Cyber threats are evolving rapidly, and the importance of operational and business resilience grows as DTCC and the broader financial market work to improve processes and technology. At DTCC, innovation must be purpose driven, deliver value and reduce risk. Through this lens, DTCC sees its role as a critical, resilient and forward-looking infrastructure: delivering efficiencies, mitigating risk for its stakeholders and reducing systemic risk in an ever-changing financial industry.
Large-scale cyberattacks on critical financial infrastructure are a major threat, with the potential to cause significant damage and disruption to the financial sector and the larger economy. The complexity of the financial services industry, the interconnectedness of financial firms and the markets in which they operate, and the introduction of new and innovative technologies further heighten the risk of a large-scale cyberattack.
When it comes to cybersecurity, DTCC follows core tenets that have proven effective: patch management, vulnerability management, effective monitoring of infrastructure, identity management, network segregation, and segregation of duties and of network access, to name a few.
In keeping with the commitment to reduce risk as well as provide certainty and reliability to the global financial system, DTCC’s Client Cybersecurity Program (CCSP) is a collaborative effort between DTCC and its clients to ensure firms have adopted proper frameworks to safeguard against cyber risks.
This is essential since an attack on one or more institutions or critical infrastructures could have a contagion effect across the financial system, especially as interconnectedness continues to grow. Raising the cyber resilience of individual firms makes the entire financial services ecosystem safer and more secure.
In addition, cyber-threat information sharing is a cornerstone of a resilient cyber defense program. What one firm learns from its peers can be used to strengthen its defenses before an attack hits or to limit its impact and recover more quickly. DTCC works with sector-specific and government agencies to enhance threat intelligence sharing and the resilience of the global financial ecosystem.
Guidance is also taken, as applicable, from a number of recognized information security standards, including:
- The internationally recognized standard “ISO/IEC 27001:2013 – Information technology – Security techniques – Information security management systems – Requirements”.
- The FFIEC Information Technology (IT) Examination Handbook, which comprises several booklets covering a variety of technology and technology-related risk management guidance for financial institutions and examiners.
- The NIST Cybersecurity Framework (NIST CSF) consisting of standards, guidelines, and practices to promote the protection of critical infrastructure.
- The Cyber Risk Institute Cybersecurity Profile, a scalable and extensible assessment that financial institutions of all types can use to manage cyber risk and to evidence compliance with various regulatory frameworks.
The paper “Post-Quantum Security Considerations for the Financial Industry” brings the near-term risk that quantum computing poses to the public-key cryptography underpinning today’s financial systems into focus for the financial industry, identifies initial steps financial institutions can take, and prompts a more intentional dialogue about how the industry can act now to ward off post-quantum risk.