Survey: Financial-Sector Agencies’ Policies for Sharing Cyber Threats Inconsistent

Four years after the enactment of the Cybersecurity Information Sharing Act of 2015, a joint inspectors general survey of seven financial-sector agencies’ efforts to implement the law reflects significant irregularities in steps taken to share cyber threat indicators and defensive measures with their fellow federal agencies and non-federal entities.

The Office of the Chief Information Officer “does not have the resources, fiscal funds, or technical capabilities to implement a sharing of CTIs and DM program,” the National Credit Union Administration told the Council of Inspectors General on Financial Oversight in a Jan. 15 memo.

The CISA law promised to shield private-sector entities from liability if they shared such information through the Department of Homeland Security’s Automated Indicator Sharing system and required federal agencies to implement policies to likewise share information the government had access to with the private sector. 

The idea was that this would lay the foundation for a stronger collective defense, but companies are still skittish, fearing the protections aren’t enough to shield them from regulators, and as the new survey shows, government entities are also constrained by the classification levels attached to threat information by intelligence agencies.

The survey of the financial sector agencies—which, in addition to the NCUA, included the Board of Governors of the Federal Reserve System, the Bureau of Consumer Financial Protection, the Commodity Futures Trading Commission, Federal Deposit Insurance Corporation, the Federal Housing Finance Agency, and the Securities and Exchange Commission—gives insight into challenges the larger federal government might be facing, under pressure to share more of its information with private-sector partners. 

“Intelligence providers should continue to weigh the need to highly classify actionable information as this limits the ability to widely share such information,” the Federal Reserve System Board said, also noting that “the need to have Secure Compartmentalized Information clearances for all recipients limits the ability to implement actionable intelligence quickly and efficiently.” 

The Consumer Financial Protection Bureau added that “it was difficult to get responses from the DHS Cyber Liaison team regarding technical specifics on options available to leverage deeper analysis on shared indicators.” 

“In general, the AIS program worked as intended,” the Bureau said, but added it was unclear how it could take advantage of services like those provided by LookingGlass, a DHS cyber-intelligence contractor. 

The survey was conducted from April 2019 through September 2019 and covered the period of January 1, 2017 through March 31, 2019. 

The IGs interviewed staff from the Secretariat of the Financial Stability Oversight Council, a body that is supposed to assist in coordinating the work of its member agencies including by “performing research, ensuring compliance with FSOC policies (bylaws), and providing administrative support (budget).”

But an FSOC Secretariat official told the IGs “the FSOC’s role in CISA is limited.” 

“The topic of cybersecurity had been discussed at meetings and in FSOC’s annual reports, but CISA, the statute itself, had been rarely discussed,” the IG’s wrote.

According to the auditors’ memo, in its last mention of CISA—in a 2016 annual report—the FSOC noted that the law “provides a foundation for further advances in cybersecurity-related information sharing,” and recommended that “Treasury, the Departments of Homeland Security, Justice, and Defense, and financial regulators strongly support efforts to implement this legislation, including coordinating their associated processes with the financial services sector, consistent with processes established by the law.”