Protecting Our Nations Critical Financial Infrastructure

1
Protecting Our Nations Critical Financial
Infrastructure

• National Investment Company Service Association
• East Coast Regional Meeting
• January 13, 2005

2
September 11, 2001
3
September 11, 2001 The Impact

• Telecommunications in New Yorks financial
  district severely damaged through loss of ATT
  Teleport, West St. CO
• New York financial district largely evacuated
  that day, ruled a no go zone for three days
• Equity markets forced to suspend operations for
  four days (though settlements continued)
• Money transfer systems disrupted, with prolonged
  extensions each day to complete processing
• Commercial paper market disrupted, with 50 of
  financing curtailed on September 11

4
A Cyber September 11th?
5
September 11th the Cyber Version

• The nations cyber infrastructure has come under
  increasing assault from viruses, worms and other
  malicious code
• Phishing and similar online frauds continue to
  prey on unsuspecting computer users (and some
  suspecting ones too!)
• Increasingly sophisticated criminal techniques
  and technology threaten the viability of online
  commerce

6
Critical Infrastructure Protection 101
7
Government Services
Energy
Public Health
Critical Infrastructures
Emergency Services
Chemical Industry
Telecommunications
Financial Services
8
What does Critical Infrastructure Protection in
the financial services sector mean?

• More specifically
• What is the infrastructure were talking about?
• What parts of this infrastructure are viewed as
  being critical?
• What is the objective of protecting this
  critical infrastructure?
• Who is responsible for protecting it?

9
What infrastructure are we talking about?

• Is it the sector itself (i.e, insurance, banking
  and investment firms generally) ?
• 4,700 life/PC insurance companies
• 19,000 banks, thrifts and credit unions
• 5,300 securities firms
• 400 mutual fund management companies offering
  8,200 mutual funds

Conclusion This definition identifies the
overall objective but is too broad to be usable
10
What infrastructure are we talking about?

• As a general model, we need to differentiate
  among the layers of the banking, investments
  and insurance infrastructure
• The core infrastructure components, and
• The users of core infrastructures
• In turn, each of these layers has multiple layers

11
What infrastructure are we talking about?
INVESTMENTS
In scope for White Paper
CLEARING SETTLEMENT SYSTEMS
EXCHANGES ELECTRONIC MARKETS
SIGNIFICANT SELL-SIDE INSTITUTIONS (e.g.,
brokers)
SIGNIFICANT BUY-SIDE INSTITUTIONS (e.g.,
investment companies)
OTHER INTERMEDIARY INSTITUTIONS (sell-side and
buy-side)
12
What infrastructure are we talking about?
We also need to include the critical dependencies
of these infrastructure components
LARGE VAUEPAYMENT SYSTEMS
1. Most critically, telecommunications, with
Most critically, telecommunications
2. a rising awareness of the critical importance
of software and IT security concerns
SIGNIFICANT BANKING INSTITUTIONS
For many sector members, environmental factors
such as energy sources and water
3. For many sector members, environmental factors
such as energy and water
Less critically, environmental factors such as
agriculture, public health, etc.
4. Less critically, environmental factors such as
agriculture, public health, etc.
13
What are the objectives of protecting this
critical infrastructure?

• To ensure the sectors ability to continue to
  meet the financial needs of the U.S. population
  and to preserve its assets
• To ensure the sectors ability to continue to
  interact with the global financial markets
• To ensure that the U.S. population continues to
  have confidence in the sectors ability to meet
  their needs and preserve their assets

14
How do we proceed in protecting it?

• The protection of core infrastructure components
  is well advanced.
• Individual organizations are responsible for
  ensuring their own resiliency, but many need
  support to do this
• Knowledge capital key industry members have
  created can be leveraged by the broader
  population if it is made available
• Unless our customers are aware of our
  accomplishments, theres no solid basis for
  public confidence

15
How do we proceed in protecting it?

• The national approach relies on two key CIP
  organizations
• The Financial Services Sector Coordinating
  Council for Critical Infrastructure Protection
  and Homeland Security
• Coordination of sector activities and strategy-
  and policy-setting
• The Financial Services Information Sharing and
  Analysis Center
• Information communication throughout the sector
• Operational arm of the FSSCC

16
The Financial Services Sector Coordinating
Council (FSSCC)
17
PUBLIC SECTOR
PRIVATE SECTOR
US Treasury Assistant Secretary for Financial
Institutions, Wayne Abernathy FBIIC CHAIR
SECTOR COORDINATOR Donald Donahue
Financial and Banking Information Infrastructure
Committee (FBIIC) US Treasury Department Commodit
y Futures Trading Commission Conference of State
Bank Supervisors Federal Deposit Insurance
Corporation Federal Housing Finance Board Federal
Reserve Board of Governors Homeland Security
Council National Association of Insurance
Commissioners National Credit Union
Administration New York Federal Reserve
Bank Office of the Comptroller of the
Currency Office of Federal Housing Enterprise
Oversight Office of Thrift Supervision Securities
and Exchange Commission
Financial Services Sector Coordinating Council
for CIP/HLS, LLC (FSSCC) Financial Services
Trade Associations Institutes Depository Trust
Clearing Corporation New York Stock
Exchange The Clearinghouse FS/ISAC Securities
Industry Automation Corporation The Options
Clearing Corporation VISA USA Fannie Mae The
Nasdaq Stock Market American Stock Exchange ASIS
International
5-04 28 Members
18
Financial Services Sector Coordinating Council
for CIP/HLS, LLC (FSSCC) Financial Services
Trade Associations Institutes Depository Trust
Clearing Corporation New York Stock
Exchange The Clearinghouse FS/ISAC Securities
Industry Automation Corporation The Options
Clearing Corporation VISA USA Fannie Mae The
Nasdaq Stock Market American Stock Exchange ASIS
International

• Scope
• Critical Infrastructure Protection and Homeland
  Security

• Mission
• Foster and facilitate the coordination of
  financial services sector-wide voluntary
  activities and initiatives designed to improve
  Critical Infrastructure Protection and Homeland
  Security.

19
FSSCC Members

• ABA American Bankers Association
• ACLI American Council of Life Insurers
• ASIS ASIS International
• ACB America's Community Bankers
• BAI Bank Administration Institute
• BITS/FSR BITS and The Financial Services
  Roundtable
• ChicagoFIRST
• CUNA Credit Union National Association
• DTCC Depository Trust Clearing Corporation
• Fannie Mae
• CBA Consumer Bankers Association
• FS/ISAC Financial Services- Information Sharing
  and Analysis Center
• FIA Futures Industry Association

• ICBA Independent Community Bankers of America
• ICI Investment Company Institute
• MFA Managed Funds Association
• NASD NASD, Inc.
• NASDAQ NASDAQ Stock Market, Inc
• NAFCU National Association of Federal Credit
  Unions
• NACHA National Automated Clearinghouse
  Association
• SIA Securities Industry Association
• SIAC/NYSE Securities Industry Automation
  Corporation/New York Stock Exchange
• The BMA The Bond Market Association
• The Clearing House
• The OCC The Options Clearing Corporation
• VISA USA VISA USA, LLC

20
FSSCC Strategic Priorities

• Financial Sector National Strategy
• Warning, Alert and Information Dissemination
• Crisis Management and Response Management
• Outreach to Financial Services Sector and Other
  Sectors
• Research and Development
• Knowledge Sharing - Best Practices

21
The Financial Services Information Sharing and
Analysis Center (FS/ISAC)
22
FS/ISAC Mission

• To disseminate trusted and timely information
  intended to increase sector-wide knowledge about
  physical and cyber security operational risks
  faced by the Financial Services Sector.

23
FS/ISAC Members

• Members of the Financial Services Sector are
  eligible to join
• Banks, Thrifts, Credit Unions
• Securities Firms
• Investment Companies (mutual funds)
• Insurance Companies
• Mortgage Banking Companies
• Infrastructures and Service Bureaus
• Appropriate Industry Associations
• Roughly 800 members currently

24
FS/ISAC Operations

• The FS/ISAC gathers threat and vulnerability data
  about cyber and physical risks faced by the
  sector.
• Members have a platform for sharing information
  and ideas with professionals who face the same
  problems.
• The FS/ISAC has industry experts to analyze risks
  and deliver alerts to participants.
• Alerts may be Normal, Urgent, or Crisis. They
  identify the level of risk to the sector, provide
  detail about the risk, and propose any
  recommended solution to the risk.

25
FS/ISAC Operating Model
RAW Content IN
Public
Commercial
Government
Proprietary
Members
FS/ISAC
Analysis
Decision Quality Content Out
Queries
Collaboration
Support
Alerts
Reports
Members
Members
Members
26
FS/ISAC information sharing

• Immediate dissemination of US Treasury or DHS
  Urgent or Crisis messages to every firm in the
  industry.
• Analysis of member submissions to determine
  problem scope (i.e., only you or more
  widespread).
• Conference calls among premier members within an
  hour of a Crisis Event, usually with the vendor
  impacted, to discuss solutions and mitigation.
• Semi-annual meetings for premier members to learn
  and discuss similar issues with professionals

27
FS/ISAC Home Page
Last 5 new vulnerabilities
Geographic distribution of attack sources
Last 5 updated vulnerabilities
Homeland Security Advisory Level
Real-time scrolling news feed
Last 5 new threats
and more
28
FS/ISAC Web Content Pages

• Cyber Security
• Vulnerabilities
• Threats
• Incidents
• Physical Security
• Regional Intelligence
• Travel Advisories
• Incidents
• Benchmarking Best Practices
• Member Submission Forms

• Collective Intelligence
• Weekly Intelligence Report
• DHS Daily Report
• ISAC Meeting Minutes
• ISAC User Guides
• White Papers
• Announcements
• Discussion Forums
• Advisory Logs

29
How to Join
Step 1 Go to www.fsisac.com and Click on
Join Step 2 Review Feature and Benefits for
each level Review Frequently Asked Questions
Review Subscription Agreement Step 3 Select
the service level that best meets your
business needs and complete the
membership application Step 4 Accept the
Subscription Agreement and select
your method of payment. Upon approval of your
application and receipt of payment (Core and
above) your account and credentials will
be activated.
30
What Are We Asking You to Do?
31
Your To-Dos

• Join the FS/ISAC at the appropriate level
• Obtain and begin to assess relevant suggested
  practice or best practice standards
• For example, review the ANSI standard document
• Understand and meet your own responsibilities for
  cyber protection
• For example, review the Treasury statement on
  phishing, documents on www.FSSCC.org
• Promote a culture of security within your own
  group and within the company