Treasury Wants Better Information on Financial Entities’ Cybersecurity Practices

Two documents published in the Federal Register within the last week highlight how the Treasury Department is embracing a more active role for itself in protecting critical infrastructure in the financial sector from cybersecurity attacks, including by promoting industry’s perspective.

Treasury’s Office of Cybersecurity and Critical Infrastructure Protection will take comments through March 23 on a proposal issued Wednesday toward identifying “cybersecurity and operational risks to and interdependencies within U.S. financial services sector critical infrastructure and to work collaboratively with industry and interagency partners to develop risk management and operational resilience initiatives.”

Under the Paperwork Reduction Act, the office can currently only collect information from a maximum of nine companies at a time, a senior cyber policy advisor for Treasury explained.

If approved, OCIP’s proposal would allow Treasury to engage with a broader array of stakeholders and to have a written record in response to questionnaires the department hopes to issue in the future. 

“Part of our mission space is looking at the implementation of best practices,” Treasury official Elizabeth Irwin told Nextgov, noting the National Institute of Standards and Technology’s Cybersecurity Framework is one such example.

“People have said, ‘yes we’ve implemented it,’ but we would like a little more fidelity into what that looks like,” she said, adding Treasury might want to ask firms, “Which parts have you implemented? Which parts do you think are useful? Which parts do you think are less useful?”

Irwin said firms’ responses to such questions “can inform our conversations with NIST and lets us be an advocate for them.” 

In general, Irwin noted that Treasury is not a regulator and entities would voluntarily respond to survey questions, but she said the expanded information collection would help inform Treasury’s interagency work. 

Treasury participates in a number of interagency efforts, including the Cybersecurity and Infrastructure Security Agency’s Information and Communications Technology Supply Chain Risk Management task force, and chairs the powerful Committee on Foreign Investment in the United States. Mergers and acquisitions involving foreign parties must obtain approval from CFIUS following a national security review. 

On Jan. 17, Treasury finalized its rule for implementation of the Foreign Investment Risk Review Modernization Act of 2018, which expanded CFIUS’ remit to include “non-controlling” investments. 

The rule, effective Feb. 13, requires parties to submit a cybersecurity plan, which CFIUS would use to assess whether appropriate measures are in place to safeguard intellectual property and other sensitive information from would-be adversaries.

According to Treasury, one commenter stated, “Asking parties for a cyber-security plan is insufficient to determine whether the party's information technology systems are adequately protected.” 

“The commenter recommended that the Committee rely on cyber-security standards promulgated by other federal agencies, such as the Department of Homeland Security, or NIST within the Department of Commerce,” Treasury said, but ultimately decided against incorporating that feedback in the final rule.

“A company's cyber-security plan is relevant information for the Committee to consider,” Treasury said. “Adherence by a party to government or industry standards could be a relevant factor in the Committee's risk assessment, but is not necessary to prescribe in regulations.”