The White House issued
Among the other impacts of
The new designation is different from
“These changes will better align risk designations to avoid duplication and ensure they are tailored to the risks facing financial institutions today,” said Paul Benda, executive vice president of risk, fraud and cybersecurity for the American Bankers Association.
The list of systemically important entities has been under development since March 2023, when CISA
On the whole, Benda said the association “welcomes the administration’s National Security Memorandum, which incorporates feedback from the financial services industry,” saying that it “builds on the successful public-private sector collaboration for cybersecurity and critical infrastructure.”
The Bank Policy Institute, a policy advocacy group representing large financial institutions, also “strongly supports” the policy directive and commended the administration of President Joe Biden “for its ongoing commitment to strong public-private partnerships,” according to Heather Hogsett, a senior vice president for the institute.
The policy directive “will also support the financial sector by enhancing collaboration with national security agencies to ensure the intelligence community collects, analyzes and disseminates timely information on threats to critical infrastructure to support national-level systemic risk mitigation,” Hogsett said.
The U.S. intelligence community — which includes the FBI, CIA, National Security Agency and other agencies — has long provided cybersecurity threat information to companies and trade groups across the U.S. But the Tuesday directive specifically orders the Director of National Intelligence to prioritize issuing intelligence reports and analysis on threats to critical infrastructure “at the lowest possible classification level, consistent with the protection of sources and methods, such as through the robust use of tearlines,” which are excerpts of intelligence reports.
Using the “lowest possible classification level” will mean that more banks can get access to classified information if they have a security clearance obtained through the Department of Homeland Security’s private sector security clearance program. Typically only government employees and government contractors can obtain security clearances, but under the program, critical infrastructure owners and operators can apply for “secret” level security clearances.
Bank owners and operators could get a variety of information from these intelligence-sharing efforts. In alerts and advisories about software vulnerabilities and ransomware attacks, government agencies often include IP addresses, attack vectors, file fingerprints and other so-called indicators of compromise to help companies detect and ward off cyber threats. They may also highlight the strategies threat actors use to trick victims into sharing passwords or other information.
The directive, which replaces
Clearing up these roles, ensuring the intelligence community adequately shares cybersecurity intelligence with banks and other companies and aligning regulatory definitions of which companies are “systemically important” — it all comes in the service of fighting back against state actors that target American critical infrastructure and tolerate or enable malicious activity conducted by non-state actors, according to Caitlin Durkovich, deputy assistant to the president and deputy homeland security advisor for resilience and response.
“The policy is particularly relevant today, given continued disruptive ransomware attacks, cyberattacks on U.S. water systems by our adversaries, and the frequent and repeated testimony of the FBI Director and other senior administration officials who have sounded the alarm about the ways our critical infrastructure is being targeted by our adversaries,” Durkovich
“Resilience, particularly for our most sensitive assets and systems, is the cornerstone of homeland defense and security,” Durkovich she added.