The US Treasury does not track efforts or prioritize them according to goals established by the sector for enhancing cybersecurity and resiliency, according to a report from the Government Accountability Office (GAO). Treasury also has not fully implemented GAO’s previous recommendation to establish metrics related to the value and results of the sector’s risk mitigation efforts. Further, the 2016 sector-specific plan, which is intended to direct sector activities, does not identify ways to measure sector progress and is out of date.
Unless Treasury undertakes more widespread and detailed tracking and prioritization of efforts, based on explicit metrics that measure progress against the sector’s goals and requirements, the sector will remain unable to determine whether its efforts are effective at reducing cyber risk. This, in turn, could leave the sector insufficiently prepared to deal with primary sector risks, such as insider threats and unauthorized access to sector data by third parties.
Treasury, as the designated lead agency for the financial sector, plays a key role in supporting many of the efforts to enhance the sector’s cybersecurity and resiliency. For example, Treasury’s Assistant Secretary for Financial Institutions serves as the chair of the committee of government agencies with sector responsibilities, and Treasury coordinates federal agency efforts to improve the sector’s cybersecurity and related communications.
Among other things, the sector-specific plan lacks information on sector-related requirements laid out in the 2019 National Cyber Strategy Implementation Plan. Unless more widespread and detailed tracking and prioritization of efforts occurs according to the goals laid out in the sector-specific plan, the sector could be insufficiently prepared to deal with cyber-related risks, such as those caused by increased access to data by third parties.
According to statistics from the FRB, U.S. financial institutions held over $108 trillion in assets as of Q4 2019. Some of the largest categories of financial institutions, in terms of assets held, are U.S.-chartered depository institutions ($16.33 trillion), insurance companies ($11.28 trillion), mutual funds ($17.66 trillion), government sponsored enterprises ($7.11 trillion), and pension funds ($24.36 trillion). The remaining assets are distributed among finance and mortgage companies, securities brokers and dealers, and other financial institutions.
But the composition of the financial services sector extends beyond the categories of financial services to include a network of essential specialized service organizations and service providers that support the sector in its efforts to provide a trusted services environment. For example, the financial services sector has become more dependent on outsourcing certain activities — such as systems and applications, hardware and software, and technically skilled personnel — to third-party providers that are now an indispensable part of the sector’s infrastructure.
Currently, most of the sector’s key services are provided through the use of information and communications technology, further increasing the importance of cybersecurity to the sector. In addition, consumer applications, known as “fintech,” enable increased use of financial systems and data beyond the traditional boundaries of the sector. For example, digital wealth management platforms use algorithms based on consumers’ data and risk preferences to provide digital services, including investment and financial advice, directly to consumers.
Further, mobile payment applications allow consumers to use their smartphones or other mobile devices to make purchases and transfer money instead of relying on the physical use of cash, checks, or credit and debit cards. Due in part to the introduction of these new technologies, the financial services sector has an even stronger need for information technology capabilities and support from supply chain partners and third-party service providers.