Banking and Finance Sector-Specific Plan - U.S. Department of ...
Banking and Finance Sector-Specific Plan - U.S. Department of ...
Banking and Finance Sector-Specific Plan - U.S. Department of ...
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
3. Assess Risks<br />
Risk assessments are a long-st<strong>and</strong>ing practice within the <strong>Banking</strong> <strong>and</strong> <strong>Finance</strong> <strong>Sector</strong> <strong>and</strong> accepted by both the regulators <strong>and</strong><br />
the private sector. The Treasury <strong>Department</strong> <strong>and</strong> the FBIIC agencies meet continually with financial institutions to determine<br />
whether any new assets are critical to the operations <strong>of</strong> the sector <strong>and</strong> thus require special attention regarding potential vulnerabilities.<br />
The <strong>Banking</strong> <strong>and</strong> <strong>Finance</strong> <strong>Sector</strong> assesses consequences based on whether the loss or impairment <strong>of</strong> an asset or process would<br />
impact the sector’s ability to operate in an orderly <strong>and</strong> efficient manner. The sector participants also consider the potential<br />
impact on the public’s confidence in the financial system as a whole. Through vulnerability assessments, the sector has determined<br />
that some <strong>of</strong> its greatest challenges are its dependency on telecommunications, the power grid, information technology,<br />
<strong>and</strong> transportation. Along with underst<strong>and</strong>ing vulnerabilities, the <strong>Banking</strong> <strong>and</strong> <strong>Finance</strong> <strong>Sector</strong> integrates threat analysis into its<br />
protective programs <strong>and</strong> shares threat information through the FBIIC <strong>and</strong> the FSSCC as necessary.<br />
4. Prioritize Infrastructure<br />
The Treasury <strong>Department</strong>, in conjunction with the FBIIC agencies <strong>and</strong> the private sector, identifies <strong>and</strong> prioritizes key infrastructures<br />
<strong>and</strong> updates this list annually. This prioritization is based on the impact to the orderly <strong>and</strong> efficient operation <strong>of</strong> the<br />
sector <strong>and</strong> public confidence if the infrastructure were no longer able to operate or were impaired. Factors for prioritization<br />
include: the degree <strong>of</strong> dependence on the asset; the presence or absence <strong>of</strong> alternatives to the infrastructure; the public need for<br />
the services provided by the asset; the potential impact <strong>of</strong> disruption to the financial system; <strong>and</strong> the potential impacts on the<br />
economy resulting from a cascading disruption <strong>of</strong> other critical infrastructures <strong>and</strong> key resources.<br />
5. Develop <strong>and</strong> Implement Protective Programs<br />
Both the public <strong>and</strong> private sectors have key roles to play in implementing protective programs. Through direct m<strong>and</strong>ates<br />
<strong>and</strong> regulatory authority, financial regulators have specific regulatory tools that they may implement in response to a crisis.<br />
Additionally, the Treasury <strong>Department</strong>, along with the FBIIC agencies, the members <strong>of</strong> the FSSCC, the FS-ISAC, <strong>and</strong> the regional<br />
coalitions, have developed <strong>and</strong> begun implementing numerous protective programs to meet the stated security goals. These<br />
protective programs range from developing <strong>and</strong> testing robust emergency communication protocols to conducting <strong>and</strong> participating<br />
in a variety <strong>of</strong> exercises.<br />
Successful programs already have been implemented, including sector-specific crisis communication facilities for events in<br />
progress, coordination <strong>of</strong> regional resources to mitigate known physical security threats, <strong>and</strong> coordination between regulatory<br />
<strong>and</strong> private sector organizations for p<strong>and</strong>emic planning. Protective programs still in progress include building formal information-sharing<br />
networks, subscribing to warning <strong>and</strong> alert systems, conducting targeted outreach, supporting the development <strong>of</strong><br />
regional coalitions, <strong>and</strong> reaching out to other sector coordinating councils <strong>and</strong> law enforcement.<br />
6. Measure Progress<br />
The Treasury <strong>Department</strong> is working with our public <strong>and</strong> private sector partners to develop sector-specific metrics aligned<br />
with the sector security goals. The process for developing these metrics will incorporate collaboration <strong>and</strong> insights from sector<br />
participants, regulators, as well as other sectors’ government <strong>and</strong> sector coordinating councils as appropriate. These include<br />
processes for developing metrics to address vulnerabilities stemming from gaps in sector dependencies, continuous improvement<br />
to the information-sharing framework, <strong>and</strong> unique challenges posed by cyber crime. The Treasury <strong>Department</strong> will<br />
coordinate with the FBIIC agencies <strong>and</strong> the FSSCC to validate, update, <strong>and</strong> implement these metrics.<br />
Executive Summary