliency of the financial services sector against attacks and other threats to the nation’s critical infrastructure by proactively identifying threats, promoting protection, driving preparedness, collaborating with the U.S. government, and coordinating crisis response.
Both organizations have done much in the last twenty years to make the financial system stronger. For example, the Hamilton exercises have brought together the public and private sectors to practice how we would respond to events such as an interruption to major cloud service providers, and an interruption to utilities that provide services to companies in multiple sectors. These have been useful exercises for creating plans to respond together to incidents, and they have given all of us a better understanding of the roles each of our organizations would play.
Another outcome of the work of the FBIIC and FSSCC is the creation of the Sheltered Harbor specifications for protecting information that could be helpful to the recovery of a financial services company in the event of primary systems disruption. Of course the FDIC has a significant role to play when institutions fail, but we have never had to exercise those responsibilities as a result of an operational failure. The existence of data backups and systems for restoring critical services to customers in the event of a severe disruption to primary systems could be key to a bank’s operational survival. I understand that the number of solutions created consistent with that specification continues to grow, and several companies in this room are continuing to mature their capabilities using Sheltered Harbor-compliant repositories. We appreciate your work.
One last example is the Analysis and Resilience Center or ARC that was created to bring the industry together around particular financial sector functions, threats to those functions, and how to increase function resilience. Before the ARC existed, there were not good forums for focusing on these issues. Now, there is a better understanding of where the key interdependencies are and how the participants would keep those functions running in a severe disruption scenario.
As we remember the reasons for the creation of the FBIIC and FSSCC and consider what the groups have accomplished since their creation, it is clear these efforts are as crucial today as they have ever been, perhaps more so. The threats from adversaries are as evident today as they were in 2002. And the reliance of our financial system on information and communication technology that often serves as the gateway for malicious actors is greater than it has ever been. I’d offer that it is a good moment to re-commit ourselves to the missions of these two organizations.
The FDIC will continue to contribute to these missions and has worked with Treasury and other FBIIC organizations to set priorities for our work this year. One of those high priority FBIIC initiatives is to ensure effective implementation of cyber hygiene within the financial services sector to reduce the likelihood and impact of cyber incidents. I’d like to highlight work at the FDIC relative to this FBIIC priority and a current cybersecurity threat.
The threat I’d like to talk about is a successful ransomware attack. This is a serious threat where malicious actors for personal gain are holding up companies, including banks and their service providers, until an amount is paid to the criminals. We must do more to stop these attacks. As we continue to strengthen our defenses against the ransomware threat, we’re also strengthening our defenses against many other cyber threats.
The FDIC recently examined the ransomware attacks against FDIC-supervised institutions and their service providers over a twenty-four-month period ending in 2021. We wanted to understand the threat better. In particular, we wanted to learn about the defensive techniques that were most helpful in defending against those attacks.
We identified 36 attacks against banks and service providers. The organizations attacked ranged from larger banks with billions of dollars in assets and the most significant service providers to much smaller organizations. We categorized the attacks into high, moderate, and low impact. Several attack characteristics resulted in a high categorization, such as a loss of services for customers, a loss of data, attacker lateral movement, and a ransom being paid. Moderate attacks were those where there was some attacker lateral movement and persistence, but without the loss of data or significant services. Low impact attacks were those where there was little to no impact on the organization.
Two-thirds of the attacks we reviewed had a high severity impact. The ransoms paid rose to as high as $8,000,000 per attack.
Let’s think about that for a moment. From the attackers’ standpoint, that is a pretty high success rate. These attacks were motivated by the illicit opportunity for financial gain. If this can be done for profit, it can also be done for espionage purposes or for malicious, destructive purposes. It suggests the significant vulnerabilities that exist.
The examinations didn’t reveal new categories of controls that need to be communicated, but they did reveal that those that spend the time and money to implement particular controls can be effective at defending against these attacks.
An example of a control we know is effective, and that we found prevalent in cases where the company successfully defended against the ransomware attack, is wide use of multi-factor authentication. Multi-factor authentication makes it more difficult for malicious actors to elevate their privileges and gain access to accounts that would allow them to plant encryption software in multiple places. This is not a surprise to you, I would guess. But there are still companies that have not implemented high quality multi-factor authentication as widely in their organizations as is needed.
Another well-known control that we found to be present in cases where an institution successfully defended against a ransomware attack was network segmentation. I’m not a technical expert, but it makes sense that if you ensure there are boundaries between parts of the network that require unique authorization to get beyond, this will thwart those who desire to have access to all of an organization’s IT assets in order to damage them, or hold them hostage.
I won’t go into any more depth than that, but I wanted to give you some sense for the level of detail our examiners reviewed in order to give you an understanding of the basis for improvements we are making to our general IT examination work program.
We are adding to our IT work programs instructions for examiners to look for the controls that we have found are particularly effective relative to this threat. We think having the evidence of our review will be helpful in explaining the reasons for any recommendations we make.
Thus far our examinations have concluded that banks and service providers as a group are managing their IT environments reasonably well and protecting against cybersecurity threats. But clearly there are vulnerabilities. I expect this review will help us to provide more useful input for those companies that haven’t yet strengthened their environments adequately relative to the cybersecurity threat.
Finally, I’d like to briefly discuss the new computer-security incident notification rule the FDIC promulgated in January of this year with our colleagues at the Office of the Comptroller of the Currency, and those at the Board of Governors of the Federal Reserve System. This rule requires banking organizations to notify the primary federal regulator within 36 hours after the organization has determined a notification incident has occurred. Notification incidents are defined in the rule to be incidents where the organization’s ability to operate has been severely disrupted or degraded.
Sometimes the reason for the bank service disruption or degradation is a problem at the bank’s service provider. For a bank to be able to report to the regulator, the service provider in these instances needs to notify the bank of disruptions quickly. So, the rule also requires bank service providers to notify banking organization customers when bank services are materially disrupted or degraded, or are reasonably likely to be disrupted or degraded for four or more hours, so that the bank can in turn notify its regulator.
After our agencies approved this computer-security incident notification rule, Congress passed and the President signed on March 15, 2022 the Cyber Incident Reporting for Critical Infrastructure Act of 2022. It requires, among other things, that entities that own or operate critical infrastructure report cyber incidents and ransom payments within specified time frames.
The Cybersecurity and Critical Infrastructure Security Agency identifies financial services as a critical sector. CISA, as it is known, will need to write regulations that specify the law’s applicability within sectors.
Relative to this new Act, we have had the first interagency meeting of the Cyber Incident Reporting Council chaired by the Department of Homeland Security to coordinate the implementation of these rules. The Council has a Congressional mandate to coordinate, deconflict, and harmonize existing and future federal cyber incident reporting requirements.
I think it will be a fairly straightforward thing for us to coordinate with other agencies under the new Cyber Incident Reporting for Critical Infrastructure Act in regard to computer security incident reporting. We intend to work with other agencies to make notification and updates as reasonable as possible, so that we receive enough information to be prepared but allow the bank to deal with what may be a serious cyber incident.
Let me end by again thanking you for the opportunity to share some thoughts in regard to the resilience of our financial system’s critical infrastructure. I deeply appreciate the work you all do, both the FBIIC and the FSSCC organizations, to defend against the threats to our financial system, and to practice preparedness should a significant disruption occur. On this 20th anniversary of the creation of your organizations, we should re-commit ourselves to our missions, and do all that we can to maintain the safety and resilience of the U.S. financial system.
Thank you, and I’d be happy to take any questions you have.