5/5/2020 Remarks of Acting Assistant Secretary Gerety at the Credit Union National Association's Governmental Affairs Conference

U.S. DEPARTMENT OF THE TREASURY
Press Center

Remarks of Acting Assistant Secretary Gerety at the Credit Union National Association's Governmental Affairs Conference

3/11/2015
As prepared for delivery

WASHINGTON - Thank you for inviting me to address your annual Governmental Affairs Conference. Credit unions play an important role in our economy and in our communities, providing access to critical financial services and savings opportunities. At Treasury, credit unions are also important partners in many of the vital initiatives we are working on.

For example, credit unions are leading the way in building the financial skills of the next generation. Financial capability of young people is a major priority for this Administration, and through programs designed to provide financial education in the community and facilitate savings for young Americans through their schools, credit unions are helping provide pathways to financial inclusion. Toward that end, Treasury has worked with the NCUA and other federal financial regulatory agencies to release regulatory guidance to encourage such programs and address a number of common questions about starting savings programs. If you have not already, I hope you will consider launching such programs in the communities your credit unions serve.

Financial capability is just one of the many important areas where we are working together. Today, I want to focus my remarks on cybersecurity, an increasingly vital point of intersection, and one where we need your help. Since I spoke about cybersecurity to the NAFCU in the fall, cyber threat activity has only continued to multiply, and we have accordingly stepped up our efforts in the government and at Treasury. Cybersecurity is a top priority for this Administration, as I believe it should be for the financial sector, including all of your members.
Given the urgency and persistency of this issue, I would like to take some time here today to underscore and expand upon some of the key points I made last year through the lens that we at Treasury use to approach cybersecurity. Our approach is based upon three pillars: Best Practices, Information Sharing, and Incident Response and Recovery. Along the way, I hope to give you a sense of the heightened level of recent activity on this issue in government, spearheaded by the President, with the ultimate hope that you will bring back to your organizations a renewed sense of urgency and bias for action with regard to this insidious, expanding threat we all face.

I have no doubt that by now many, and hopefully all, of you are as closely focused on this issue as we are at Treasury. Some of your credit unions have been dealing with online fraud and credit card theft for decades. Others were victim to the series of large scale Distributed Denial of Service attacks that targeted the financial sector throughout last year, overwhelming systems and forcing many customers to lose online access to their accounts. As we speak, staff at some of your institutions may be actively fighting intruders that have gained access to your networks and systems. And, undoubtedly, you have all seen the potential for damage that can result from a destructive cyber-attack similar to the one carried out against Sony Pictures Entertainment, where thousands of computers were rendered inoperable and key intellectual property was stolen or destroyed.

Despite the steep potential costs associated with cybersecurity incidents, we struggled for some time to effectively focus the Nation’s attention on these issues. But our efforts over the past years to raise awareness are starting to pay off and – especially in light of recent high profile incidents such as the Sony intrusion – the public’s collective attention is now on cybersecurity.
The challenge is to capture that attention and convert the underlying concern into concrete action, which I hope you all have done, or will do imminently.

Why Cybersecurity Matters to Credit Unions

While I focus most closely on threats to the financial sector in my role at Treasury, the broad nature of the threat requires us to collaborate across the government and private sector. To be successful, this collaboration must involve all sectors of the economy and companies of all sizes and in every part of the country. Our goal is to enhance public confidence and defend the American public from the damage caused by cyber incidents through productive engagement with the private sector. To that end, here’s why I think cybersecurity matters specifically to credit unions:

https://www.treasury.gov/press-center/press-releases/Pages/jl9994.aspx 1/4

Credit unions play a key role in the lives of millions of Americans and are a central component of the U.S. financial sector. And – especially when you consider the vast electronic interconnections between our key financial systems – a significant cyber incident impacting your credit union could have or lead to a major effect on the U.S. economy.

Trust is important. Your members rely on you to protect their savings and their personal information. Now more than ever, doing this well is as much about secure IT systems as it is about surveillance cameras and security guards.

Your credit union’s cybersecurity has a direct impact on its financial standing. The possible financial impacts of cyber incidents can be felt not only as a result of fraud and theft, but also from the significant business interruption that could occur in the event of a destructive attack.
What Can Be Done

There is a reason we at Treasury have an abiding interest in the cybersecurity of credit unions, which is that Treasury has a formal role, established by a Presidential policy directive, to coordinate Federal support for financial sector security and resiliency efforts. Within Treasury, this role is executed by the Office of Critical Infrastructure Protection and Compliance Policy (OCIP). OCIP monitors intelligence and law enforcement channels for information on threats to the financial sector. When such threats are identified, we collaborate with other agencies like DHS, FBI, and DoD to respond accordingly. We also work with the financial sector, including CUNA, and other agencies including financial regulators, to develop policies and programs to improve security.

One of the reasons that I’m optimistic about our ability to confront the challenges posed by cyber threats is that government interests and private sector interests are aligned. From what I’ve seen, government agencies and private sector firms share a sincere desire to collaborate on cybersecurity.

To focus your involvement in this security collaboration effort, I would recommend that you consider taking action in three categories, which act as the pillars for a general structure that we at Treasury have employed to organize our approach to cybersecurity: (1) adopting best practices and baseline protections, (2) engaging in information sharing, and (3) planning for incident response and recovery.

Best Practices

First, I’d like to talk about best practices and baseline protections. Best practices are the policies, procedures, and other controls that a company has adopted to prevent penetration of their networks and systems, and to prevent damage assuming that there has been access. Organizations should have risk management programs that are appropriately tailored to the cyber risks presented by their specific businesses and operations.
Company leaders should identify the cyber threats presented by their particular activities and operations and match those threats to appropriate technology solutions. Then company leadership should adopt policies, procedures, and other controls – like training and governance – to not only address identified cyber threats that their technology solutions can’t control, but also to reasonably anticipate possible breakdowns and overrides of that technology.

One of the best examples of a set of best practices is the National Institute of Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity (NIST Framework), which I spent some time discussing with NAFCU last year. To remind everyone, the NIST Framework is a model for considering cyber risk based on five functions: “identify,” “protect,” “detect,” “respond,” and “recover,” and I would suggest that this Framework is a powerful guide for considering and addressing all the key areas needed to build a baseline level of cybersecurity.

Have you met with your security staff to review the NIST Framework and consider the simple, but powerful, questions it raises to expose your baseline cybersecurity levels? If not, I would strongly encourage that you do. And if you don’t have an in house security team, then the next time you’re meeting with a vendor, ask them whether they’re using the NIST Framework. Starting this dialogue now is critical to understanding the risks your organization faces.

Information Sharing

While adopting best practices is a critical first step, I’d also like to highlight the importance of cybersecurity information sharing, which is one of our most potent tools to counter malicious cyber activity. In order to reduce your risk over time, you must understand the threats you face. Many times the best way to do this is to understand the threats being faced by other entities so you can prevent the same incidents from happening to you.
At a technical level, the tools that protect your networks only work well if you know what to look for – whether understanding that a particular IP address is responsible for malicious activity, or scanning your systems for known “malware” that may have been installed by an unauthorized intruder. Malicious cyber actors share information and tools used to exploit our systems every day. We should be doing the same to stop them.

For example, last month at Stanford University, President Obama hosted the White House Summit on Cybersecurity and Consumer Protection, which brought together leaders from a number of areas to explore partnerships that will help develop the best ways to bolster our cybersecurity. During the Summit, President Obama signed an Executive Order that will encourage and promote the sharing of cybersecurity threat information within the private sector and between the private sector and government. It empowers private sector companies and organizations to form cooperative information sharing organizations based on their needs. By self-organizing into trusted communities, companies can more effectively share information with similar businesses that face similar threats or operate similar IT systems.

The financial services sector was one of the first sectors of critical infrastructure to establish a dedicated information sharing organization, the Financial Sector Information Sharing and Analysis Center (FS-ISAC). On a day to day basis, the FS-ISAC facilitates sharing about critical infrastructure incidents, including cybersecurity incidents, among industry. This can include offering mitigation recommendations, providing indicators of malicious activity, and sharing more detailed analytical reports.
Unless the victim company requests otherwise, data are always shared without specifically naming the victim company.

Government is also taking its own advice in terms of providing effective information sharing and coordination. On February 10, Lisa Monaco, Assistant to the President for Homeland Security and Counterterrorism, announced plans for a national Cyber Threat Intelligence Integration Center (CTIIC). The CTIIC [pronounced: “SEE-TICK”] is expected to serve as a single point of contact for the White House on emerging cyber threats to the United States. In this role, the CTIIC will be responsible for integrating cyber threat intelligence efforts within government to provide clear situational awareness and operational support to the President, similar to the National Counterterrorism Center’s role in integrating the government’s counterterrorism intelligence efforts. As the sector specific agency responsible for the financial services sector, Treasury will work closely with the CTIIC.

For Treasury's part, last year we established the Financial Sector Cyber Intelligence Group (CIG) within our Office of Critical Infrastructure Protection and Compliance Policy. The CIG’s role is to share information about cybersecurity incidents available through law enforcement and intelligence community channels with the private sector at the unclassified level. This team is working to deliver timely and actionable information that financial institutions can use to protect themselves. This group consists of cyber experts and security analysts who scour law enforcement and intelligence reports to find relevant activity, analyze and connect the dots between events, and issue information bulletins for security professionals in the financial sector. The FS-ISAC is a key partner for the CIG to get information to and from the sector.

As you can see, there are extensive efforts underway to utilize the power of information sharing.
I strongly recommend that you talk with your security staff to understand how your credit union is involved in cybersecurity information sharing processes, whether through the FS-ISAC or otherwise. Are you receiving information about attacks against other credit unions? Are you sharing information about attacks against your own credit union? And, if you aren’t managing your IT services in-house, then ask these questions of your vendors and make sure they are active members of the information sharing community. Assess whether you should be more involved in these efforts, and consider making additional investments to make sure your credit union is up to speed on current malicious activity.

Response and Recovery

We’ve talked about your institution’s baseline protections and information sharing protocols. The last topic that I would like to discuss relates to response and recovery. We must recognize that there is no such thing as absolute security and, while we should do everything we can to prevent them, incidents will occur. For this reason, we must maintain national and organizational incident response plans that make response and recovery processes more efficient, effective, and predictable.

Whether it is a stand-alone document or part of a larger business continuity and disaster recovery plan, your credit union should consider having a detailed, documented plan that provides clear incident response roles and responsibilities and articulates clear processes for “what we do next” once an incident has been detected. Your plan should explain what roles your senior leaders and the board play in managing and overseeing the cyber incident response. For example, should the full board or a committee – like risk or audit – initially be tasked to oversee the response from a governance perspective? Major incidents can create a sense of panic.
A good plan that defines specific roles and responsibilities can help your credit union stay focused in mitigating the incident and rapidly recovering. Who takes charge in these cases, what resources are available to them, and with whom do they work and communicate?

One important component of incident response will be your communication with law enforcement and other government officials. When a firm is under attack, there should be no confusion over who to call. You should have a tested process for contacting the appropriate Federal law enforcement agencies and financial regulators. If you do not have those contacts, we at Treasury are ready to make the relevant introductions.

Your plan should also consider what steps you might take to notify and protect any members or employees who are adversely impacted by cyber-incidents. Providing early warning to your members is critical to enable them to take action to prevent identity theft. And more companies are finding it in their business interest to make these notifications as soon as possible and offer identity protection services such as free credit reporting in order to maintain the trust and confidence of their customers. There are currently laws in 46 different states, as well as the District of Columbia and several territories, which require companies to make notifications when an individual’s personal information is compromised. In January, the President proposed legislation that would put in place a single, clear federal standard for timely notice. This legislation would help businesses and consumers by creating predictable requirements and strong consumer protections.
Once you have developed a strong incident response plan, testing these plans through exercises can help senior management and your security team to get comfortable with their incident response roles and responsibilities. These exercises allow CEOs, directors, and other key players to determine how they will navigate the pressures and problems that come from an intrusion. At Treasury, we have worked with DHS, the Financial Services Sector Coordinating Council, regulators, and others to regularly exercise processes for responding to cyber incidents that have the potential to impact the whole sector. Likewise, many trade associations regularly organize cybersecurity exercises.

My recommendation is that you take a close look at your cyber-incident response plans: Are they truly comprehensive? Have you established your own internal exercise regimes and/or participated in exercises with other credit unions and financial institutions to test these plans? These are some questions to consider to optimize your response and recovery procedures if faced with a cyberattack.

Conclusion

Adopting baseline best practices, sharing information, and developing sound response and recovery procedures are core steps that you can take to improve your organization’s cyber posture. These are all examples of areas where strong collaboration within the financial sector and across other sectors is required, and they are efforts we can build on to create the whole-of-nation approach needed to counter malicious cyber activity. Congress also has a role to play in that whole-of-nation approach.
In addition to issuing the Executive Order and the legislative proposal on victim notification requirements, the President has also recently proposed legislation that, if passed, would further improve information sharing while enhancing consumer protections and law enforcement capabilities. Just as the cyber-threat will continue to evolve, so must our approach to mitigating it. This legislative proposal provides important authorities and protections to strengthen our efforts.

In closing, I hope that what we’re doing at Treasury and across the Administration serves as encouragement for you to ensure you’re doing all that you can to prepare for cyber incidents. Raise this issue with your teams and at your credit unions. I understand that cybersecurity can seem like a daunting and technical topic. But I want to leave you with one important reassurance that I have stated before: improving your cybersecurity is not that complicated, and it starts with a conversation. Much of this effort begins with simply asking the right questions and accessing the right information. The resources to support this are already being developed and supported by your peers across the sector. And, of course, we at Treasury remain committed to helping you in your efforts, and so please reach out to us if you need further support and assistance in this area.

Thank you for having me here today and I look forward to continuing to work with you.

###