Michael Bodson, Chief Executive Officer and President of The Depository Trust & Clearing Corporation (DTCC), and Mark Clancy, DTCC Chief Information Security Officer, joined financial industry and government leaders to launch the National Institute of Standards and Technology (NIST) Cybersecurity Framework at the White House in February.
The Framework, while voluntary, is designed for adoption by the 16 critical infrastructure sectors identified by the Department of Homeland Security, which include the communications, energy, defense, financial services, and healthcare sectors, among others. It consists of best practices and guidelines to help the private sector better understand, communicate and manage their cyber risk.
"The NIST Cybersecurity Framework represents a milestone achievement,” said Bodson. “It is the result of a year-long public-private partnership, which plays a key role in the financial services industry’s ability to identify threats, respond to cyber incidents and coordinate with government partners. DTCC is pleased to have worked with the Administration and colleagues across industries to help develop these voluntary guidelines and we look forward to leveraging the Framework as a means to help reduce cyber risks to our nation’s critical infrastructure.”
The launch of the NIST Cybersecurity Framework fell on the one-year anniversary of President Obama’s Executive Order on “Improving Critical Infrastructure Cybersecurity”, a key focus of his 2013 State of the Union address. Among other things, the Order tasked NIST – a federal agency under the purview of the U.S. Department of Commerce – to convene the private sector to develop a baseline framework to help organizations improve their cybersecurity practices.
“The Framework provides a flexible and dynamic approach to enhancing cybersecurity and serves as a solid foundation to address the risks associated with cyber threats,” explained Clancy. “The financial services industry clearly recognizes the broader systemic risks that could result from a cyber attack, and the implementation of the Framework is an important step in mitigating this for the vital infrastructures across all sectors.”
DTCC worked closely with NIST and the Financial Services Sector Coordinating Council (FSSCC) to identify current financial services industry best practices and standards and incorporate them into the Framework. The FSSCC, whose Policy Committee is co-chaired by Clancy, is the primary organization used by the financial services industry to identify potential cyber threats and techniques to mitigate them. Its mission is to strengthen the resiliency of the financial services sector against attacks and other threats to the nation’s critical infrastructure.
“Our sector recognizes cybersecurity as a non-competitive area and has long cooperated to enhance our cybersecurity environment,” stated Clancy. “From the beginning it was critical that the new Framework builds on the lessons we as an industry have learned from years of combating cyber attacks across the industry.”
A key challenge moving forward will be seeing to the adoption of the standards across all sectors, and DTCC continues to work with financial industry associations on proposed incentives for compliance with the Framework. Improving the speed and quality of information sharing related to cyber threats, both between private organizations and with relevant government agencies, will also prove critical to the ability of organizations to detect and respond to cyber attacks.
“Cyber attacks are occurring in greater frequency and at incredible speed,” said Clancy. “It is essential that organizations have the ability to share and receive information related to cyber attacks in real-time. While progress has been made, it’s critical that we continue to work with our government partners to improve the information sharing environment.”
DTCC remains engaged in a variety of policy initiatives designed to reduce cyber risk, such as the Network Information Security Directive currently being considered by European lawmakers, and the myriad legislative proposals under development on Capitol Hill. The debate over cybersecurity is expected to continue in lawmaking chambers on both sides of the Atlantic throughout the 2014 legislative sessions.