7/31/2019 Nipp Ssp Banking
1/116
Banking and Finance Critical Infrastructure and Key Resources
Sector-Specific Plan as input to the
National Infrastructure Protection Plan
May 2007
Banking and Finance Government Coordinating Council Letter of Support
Banking and Finance Sector-Specific Plan
Table of Contents
Executive Summary 1
1. Sector Profile and Goals 1
2. Identify Assets, Systems, Networks, and Functions 2
3. Assess Risks 3
4. Prioritize Infrastructure 3
5. Develop and Implement Protective Programs 3
6. Measure Progress 3
7. CI/KR Protection Research & Development (R&D) 4
8. Managing and Coordinating SSA Responsibilities 4
Introduction 5
1. Sector Profile and Goals 7
1.1 Sector Profile 8
1.1.1 Deposit, Consumer Credit, and Payment Systems Products 9
1.1.2 Credit and Liquidity Products 9
1.1.3 Investment Products 9
1.1.4 Risk-Transfer Products (Including Insurance) 10
1.1.5 Federal and Self-Regulation of Financial Services Firms 10
1.1.6 State Regulation of Financial Services Firms 10
1.2 Security Partners 11
1.2.1 Relationships with Federal and State Regulators and Related Associations 11
1.2.2 Relationships with Private Sector Owner/Operators and Organizations 14
1.3 Sector Security Goals 19
1.4 Value Proposition 20
2. Identify Assets, Systems, Networks, and Functions 21
2.1 Defining Information Parameters 22
2.2 Collecting Infrastructure Information 23
2.2.1 Deposit and Payment System Products 23
2.2.2 Credit and Liquidity Products 24
2.2.3 Investment Products 24
2.2.4 Risk-Transfer Products 24
2.2.5 Collecting Asset Data 25
2.3 Verifying Infrastructure Information 25
2.4 Updating Infrastructure Information 25
3. Assess Risks 27
3.1 Use of Risk Assessment in the Sector 28
3.2 Screening Infrastructure 29
3.3 Assessing Consequences 29
3.4 Assessing Vulnerabilities 29
3.5 Assessing Threats 30
4. Prioritize Infrastructure 31
5. Develop and Implement Protective Programs 33
5.1 Overview of Sector Protective Programs 33
5.2 Determining Protective Program Needs 34
5.3 Protective Program Implementation 34
Going Forward 36
5.4 Protective Program Performance 38
6. Measure Progress 41
6.1 CI/KR Performance Measurement 41
6.1.1 Developing Sector-Specific Metrics 42
6.1.2 Information Collection and Verification 43
6.1.3 Reporting 43
6.2 Implementation Actions 44
6.3 Challenges and Continuous Improvement 46
7. CI/KR Protection R&D 47
7.1 Overview of Sector R&D 47
7.2 Sector R&D Requirements 47
7.3 Sector R&D Plan 48
7.4 R&D Management Processes 48
8. Manage and Coordinate SSA Responsibilities 51
8.1 Program Management Approach 51
8.2 Process and Responsibilities 51
8.2.1 SSP Maintenance and Update 51
8.2.2 Annual Reporting 51
8.2.3 Training and Education 51
8.3 Implementing the Sector Partnership Model 52
8.4 Information Sharing and Protection 52
Appendix 1: List of Acronyms and Abbreviations 55
Appendix 2: Statutory Authorities 57
Federal Regulators 57
State Regulators 62
Guidance and Key Documents: Federal Regulators 73
Guidance and Key Documents: State Regulators 92
Appendix 3: FSSCC Research and Development Agenda 95
List of Figures
Figure E-1. Vision Statement for the Banking and Finance Sector 2
Figure 1-1. FBIIC Members 12
Figure 1-2. FSSCC Members 15
Figure 1-3. Regional Partnerships 18
Figure 1-4. Locations of Regional Partnerships 19
Figure 1-5. Vision Statement for the Banking and Finance Sector 19
Figure 2-1. Vulnerability Assessment Methodology 21
Figure 3-1. Vulnerability Assessment Methodology 28
Figure 3-2. Dependent Relationships 30
Figure 4-1. Vulnerability Assessment Methodology 32
Figure 5-1. Vulnerability Assessment Methodology 33
Figure 6-1. Vulnerability Assessment Methodology 41
Figure 8-1. Information Flow 53
List of Tables
Table 6-1. Implementation Actions 44
Table A-1. Comparison Matrix: FSSCC R&D Challenges vs. NIPP R&D Themes 103
Executive Summary
The Banking and Finance Sector accounts for more than 8 percent of the U.S. annual gross domestic product and is the backbone for the world economy. As direct attacks and public statements by terrorist organizations demonstrate, the sector is a high-value and symbolic target. Additionally, large-scale power outages, recent natural disasters, and a possible flu pandemic demonstrate the wide range of potential threats facing the sector. With this understanding, financial regulators and private sector owners and operators work collaboratively to maintain a high degree of resilience in the face of a myriad of potential disasters, be they intentional or unintentional, manmade or natural. This collaboration has led to a comprehensive framework for a strong public-private sector partnership. This partnership has developed several programs that currently provide protection and crisis management, which are continuously improving.
Working through this public-private partnership, the Department of the Treasury, as the Sector-Specific Agency (SSA) for the Banking and Finance Sector, has developed this Sector-Specific Plan (SSP) in close collaboration with the Financial and Banking Information Infrastructure Committee (FBIIC) and the Financial Services Sector Coordinating Council for Critical Infrastructure Protection and Homeland Security (FSSCC). This SSP, along with the SSPs from the 16 other critical infrastructures identified in Homeland Security Presidential Directive 7 (HSPD-7), is part of the overall National Infrastructure Protection Plan (NIPP). This SSP contains the Banking and Finance Sector's strategy for working collaboratively with public and private sector partners to identify, prioritize, and coordinate the protection of critical infrastructure. This SSP also summarizes the extensive activities the sector has undertaken already to reduce vulnerabilities and share information.
1. Sector Profile and Goals
The Banking and Finance SSP provides a description of the complex nature of the sector and an overview of the sector's provision of products and services, which are: (1) deposit, consumer credit, and payment systems; (2) credit and liquidity products; (3) investment products; and (4) risk-transfer products (including insurance).
Essential to this sector overview is a description of the Federal and State regulatory authorities as well as self-regulatory organizations. The Banking and Finance Sector is highly regulated, with regulators providing oversight and, in some cases, guidance to and examinations of the financial institutions within their statutory purview. The financial regulators work together through the FBIIC to coordinate efforts with respect to critical infrastructure protection issues. In October 2001, the President established the FBIIC. The President's Working Group on Financial Markets currently sponsors the FBIIC, which is chaired by the Treasury Department's Assistant Secretary for Financial Institutions.
The private sector pillar of the security partnership is organized through the FSSCC, the Financial Services Information Sharing and Analysis Center (FS-ISAC), and the regional coalitions, which all promote voluntary information sharing efforts throughout the sector. The FSSCC membership is comprised of individual institutions, trade associations, and regional coalitions.
Collectively, its members control the majority of assets of the financial services sector. The FS-ISAC is the operational arm of the FSSCC, sharing specific information pertaining to physical and cyber threats, vulnerabilities, incidents, and potential protective measures and practices. The regional coalitions work to build relationships and share information among financial institutions and first responders, emergency management, and officials at the local level.
The public and private sectors share the following vision statement:
Vision Statement for the Banking and Finance Sector
To continue to improve the resilience and availability of financial services, the Banking and Finance Sector will work through its public-private partnership to address the evolving nature of threats and the risks posed by the sector's dependency upon other critical sectors.
To meet this shared vision, the Banking and Finance Sector has three primary goals. As with all endeavors focused primarily on security, the goals form a triad of prevention, detection, and correction of harm:
1. To maintain its strong position of resilience, risk management, and redundant systems in the face of a myriad of intentional, unintentional, manmade, and natural threats;
2. To address and manage the risks posed by the dependency of the sector on the Communications, Information Technology, Energy, and Transportation sectors; and
3. To work with the law enforcement community, the private sector, and our international counterparts to increase the amount of available resources dedicated to tracking and catching criminals responsible for crimes against the sector, including cyber attacks and other electronic crimes.
The Banking and Finance Sector's efforts are supported by strong value propositions that address voluntary collaboration for both the public and private sectors. For the financial regulators, voluntary programs provide unique insights into sector-wide resilience efforts and allow for important information-sharing and risk management procedures outside traditional regulatory discussions and processes. These efforts provide a means for addressing dynamic risks through voluntary collaboration rather than solely through regulation.
For the private sector, the voluntary collaborative efforts provide institutions with the opportunity to gain unique insight into their regulators' perspectives and priorities. Most importantly, the private sector participates in voluntary efforts because of the concrete value they provide to their companies and, in turn, their customers.
2. Identify Assets, Systems, Networks, and Functions
The products offered by the Banking and Finance Sector are largely intangible. Thus, efforts to identify assets are largely focused on critical processes rather than physical assets. The FBIIC agencies, through their oversight authority and shaped by 217 years of experience, obtain a vast amount of information on institutions, critical assets, and processes. These data are verified and updated through the continual process of regulatory examinations and mandated reporting.
3. Assess Risks
Risk assessments are a long-standing practice within the Banking and Finance Sector and are accepted by both the regulators and the private sector. The Treasury Department and the FBIIC agencies meet continually with financial institutions to determine whether any new assets are critical to the operations of the sector and thus require special attention regarding potential vulnerabilities.
The Banking and Finance Sector assesses consequences based on whether the loss or impairment of an asset or process would impact the sector's ability to operate in an orderly and efficient manner. The sector participants also consider the potential impact on the public's confidence in the financial system as a whole. Through vulnerability assessments, the sector has determined that some of its greatest challenges are its dependency on telecommunications, the power grid, information technology, and transportation. Along with understanding vulnerabilities, the Banking and Finance Sector integrates threat analysis into its protective programs and shares threat information through the FBIIC and the FSSCC as necessary.
4. Prioritize Infrastructure
The Treasury Department, in conjunction with the FBIIC agencies and the private sector, identifies and prioritizes key infrastructures and updates this list annually. This prioritization is based on the impact to the orderly and efficient operation of the sector and public confidence if the infrastructure were no longer able to operate or were impaired. Factors for prioritization include: the degree of dependence on the asset; the presence or absence of alternatives to the infrastructure; the public need for the services provided by the asset; the potential impact of disruption to the financial system; and the potential impacts on the economy resulting from a cascading disruption of other critical infrastructures and key resources.
5. Develop and Implement Protective Programs
Both the public and private sectors have key roles to play in implementing protective programs. Through direct mandates and regulatory authority, financial regulators have specific regulatory tools that they may implement in response to a crisis. Additionally, the Treasury Department, along with the FBIIC agencies, the members of the FSSCC, the FS-ISAC, and the regional coalitions, has developed and begun implementing numerous protective programs to meet the stated security goals. These protective programs range from developing and testing robust emergency communication protocols to conducting and participating in a variety of exercises.
Successful programs already have been implemented, including sector-specific crisis communication facilities for events in progress, coordination of regional resources to mitigate known physical security threats, and coordination between regulatory and private sector organizations for pandemic planning. Protective programs still in progress include building formal information-sharing networks, subscribing to warning and alert systems, conducting targeted outreach, supporting the development of regional coalitions, and reaching out to other sector coordinating councils and law enforcement.
6. Measure Progress
The Treasury Department is working with our public and private sector partners to develop sector-specific metrics aligned with the sector security goals. The process for developing these metrics will incorporate collaboration and insights from sector participants and regulators, as well as from other sectors' government and sector coordinating councils as appropriate. These include processes for developing metrics to address vulnerabilities stemming from gaps in sector dependencies, continuous improvement to the information-sharing framework, and unique challenges posed by cyber crime. The Treasury Department will coordinate with the FBIIC agencies and the FSSCC to validate, update, and implement these metrics.
Due to its complexity, measurements of the resilience efforts in the Banking and Finance Sector are difficult to quantify using standard business measurements. Therefore, a one-size-fits-all approach would be inapplicable to all aspects of the sector and also would weaken creativity and vitality in the sector, which would harm the Nation's economy overall.
7. CI/KR Protection Research & Development (R&D)
In 2006, the FSSCC formed an R&D Committee to develop plans and programs that would provide the most benefit to the specific critical infrastructure and key resources (CI/KR) requirements of the financial services sector. The R&D Committee has identified eight areas that present significant issues to the ability of the Banking and Finance Sector to meet its challenges: (1) Secure Financial Transaction Protocol (SFTP); (2) Resilient Financial Transaction System (RFTS); (3) enrollment and identity credential management; (4) suggested practices and standards; (5) understanding and avoiding the insider threat; (6) financial information tracing and policy enforcement; (7) testing; and (8) standards for measuring return on investment of critical infrastructure protection and security technology.
Accordingly, the R&D Committee views the following three themes as having the greatest impact on the financial services sector in terms of R&D projects: (1) protection and prevention systems; (2) advanced infrastructure architecture; and (3) human and social issues.
8. Managing and Coordinating SSA Responsibilities
The Secretary of the Treasury designated the Assistant Secretary for Financial Institutions as the Treasury official with the responsibility for carrying out the Treasury's duties as the SSA for the Banking and Finance Sector. The Assistant Secretary designated the Office of Critical Infrastructure Protection and Compliance Policy (OCIP) to provide the necessary functions on a daily basis. As such, the OCIP is the lead for all SSP activities and will continue to work with the FBIIC agencies and the FSSCC to coordinate any necessary updates and implementation efforts in conjunction with the triennial review of the National Infrastructure Protection Plan (NIPP) Base Plan.
Additionally, the Treasury Department will work with the FBIIC agencies and the FSSCC to provide any necessary training on the SSP, as well as training and education on business continuity, information sharing, emergency response protocols, and cross-sector dependencies.
Fortunately for the Banking and Finance Sector, a robust public-private sector partnership is already in place. The Treasury Department will continue to facilitate this partnership through our daily activities, outreach efforts, sponsoring of exercises, and through regularly scheduled meetings with the FBIIC and the FSSCC. The Treasury Department will continue to support and facilitate information-sharing efforts through the FBIIC, the FSSCC, the FS-ISAC, and regional coalitions.
Introduction
According to Homeland Security Presidential Directive 7 (HSPD-7),1 signed by the President on December 17, 2003, the Department of the Treasury, as the Sector-Specific Agency (SSA) for the Banking and Finance Sector, is required to develop a Sector-Specific Plan (SSP) for critical infrastructure protection. This SSP provides the Banking and Finance Sector's strategy for working collaboratively with public and private sector partners to identify, prioritize, and coordinate the protection of critical infrastructure. This SSP also summarizes the extensive activities the sector has already undertaken to reduce vulnerabilities and share information.
The Banking and Finance SSP is part of the overall National Infrastructure Protection Plan (NIPP). As such, the Banking and Finance SSP conforms to the guidance provided by the Department of Homeland Security so that the Banking and Finance SSP may be included in the NIPP. The NIPP provides the structure for integration of this SSP and the SSPs of the other 16 critical infrastructures and key resources identified in HSPD-7, thereby bringing together the efforts of these sectors into a single national program.
1 Homeland Security Presidential Directive 7 (HSPD-7), December 17, 2003, www.whitehouse.gov/news/releases/2003/12/20031217-5.html.
1. Sector Profile and Goals
The United States financial services sector is the backbone of the world economy. With assets estimated to be in excess of $48 trillion,2 this large and diverse sector accounted for more than $900 billion in 2005, or 8.1 percent of the United States' gross domestic product (GDP).3 Descriptions of the sector's profile and goals necessarily include the diversity of its institutions and the services they provide. Most important to this profile is the understanding that the financial services sector is primarily owned and operated by the private sector, whose institutions are extensively regulated by Federal and, in many cases, State government. In addition to these public sector entities, self-regulatory organizations (SROs), such as the Municipal Securities Rulemaking Board (MSRB), NASD, and the National Futures Association (NFA), and exchanges, such as the Chicago Mercantile Exchange (CME), the New York Stock Exchange (NYSE), and designated futures exchanges, also play an important role in industry oversight.
The financial services sector is complex and diverse. From the largest institutions with assets greater than one trillion dollars to the smallest community banks and credit unions, this diversity provides the ability for the sector as a whole to meet the needs of its large and diverse customer base. Whether it is an individual savings account, financial derivatives, credit extended to a large corporation, or investments made by a foreign country, financial institutions provide a broad array of products. These products: (1) allow customers to deposit funds and make payments to other parties (more than $12 trillion in assets);4 (2) provide credit and liquidity to customers (more than $14 trillion in assets); (3) allow customers to invest funds for both long and short periods (more than $18 trillion in assets); and (4) transfer financial risks between customers (more than $6 trillion in assets).5
Despite this diversity, a unifying mission of the U.S. financial sector is to ensure the continued efficiency in and continuity of the sector and its institutions. Through the extensive regulatory regime and formalized information-sharing organizations detailed in this plan, the sector has wide-ranging transparency and accountability, which ensures an orderly and efficient financial system that serves a broad range of needs for both investors and consumers. In turn, these factors create a sense of confidence that enables customers to entrust their assets to the care of financial institutions and to avail themselves of credit and liquidity.
As this plan details, today's U.S. financial regulatory regime consists of both Federal and State agencies, whose oversight assists in ensuring the integrity of individual institutions and the overall U.S. financial system. Working together, the public and private sectors encourage a highly competitive market where identifying and managing a myriad of financial and non-financial risks is essential to success. Through numerous laws enacted by Congress over the past 150 years, Federal financial regulators have implemented a complex regime that in many instances provides for examinations of institutions' operational, financial,
2 www.financialservicesfacts.org/financial2/today/assets.
3 GDP in 2005, www.bea.gov/bea/dn2/gdpbyind_data.htm.
4 www.fdic.gov/bank/statistical/stats/2e05dec/industry.html.
5 www.federalreserve.gov/releases/Z1/20060309/Coded/coded-4.pdf.
and technological systems. These examinations are designed to determine the extent to which the institution has identified its financial and non-financial risks, such as information technology infrastructures, and to evaluate the adequacy of controls and applicable risk management practices at the institution.
Additionally, financial regulators update guidance to financial institutions regularly. This guidance assists the sector in staying abreast of the evolving nature of both financial and non-financial risks. Financial risk guidance addresses a variety of issues including credit risk, reinvestment risk, interest rate risk, currency risk, and others. Guidance on non-financial risks addresses potential means for increasing risk management and resilience in the face of potential impacts that may result from a terrorist attack, natural disaster, or other incident. To the extent possible, these regulators have identified critical vulnerabilities, whether they are financial or operational, including Internet and information technology vulnerabilities. (See appendix 2 for a list of statutory authorities and examples of regulators' examination tools and guidance.)
Furthering the Nation's ability to respond appropriately to and manage terrorism-related risks, the President issued Homeland Security Presidential Directive 7 (HSPD-7). Among its primary objectives, HSPD-7 designates SSAs to lead collaborative efforts for the critical infrastructures. The Treasury Department is the SSA for the Banking and Finance Sector. As the SSA, the Treasury Department works with all relevant Federal departments and agencies, State, local and tribal governments, and the private sector, including key persons and entities in the financial services sector, to coordinate efforts to improve the sector's ability to prepare for, respond to, prevent, and mitigate terrorism, natural disasters, and other intentional or unintentional risks.
The Treasury Assistant Secretary for Financial Institutions implements the Treasury Department's responsibilities under HSPD-7. As part of fulfilling the responsibilities outlined in HSPD-7, the Assistant Secretary chairs the Financial and Banking Information Infrastructure Committee (FBIIC). The FBIIC is the working group comprised of the Federal financial regulators and agencies and State financial regulatory trade associations. Through the FBIIC, the Assistant Secretary coordinates certain policies, procedures, and responses to crises for the Federal and State financial regulators. (See section 1.2 for further details.)
To meet objectives set forth by HSPD-7 for collaboration with the private sector, the Treasury Department also works closely with the Financial Services Sector Coordinating Council for Critical Infrastructure Protection and Homeland Security (FSSCC). The FSSCC serves as the primary means for public-private sector collaboration and coordination. Members of the FSSCC include trade associations and financial institutions from all components of the private sector. Furthermore, the Secretary of the Treasury designates the private sector coordinator who, as a matter of practice, has been selected by the financial services industry to serve as the chair of the FSSCC. (See section 1.2 for further details.)
Along with the FSSCC, the Treasury Department supports the Financial Services Information Sharing and Analysis Center (FS-ISAC) and provides ongoing support of regional coalitions. (See section 1.2 for further details.)
1.1 Sector Profile
The Banking and Finance Sector is a service-based industry providing a wide variety of financial services in the United States, and many such services throughout the world. These services range from the simple cashing of a check to highly complex arrangements that facilitate the transferring of financial risks. Financial institutions are organized and regulated based on the services the institutions provide. Therefore, the sector profile is best described by defining the services offered. These categories include: (1) deposit and payment systems and products; (2) credit and liquidity products; (3) investment products; and (4) risk-transfer products.
With more than 17,000 depository institutions,6 15,000 providers o various investment products,7 more than 8,500 providers
o risk-transer products,8 and many thousands o credit and nancing organizations, the nancial services sector is both large
in assets and in the number o individual businesses.
1.1.1 Deposit, Consumer Credit, and Payment Systems Products
Depository institutions o all types (banks, thrits, and credit unions) are the primary providers o wholesale and retail pay-ments services, such as wire transers, checking accounts, and credit and debit cards. These institutions use and/or operate the
payments inrastructure, which includes electronic large value transer systems, Automated Clearinghouses (ACH), and auto-
mated teller machines (ATM). These institutions are the primary point o contact with the sector or many individual custom-
ers. Additionally, these institutions may be Federal or State-chartered banks or credit unions; however, in most instances, the
Federal nancial regulators have at least some authority over these institutions.
Along with the aorementioned payment systems, these depository institutions provide customers with various orms o
extensions o credit, such as mortgages and home equity loans; collateralized and uncollateralized loans; and lines o credit,
including credit cards. Consumers have multiple ways o accessing these services. For example, customers can make deposits
in person at a depository institutions branch oce, through the mail, at an ATM, or via direct deposit using ACH transactions.
Customers can make withdrawals at a branch oce, at an ATM, or by using a debit card or check. Customers also can accesscredit lines through other retail banking services using the telephone or the Internet. In the United States, customers typically
have deposit, checking, and loan accounts with more than one depository institution. The average household may have up to
18 account relationships spread among 12 nancial institutions.9
1.1.2 Credit and Liquidity Products
Customers seek liquidity and credit or a wide variety o needs. For example, individuals may seek a mortgage to purchase a
home, businesses may obtain a line o credit to expand their operations, and governments may issue sovereign debt obliga-
tions. Many nancial institutions, such as depository institutions, nance and lending rms, securities rms, and Government-
Sponsored Enterprises (GSE) meet customers long- and short-term needs through a multitude o nancial products. Some o
these entities provide credit directly to the end customer, while others do so indirectly by providing wholesale liquidity to
those nancial services rms that provide these services on a retail basis.
Essential to the credit and liquidity market is the assurance that these products are available with integrity and airness. The
law provides or consumer protections against raud involving these products, as well as certain other consumer protections,
many o which are tied directly to the specic type o credit and liquidity product. Furthermore, credit and liquidity products
are governed by a complex body o laws. These laws include Federal and State securities laws, banking laws, and laws that are
tailored to the specics o a particular class o lending activity.
1.1.3 Investment Products
A strong investment environment is essential to the growth of the U.S. economy. Moreover, the diversity of investment service providers and products ensures that U.S. financial markets are the best in the world. These products provide opportunities for both short- or long-term investments and include debt securities (such as bonds and bond mutual funds) and equities (such as stocks or stock mutual funds), and derivatives (such as options and futures). Securities firms, depository institutions, pension funds, and GSEs all offer financial products that are used for investing needs. These investment products are issued and traded
6 www2.fdic.gov/sod/sodSumReport.asp?barItem=3&sInfoAsOf=2006 and www.ncua.gov/data/FOIA/foia.html.
7 www.icifactbook.org/06_fb_sec1.html.
8 National Association of Insurance Commissioners, 00 Insurance Department Resources Report, p. 46.
9 Sheshunoff Bank Profit Improvement Manual.
in various organized markets, from physical trading floors to electronic markets. Certain securities, U.S. Treasuries and equities of some multinational companies, are traded around the globe 24 hours a day. The Treasury, the Securities and Exchange Commission (SEC), the Commodity Futures Trading Commission (CFTC), banking regulators, and insurance regulators all provide financial regulation for certain investment products. The SEC and CFTC have legally designated SROs. Notably, the SEC has the power to delegate authority to its SROs, national stock exchanges and NASD, to enforce certain industry standards and requirements related to securities trading and brokerage. Similarly, the CFTC oversees exchanges and the industry SRO, i.e., designated futures exchanges, and the NFA, which have regulatory authority to enforce industry standards and requirements related to futures trading and participants. These regulatory requirements are directed toward consumer protection, fair and orderly markets, and the ongoing capability of financial services firms to meet their financial obligations.
1.1.4 Risk-Transfer Products (Including Insurance)
The transfer of financial risks, such as the financial loss due to theft or the destruction of physical or electronic property resulting from a fire, cyber attack, or other loss event, or the loss of income due to a death or disability in a family, is an important tool for the sustainability of businesses and economic vitality of individuals and their families. A wide variety of financial institutions provide risk-transference products to meet this market need.
The U.S. market for financial risk-transfer products is among the largest in the world, measuring in the trillions of dollars. These products range from straightforward to exceedingly complex. For example, insurance companies, futures firms, and forwards participants offer financial products that allow customers to transfer various types of financial risks under a myriad of circumstances. Marketplace efficiency often requires that market participants engage in both financial investments as well as in financial risk transfers that enable risk hedging. Financial derivatives, including futures and security derivatives, can provide both of these functions for market participants.
1.1.5 Federal and Self-Regulation of Financial Services Firms
All financial services firms are subject to the discipline of the financial market, and these markets have strong, though often informal, market discipline and self-regulation. Many of these financial firms are subject to additional governmental and legally mandated regulation and self-regulation. Such regulation is designed to provide reasonable assurance that consumers are protected and that the financial services firm is able to meet its financial obligations on an ongoing basis.
1.1.6 State Regulation of Financial Services Firms
Some financial services may be regulated at both the Federal and State levels. Insurance services are unique in that they are primarily regulated by States. Under the McCarran-Ferguson Act of 1945,10 Congress affirmed the exclusive right of the States to regulate the insurance industry. Except for a few Federal laws and regulations, State insurance commissioners generally have regulatory authority over all aspects of a firm's business, including rates and terms of policies, qualifications for licensing, market conduct, and financial structures and practices. (See appendix 2 for a listing of State statutory authorities.)
The chief insurance regulatory officials from each State collaborate through the National Association of Insurance Commissioners (NAIC). The NAIC is a member of the FBIIC. Many of the State insurance regulators review the disaster response and business continuity plans of insurers and conduct periodic examinations of these plans. Some States, such as New York, also are doing stress-testing of insurer plans following an event. This helps regulators be certain that the insurers are ready to serve their policyholders when disaster strikes. The NAIC developed a handbook for State insurance regulatory response to disasters entitled, The State Disaster Response Plan.
10 15 U.S.C. 1011 et seq.
In addition to the insurance industry, State agencies regulate State-chartered banks, thrifts, and credit unions. Membership in the Federal Reserve System is optional for State-chartered banks, but all of the banks are insured by the Federal Deposit Insurance Corporation (FDIC). The Office of Thrift Supervision (OTS) also regulates State-chartered savings associations with FDIC insured deposits. The National Credit Union Administration (NCUA) may regulate State-chartered credit unions that have Federal deposit insurance. State agencies also regulate the purchase and sale of securities and the provision of investment advice regarding securities.
1.2 Security Partners
As the SSA for the Banking and Finance Sector, the Treasury Department recognizes the vital role of both the financial regulators and the private sector. These regulators and the private sector are committed to the Banking and Finance Sector's security partnership. Working collaboratively, this partnership achieves its security goals and addresses the evolving nature of the sector and its potential risks.
The Treasury Department has formalized the collaboration of the sector's regulators, associations, and individual market participants through the FBIIC, the FSSCC, and the FS-ISAC, as well as an increasing number of regional coalitions. These organizations are the recognized structures through which public and private financial services sector participants: (1) share information both at the national and local levels; (2) assess and mitigate sector-wide risks; (3) develop and maintain key relationships; (4) conduct periodic testing of emergency protocols to be used during times of crisis; (5) establish research priorities; (6) organize and conduct exercises; and (7) act as a focal point for information sharing between the public and private sectors.
Furthermore, the Treasury Department works closely with the Department of Homeland Security (DHS) to meet the sector's security objectives. As a member of various key working groups led by, the Treasury Department apprises DHS of situational priorities and remains fully engaged with DHS. Some of these working groups include the Information Technology Government Coordinating Council, the Emergency Support Function Leader Group, the Homeland Security Integrated Intelligence Board Task Force, the Infosec Research Council, the National Cyber Response Coordination Group, the Strategic Homeland Infrastructure Risk Assessment, and the Cyber Security and Information Assurance.
1.2.1 Relationships with Federal and State Regulators and Related Associations
In October 2001, the President established the FBIIC.11 The President's Working Group on Financial Markets currently sponsors the FBIIC, which is chaired by the Treasury Department's Assistant Secretary for Financial Institutions. The FBIIC's role is to coordinate the efforts of Federal and State financial regulators with respect to critical infrastructure issues, including preparation for and response to cyber or physical attacks against the financial system or indirect attacks or events that may impact the sector. The FBIIC's membership includes experienced regulators from the following agencies and associations:
11 Executive Order 13231, 66 Federal Register (FR) 53063 (2001).
Figure 1-1: FBIIC Members
Commodity Futures Trading Commission (CFTC)
Conference of State Bank Supervisors (CSBS)
Farm Credit Administration (FCA)
Federal Deposit Insurance Corporation (FDIC)
Federal Housing Finance Board (FHFB)
Federal Reserve Bank of New York
Federal Reserve Board (FRB)
National Association of Insurance Commissioners (NAIC)
National Association of State Credit Union Supervisors
Office of the Comptroller of the Currency (OCC)
Office of Federal Housing Enterprise Oversight (OFHEO)
Office of Thrift Supervision (OTS)
Securities and Exchange Commission (SEC)
Securities Investor Protection Corporation (SIPC)
The Homeland Security Council
U.S. Department of the Treasury
These agencies have regulatory authority over different sections of the financial services sector and currently address infrastructure protection issues through routine regulatory interactions.
In fulfilling its mission, the FBIIC:
• Identifies critical infrastructure assets and their locations, and prioritizes their importance to the financial system;
• Establishes secure communications capability and protocols for communicating during an emergency among the financial regulators;
• Ensures that sufficient staff exist at each member agency with appropriate security clearances to handle classified information and coordinate in the event of an emergency;
• Encourages the private sector to conduct voluntary testing to improve emergency preparedness of critical financial institutions;
• Identifies the critical interdependencies of the Banking and Finance Sector with the Energy, Transportation, Communications and Information Technology sectors; and
• Promotes information sharing among and between the Federal, State, local, and tribal authorities, as well as the private sector.
The Treasury Department also works with Federal, State, local, and tribal law enforcement, including DHS and the Department of Justice (DOJ). Areas in which collaborative initiatives are being undertaken include the following:
• Fighting financial crimes, such as fraud and identity theft; and cyber crimes, such as phishing, directed at financial institutions;12
• Providing protective-response planning exercises designed to protect key assets and critical infrastructures and create a response plan that incorporates State, local, and tribal law enforcement; and
• Enhancing communications and coordination across the sector.
As noted previously, these agencies have extensive means to identify, assess, and assist with mitigating risks at the institutions within their legal purview. (See appendix 2, Public Sector Regulatory Tools, Guidance, and Reports, for specific examples from these agencies.) Specifically, these agencies include, but are not limited to, authority over the following components of the financial sector markets:
• The Bureau of the Public Debt administers the auction rules for Treasury marketable securities and the Government Securities Act regulations for participants in the secondary market for U.S. Government securities;
• The CFTC regulates futures commission merchants, introducing brokers, commodity trading advisors, commodity pool operators, futures markets, and derivatives clearing organizations. This is done in conjunction with exchanges such as the CME and the New York Mercantile Exchange, and the industry SRO, the NFA;
• The CSBS members regulate State-chartered banks;
• The FCA regulates the Farm Credit System;
• The FDIC regulates State-chartered banks that are not members of the Federal Reserve System and insured State branches of foreign banks;
• The FHFB regulates the Federal Home Loan Banks;
• The FRB regulates financial and bank holding companies and State-chartered member banks within the Federal Reserve System;
• The NAIC assists State insurance regulators in achieving their goals;
• Members of the North American Securities Administrators Association represent State securities regulators;
12 Phishing is a fraudulent scheme where an e-mail directs its recipients to Web sites where they are asked to provide confidential personal or financial information. Reports of phishing attacks rose dramatically in the last year.
• The NCUA regulates Federally chartered credit unions and shares some supervision responsibility with the State Supervisory Authorities for the Federally insured State-chartered credit unions;
• The OCC regulates national banks and the Federal branches and agencies of foreign banks;
• The OFHEO regulates Fannie Mae and Freddie Mac;
• The OTS regulates savings associations and savings and loan holding companies;
• The SEC regulates investment companies, investment advisors, broker-dealers, transfer agents, securities markets, and securities clearing organizations. This is done in conjunction with SROs such as MSRB, NASD, and NYSE;
• State insurance commissioners regulate insurance companies and producers; and
• The Treasury Department develops the Administration's economic and financial services sector policies.
1.2.2 Relationships with Private Sector Owner/Operators and Organizations
The Treasury Department has formed a strong bond with the private sector through the FSSCC, the FS-ISAC, and the regional coalitions. Members of these private sector organizations include depository and lending institutions, as well as exchanges, trade associations, and other organizations within the sector. The Treasury Department also consults individually with these institutions on the development or implementation of various policies, such as enhancing the sector's resilience.
FSSCC
Under the auspices of the FBIIC, the Treasury facilitated the creation of the FSSCC in June 2002 as the private sector arm of its protection strategy. The Treasury Department designates the Sector Coordinator for the Banking and Finance Sector, who as a matter of practice, is chosen by the FSSCC to be the chair of the FSSCC. The FSSCC, whose membership represents the sector through financial trade associations and organizations, fosters and facilitates the coordination of sector-wide financial services voluntary initiatives to improve critical infrastructure protection and homeland security. The organizations comprising the FSSCC hold the majority of the assets of the financial services sector and include financial institutions, trade associations, and regional partnerships. The FSSCC's success is due to the strong commitment of its members and their significant time contribution by high-level executives who are focused on problem solving and driven by achievable outcomes. The following institutions and organizations are members of the FSSCC:
Figure 1-2: FSSCC Members
Americas Community Bankers
American Bankers Association
American Council of Life Insurers
American Society for Industrial Security International
BAI
BITS/The Financial Services Roundtable
ChicagoFIRST
Chicago Mercantile Exchange
CLS Group
Consumer Bankers Association
Credit Union National Association
Fannie Mae
Financial Information Forum
Financial Services Information Sharing and Analysis Center (FS-ISAC), LLC
Financial Services Technology Consortium
Futures Industry Association
Independent Community Bankers of America
Investment Company Institute
Managed Funds Association
NACHA - The Electronic Payments Association
National Association of Federal Credit Unions
National Futures Association
New York Board of Trade
Securities Industry Association
Securities Industry Automation Corporation
The Bond Market Association
The Clearing House
The Depository Trust & Clearing Corporation
The NASDAQ Stock Market, Inc.
The Options Clearing Corporation
Visa USA & Visa International
The mission of the FSSCC is to:
• Provide broad industry representation for critical infrastructure protection and homeland security (CIP/HLS) and related matters for the financial services sector and for voluntary sector-wide partnership efforts;
• Foster and promote coordination and cooperation among participating sector constituencies on CIP/HLS-related activities and initiatives;
• Identify voluntary efforts where improvements in coordination can foster sector preparedness for CIP/HLS;
• Establish and promote broad sector activities and initiatives that improve CIP/HLS, such as addressing interdependencies among the financial and other sectors;
• Identify barriers and recommend initiatives to improve the sharing of information and knowledge among the financial services sector; and
• Improve sector awareness of CIP/HLS issues, sector activities/initiatives, and opportunities for improved coordination.
The Treasury Department also works with private sector institutions by conducting response planning exercises. These exercises, which in the past have included law enforcement, Government, and intelligence agencies, coordinate response and communication among Federal, State, local, and tribal first responders to specific institutions.
The joint successes of the FBIIC and the FSSCC include the following:
• Suggestions for financial institutions for different threat conditions under the Homeland Security Advisory System. This document was originally developed by FSSCC members BITS and Securities Industry Association (SIA);
• Exchange of information and best practices for critical infrastructure protection issues;
• Post-incident analysis of cyber attacks and other disruptive events, such as the Northeast Blackout of 2003 and Hurricane Katrina in 2005, to improve Government and private sector remediation and response;
• Development of an integrated set of crisis management calls and actions across the sector; and
• Several protective response exercises with the private sector to improve public and private emergency preparedness of critical financial institutions.
FS-ISAC
The Treasury Department also works closely with the FS-ISAC,13 one of the oldest private information-sharing initiatives in the United States. The FS-ISAC was set up as the financial sector response to the requirements of Presidential Decision Directive 63 (Protecting America's Critical Infrastructures) in May 1998.
The mission of the FS-ISAC, in collaboration with the Treasury Department and the FSSCC, is to enhance the ability of the financial services sector to prepare for and respond to cyber and physical threats, and vulnerabilities and incidents, and to serve as the primary communications channel for the sector.
The FS-ISAC is the designated operational arm of the FSSCC and supports the protection of the U.S. financial services sector by providing assistance to both the FSSCC and the Treasury to identify, prioritize, and coordinate the protection of critical financial services, infrastructure service, and key resources; and to facilitate sharing of information pertaining to physical and cyber threats, vulnerabilities, incidents, and potential protective measures and practices.
The FS-ISAC has identified the following strategic objectives to accomplish its mission:
• Provide an effective forum for information sharing within the financial services sector, with other critical infrastructure and key resources (CI/KR) organizations, and with the U.S. Government;
• Identify critical financial services sector operational support issues and requirements and articulate those to the Treasury and DHS;
13 As outlined in the National Strategy to Secure Cyberspace (February 2003), information sharing and analysis centers (ISACs) are the cornerstone of industry information sharing, www.whitehouse.gov/pcipb.
• Serve as the sector communications hub conveying timely and accurate cyber and physical threat information, and vulnerability and incident alerts to the membership;
• Serve as the sector communications hub during emergencies, through the delivery of rapid notifications and communication to and among the FS-ISAC and the FSSCC members;
• Identify and implement new services that add value to the membership and support the mission of the FS-ISAC; and
• Collaborate with the Treasury and the FSSCC to:
  • Foster awareness of the benefits of information sharing within the sector, among other CI/KR organizations, and within the Government;
  • Educate the financial services sector on key infrastructure protection issues, vulnerabilities, threats, risk management, and compliance issues; and
  • Coordinate with other public and private sector CI/KR organizations to ensure sector awareness and emergency preparedness.
The FS-ISAC is also a member of the ISAC Council, which fosters collaboration and sharing of information with the other critical infrastructure sectors.
In 2003 and 2004, the Treasury Department acquired $2 million in services from the FS-ISAC, which had the added benefit of enhancing the FS-ISAC's capabilities. The enhanced FS-ISAC now has the capacity to better serve the financial services sector. The FS-ISAC integrates physical and cyber threat information and provides a state-of-the-art technology platform for the confidential exchange of information.
Regional Partnerships
The resilience of the financial services sector is enhanced by efficient and effective collaborative efforts of sector participants. The FBIIC and the FSSCC form a public-private partnership at the national level, and they ably address CIP/HLS issues that cut across most, if not all, of the financial sector. However, natural and manmade disasters occur locally. Enhancing and maintaining the resilience of financial institutions in the face of a crisis thus depends upon the following:
• How well the business continuity and security plans of institutions incorporate emergency response and recovery measures of police, fire, and other local, State, and Federal participants in the regional emergency management sphere;
• How well the business continuity and security plans are informed by regional partners in the Communications, Information Technology, Transportation, and Energy sectors; and
• The development of information-sharing relationships with other financial institutions within each region.
The precursor of the first regional partnership was the SIA Business Continuity Committee formed in December 2001. This committee was an outgrowth of the New York-based coalition of large financial services firms known as SIBCMG (Securities Industry Business Continuity Management Group). The informal relationships established by this committee have enhanced the resilience of these firms and the Nation's securities markets.
More formal initiatives in other regions have followed the efforts in New York. For example, in 2003, ChicagoFIRST became the first formal regional partnership within the financial sector, and it has since been followed by numerous others. The composition of these organizations varies from the various financial charters within ChicagoFIRST and FloridaFIRST to the combination of financial and non-financial members of partnerships in Minneapolis and San Francisco.
The Treasury, the FBIIC, and the FSSCC have encouraged and supported regional partnerships. To aid this process, the Treasury, ChicagoFIRST and BITS, a FSSCC member, created a cookbook guide for establishing regional coalitions, Improving Business
Continuity in the Financial Services Sector: A Model for Starting Regional Coalitions.14 In addition, Congress promoted the establishment of regional partnerships within the financial sector in the Intelligence Reform and Terrorism Prevention Act of 2004.15
Following the success of ChicagoFIRST and the subsequent promotion of the regional partnership concept, regional partnerships have formed in many areas of the country, including the following:
Figure 1-3: Regional Partnerships
Chicago (ChicagoFIRST)
Miami (FloridaFIRST)
Tampa (FloridaFIRST)
San Francisco (Bay Area Response Coalition (BARC FIRST))
Los Angeles (SoCalFIRST)
Minneapolis (MN-ISAC and Minnesota Security Board)
Birmingham (Alabama Recovery Coalition for the Financial Sector)
Houston (HoustonFIRST)
In addition to these formally established partnerships, several other regions in the United States are aggressively pursuing the formation of such organizations in their region or State.
In 2006, in order to share best practices, assist one another, and plug into the existing national public/private partnership, these regional partnerships formed the Regional Partnership Council, called RPCFIRST. The organization meets quarterly and is developing a Web site.
14 www.treas.gov/press/releases/reports/chicagofirst_handbook.pdf.
15 www.gpoaccess.gov/serialset/creports/intel_reform.html.
Figure 1-4: Locations of Regional Partnerships (map showing BARC FIRST, MN-ISAC and Minnesota Security Board, ChicagoFIRST, FloridaFIRST, HoustonFIRST, Alabama Recovery Coalition for the Financial Sector, and SoCal FIRST)
1.3 Sector Security Goals
The Banking and Finance Sector is strong and resilient, with an infrastructure that is designed to respond quickly and appropriately to detect, deter, prevent, and mitigate physical and cyber-based intrusions, attacks, or other emergencies. This ability ensures the continuity and efficient operation of the sector's institutions, and thereby serves to strengthen public confidence in the U.S. economic system.
Vision Statement for the Banking and Finance Sector
To continue to improve the resilience and availability of financial services, the Banking and Finance Sector will work through its public-private partnership to address the evolving nature of threats and the risks posed by the sector's dependency upon other critical sectors.
The Banking and Finance Sector has three primary goals to achieve this vision statement. As with all endeavors focused primarily on security, the goals form a triad of prevention, detection, and correction of harm with the following objectives for the sector:
1. To maintain its strong position of resilience, risk management, and redundant systems, in the face of a myriad of intentional, unintentional, manmade, and natural threats;
2. To address and manage the risks posed by the dependence of the sector on the Communications, Information Technology, Energy, and Transportation sectors; and
3. To work with the law enforcement community, the private sector, and our international counterparts to increase the amount of available resources dedicated to tracking and catching criminals responsible for crimes against the sector, including cyber attacks and other electronic crimes.
The agencies are mindful of the risk that an unanticipated event, such as a terrorist attack, could occur in a manner that we have not seen before and for which we may not be completely prepared. Moreover, we live with the continuing threat of turbulent weather, which could severely damage the critical infrastructure and facilities of financial services firms. In addition, the financial services industry cannot fully protect against infrastructure disruptions of telecommunications, and it can provide only limited resilience against disruptions in other elements of the critical infrastructure, such as power, transportation, and water.16
1.4 Value Proposition
The public and private sectors have equally compelling value propositions to support their voluntary participation in sector-wide resilience efforts, including this SSP.
For financial regulators, working collaboratively with the private sector furthers the important mission to promote the orderly and efficient operation of the financial services sector. While financial regulators enforce extensive regulation and conduct regular examinations of the institutions, voluntary collaboration with the private sector has proved to be an effective method to garner industry-wide participation in the identification of emerging and dynamic risks and preparation of response capabilities. Through information sharing, testing, and exercises, regulators are able to better understand sector-wide vulnerabilities and resilience. These efforts provide a means for addressing dynamic risks through voluntary collaboration rather than solely through regulation.
For private sector institutions and organizations, participation in voluntary collaborative efforts provides value in several ways. Working alongside the public sector provides unique insights into regulators' concerns, perspectives, and priorities. Through relationship building, information sharing, testing, and exercises, financial institutions are able to discuss matters outside of the normal regulatory framework. Most importantly, financial institutions and financial services organizations participate in these voluntary efforts because of the concrete value they provide to their companies and, in turn, their customers. Customers must have confidence in their financial institutions' ability to maintain orderly operations and to be highly resilient. Participating in these voluntary sector-wide efforts provides institutions with a better understanding of vulnerabilities within the sector as well as risks posed by its dependence on other sectors. Insights gained through voluntary collaboration assist financial institutions' efforts to tailor responses to manage their specific risk as well as sector-wide risk. In turn, the financial institutions are better able to meet their customers' demand for a high degree of resilience and reliability.
16 www.federalreserve.gov/boarddocs/rptcongress/soundpractices/soundpractices200604.pdf.
2. Identify Assets, Systems, Networks, and Functions
Essential to conducting a risk assessment of the Banking and Finance Sector is the awareness that the products of the financial services industry are not overwhelmingly physical in nature. Thus, identifying and assessing assets in the sector is focused largely on identifying critical processes based on the organization of the sector as described in chapter 1, and the institutions that either own and operate or participate in these processes, rather than focusing on physical assets.
Figure 2-1: Vulnerability Assessment Methodology
Many institutions play important roles in the financial system. Identifying institutions that have systemically critical operational roles is relevant to make certain of their rapid recovery from a disruption of their critical functions, regardless of the cause. Identifying those institutions also is necessary for imposing appropriate business continuity planning and recovery standards and ensuring their compliance with those standards. After careful consideration, the Treasury Department and the FBIIC agencies have identified a small number of systemically critical institutions whose operations form the backbone of the financial
system. All of the systemically critical institutions are subject to some form of Government oversight, and their resilience is a matter of keen interest. As technology and innovation advance the operations of financial services firms, the list of systemically critical institutions may evolve over time.
There are also institutions or groups of institutions that, while not systemically critical, play significant roles in critical financial markets. Consequences of disruption at these organizations would vary. For example, an operational disruption at the largest banks and firms with significant payment or market activities could be tolerated for a limited time, while disruptions at others may be tolerated for longer periods, especially if their operations could be shifted or performed by other market participants. After September 11, 2001, the securities markets and several futures exchanges were closed until telecommunications and other services were restored to lower Manhattan. The fact that these markets and new transactions were affected for a short period of time did not result in significant damage to or loss of confidence in the U.S. financial system.
Diversity within the financial services sector and geographic dispersion of its institutions lend significant resilience to the Banking and Finance Sector. In addition to the systemically critical institutions described above, the U.S. financial system consists of many thousands of depository institutions, securities and futures firms, insurance companies, and other financial service companies, and supports a number of exchanges and over-the-counter markets, all of which provide a high degree of redundancy across the sector. The competitive structure of the financial industry and the breadth of the financial instruments provide a level of resiliency against attack and other types of physical or cyber disruptions. Accordingly, for purposes of determining systemic vulnerabilities, these institutions, while certainly important to the financial system, are not considered systemically critical.
2.1 Defining Information Parameters
The Banking and Finance Sector may be divided into several functions: deposit and payments systems; credit and liquidity products; investment products; and risk transfer products. Various members of the FBIIC regulate each of these functions as outlined in section 1.1. The financial regulators, through their oversight authority, obtain a vast amount of information on institutions, critical assets and processes, and potential vulnerabilities. Sector-wide risk assessments are process-driven and address interdependence. Individual institutions also conduct their own risk assessments to identify and mitigate internal vulnerabilities and external dependencies.
The Treasury Department, through collaboration and insights obtained from the members of the FBIIC and the FSSCC, gathers sector-specific information. Although the definition of asset data is limited to the categories collected by the regulators, regulatory examinations and trade association surveys are thorough and provide adequate information for defining financial assets. General information for assets may include, as appropriate to each component of the sector:
• Asset name, mailing address, physical location, owner/operator name;
• Function or type of transaction: deposit and payments systems; credit and liquidity products, including investment and risk transfer;
• Geographic region, financial center;
• Number of employees;
• Economic contribution: total market value of financial transactions conducted by or through the asset on a daily, weekly, monthly, and yearly basis;
• International considerations, if any;
• Existing and planned protective measures;
• Membership in a regional partnership or ISAC;
• Dependence on other sectors: Communications, Energy, Information Technology, and Transportation;
• Interaction with other assets: those other critical national assets directly and indirectly affected by the operation of each asset;
• Backup capability: location and function of backup facilities (data center and business resumption); and
• Substitutability: whether other industry systems or infrastructures would be able to serve the same function.
Intangible assets, such as systems, databases, or networks, are in one way or another linked to physical assets and locations. Systemically significant assets are stratified by their examination agency with respect to criticality to the financial services sector as a whole.
2.2 Collecting Infrastructure Information
The Treasury Department's and the Federal and State financial regulators' expertise in the financial services sector has been shaped by 217 years of experience. Continuous financial regulatory examinations and reporting requirements provide the financial regulatory agencies with voluminous and consistently updated data on institutions' operations and finances. Through the collaborative efforts of the FBIIC, the financial regulatory authorities have assessed the Banking and Finance Sector, identifying strengths and weaknesses within the domestic financial system, as well as pinpointing some institutions that play a systemically critical role within the sector.

In the private sector, financial trade associations regularly collect and share information on their member institutions for policy development. For example, the FSSCC members surveyed their members on lessons learned from the Northeast Blackout of 2003 and Hurricane Katrina in 2005. This effort helps to guide policymakers in understanding the needs of the sector in preparation for future events. The FSSCC members also gathered information on the participation of their members in programs such as Government Emergency Telecommunications Service (GETS), Wireless Priority Service (WPS), and Telecommunications Service Priority (TSP). This information helps to target those organizations that qualify for these services but are not yet taking advantage of them.
2.2.1 Deposit and Payment System Products
The depository institution system is supported by electronic payment systems that link these institutions to one another and to their customers. Examples of these systems and networks are the many regional/national ATM networks17 that permit consumers to access their funds from more than 1.5 million ATM sites worldwide;18 four major credit card sponsors;19 and the ACH operators, which processed nearly 14 billion payments worth more than $27.9 trillion in 2005.20 Businesses and consumers increasingly use ACH payment systems to make recurring payments (e.g., creditor withdrawal of the customer's monthly mortgage and other recurring payments).21

Several other payment systems, such as the Clearing House Interbank Payments System (CHIPS) and Fedwire, support larger value payments. In 2005, the Fedwire payments system sent 132 million payments, valued at $518 trillion per year over its system, with an average transaction size of $3.9 million. During the same period, the CHIPS payment network sent 71 million payments valued at $350 trillion with an average size of $4.9 million per payment. It is important to note that these systems may be linked to payments occurring in systems outside the United States. Also, the securities clearing systems, such as the Depository Trust & Clearing Corporation for the equities and government securities markets and The Options Clearing Corporation for the securities derivatives markets, process more than 8.35 billion transactions worth $1.01 quadrillion annually.22

17 ATM networks generally support both ATM and Personal Identification Number (PIN)-based debit card transactions.
18 ATM Industry Association Europe.
19 These merchants have 55 million locations (merchants and ATMs) worldwide. The four major credit card companies are Visa, MasterCard, American Express, and Discover.
20 www.nacha.org/News/news/pressreleases/2006/Pr050806/pr050806.htm.
21 By comparison, $2.3 trillion worth of payments and another $1.2 trillion worth of securities settlements typically are made daily through the Federal Reserve's large-value payment system, while another $1.7 trillion are made over CHIPS, also a large-value system.
Retail customers are increasingly processing their transactions with their depository institutions via the Internet. Financial regulators have issued extensive guidance to these institutions on how to manage this activity and mitigate the risks associated.

These deposit and payment system products are governed by a complex system of requirements, generally promulgated by Federal banking agencies, the SEC, or private SROs or rule-making bodies. The organizations operating payment systems are examined for compliance purposes by the appropriate agencies. For example, distinct Federal regulations govern the processing of funds stemming from checks and inter-bank funds transfers, while ACH payments are governed by rules promulgated by NACHA - The Electronic Payments Association.
2.2.2 Credit and Liquidity Products
Credit markets are not formal markets with either a physical location or one narrow set of methods that define them. Rather, there are a wide variety of financial firms that provide credit and financing, including more than 17,000 depository institutions in the United States,23 and a wide variety of non-depository providers, including mortgage financing firms, and many others. Moreover, many of the financial firms that provide financing at retail institutions require liquidity to fund their financing activity.

The number of financial services providers of credit and liquidity is extremely large, due to the many specialized niche markets serviced and the often highly tailored financial services provided. Given the many types of products, there is no single set of systems at work that dominates these financial products. However, throughout the entire financial services sector there are rigid goals of safeguarding the assets of clients and ensuring that client assets, the financial firms' assets, and recordkeeping systems are highly resilient to any foreseeable event.
2.2.3 Investment Products
Collectively, the thousands of investment service providers own more than $16 trillion24 in financial assets. Many of these providers operate in a highly regulated environment governed by a complex legal structure.

Some of these investment products are provided on highly formalized financial markets, while others are provided by regulated financial services providers not acting specifically in a formal financial market. Examples of highly developed formal financial markets include financial exchanges, at which financial assets are traded in a tightly regulated manner so as to achieve the desired purposes of market participants.

These formal financial markets have highly developed and extremely efficient, redundant networks and systems that provide a high degree of resilience for these markets in the face of a variety of potential situations. Additionally, these networks incorporate strong safeguards to protect clients' assets and provide both the customers and institutions with consistent access to their funds and records.
2.2.4 Risk-Transfer Products
Risk-transfer products include insurance and hedging instruments such as futures and options. Hedging instruments valued at close to $1 quadrillion are traded annually.25 Insurance covers in excess of $6 trillion26 worth of assets. Financial risk-transfer products often are tailored to the unique nature of the risks involved, although there are numerous standardized financial risk-transfer products, such as those traded on options and futures exchanges. Thus, the networks and systems used by the institutions providing these services often are tailored to the individual financial firm.

22 www.dtcc.com/AboutUs/2005annual/dtcc2005_annual.pdf and www.theocc.com/about/ann_rep/ann_rep_pdf/annual_rep_05.pdf.
23 www2.fdic.gov/sod/sodSumReport.asp?barItem=3&sInfoAsOf=2006 and www.ncua.gov/data/FOIA/foia.html.
24 www.federalreserve.gov/releases/Z1/Current/annuals/a1995-2005.pdf.
25 www.cme.com/about/ins/caag/FacFigu2803.html and www.theocc.com/about/ann_rep/ann_rep_pdf/annual_rep_05.pdf.
26 www.federalreserve.gov/releases/Z1/Current/annuals/a1995-2005.pdf.
2.2.5 Collecting Asset Data
To meet the challenge of more complex financial markets, products, and delivery systems, financial institutions, in particular large financial institutions, have been implementing more formal and complex risk management systems. Similarly, the regulators have refined their approach to supervision of financial institutions of all sizes by adopting a risk-focused approach to meet new challenges. Some regulators assign a staff of full-time examiners, who work on site, to the largest, most complex financial institutions. This on-site presence allows regulators to receive updated information about larger firms on a daily basis.

Federal, and at times State, law gives financial regulatory agencies broad authority to access records held or maintained by regulated financial institutions.27 That information generally is provided exclusively to the financial regulatory agency, although in the event of potential criminal law violations, mechanisms exist to share that information with law enforcement agencies, including those within DHS.

The Treasury Department will continue to collect data on critical assets by coordinating with the FBIIC agencies.
2.3 Verifying Infrastructure Information
The Treasury Department, through the members of the FBIIC, uses a three-part process to verify asset information. First, a drafting committee collects and verifies the information. Second, the FBIIC members review the information for accuracy and errors. Third, a special FBIIC review committee subjects each asset assessment to rigorous questioning and review.
2.4 Updating Infrastructure Information
The information gathered through the examination process provides access to infrastructure information on the Banking and Finance Sector. The Treasury Department, through the members of the FBIIC, updates asset data on an as-needed basis. The frequent examination processes undertaken by the financial regulatory agencies ensure that up-to-date information is maintained regarding all facets of the regulated financial institutions, and the financial services industry regularly updates its regulators regarding both highly significant as well as routine changes.

27 Some of those sources of Federal statutory authority are contained in Titles 12 and 15 of the United States Code. (See appendix 2 for details.)
3. Assess Risks
Both the public and private members of the Banking and Finance Sector conduct risk assessments. These assessments look at issues and potential vulnerabilities both within individual organizations and sector-wide. Since risk management is part of the banking and finance culture, both regulators and private organizations have a long history of conducting regular risk assessments. In the private sector some of these risk assessments are mandated through regulation and validated by the examination process. Furthermore, the private sector institutions conduct voluntary risk assessments to meet their business needs as part of their continuity planning and/or in conjunction with trade associations' recommendations and self-regulatory requirements.

Following the attacks of September 11, 2001, the sector's risk assessment efforts became more formalized and took on a renewed sense of urgency. The FBIIC began an organized annual effort to examine the financial sector's resilience. The process has continued and matured over the years to include physical and cyber-based components of the sector as well as dependencies on other critical sectors. Information in this process is garnered through the regulators' extensive knowledge of sector participants. Furthermore, this information is verified through consultation with key private sector organizations. Information shared between the members of the sector and the financial regulators provides insights into the operational, financial, and systemic risks facing individual organizations and the sector as a whole. Through organizations such as the Federal Financial Institutions Examination Council (FFIEC), various private sector trade associations, and the FBIIC, there is ongoing verification and validation updating of risk assessment information. Furthermore, through individual information-sharing efforts between the Treasury Department and individual financial institutions, this process is further informed regarding new and emerging threats.

Through this process, the Treasury Department has identified potential limitations and created a process to identify and assess vulnerabilities within the sector.

The following sections refer to the efforts of the Treasury Department, working with the FBIIC members and the private sector, to identify sector vulnerabilities and assess the risks across the Banking and Finance Sector.
Figure 3-1: Vulnerability Assessment Methodology
3.1 Use of Risk Assessment in the Sector
The Banking and Finance Sector has a long-standing and accepted practice of conducting risk assessments and mitigating vulnerabilities. These risk assessments take into account NIPP baseline assessment criteria, including consequences, vulnerabilities, and threats to the essential underlying clearing, payment, and settlements systems of the sector. These assessments also consider vulnerabilities stemming from direct or indirect threats to the physical and cyber-based operations across the sector. Furthermore, these assessments consider the nature of the incident, be it natural or manmade. The focus of these sector-wide assessments is on the potential impact that such risks, if exploited, would have on the orderly and efficient operation of the sector.

In the private sector, consequence analysis assessment methodology includes potential economic impacts to the institution, reputation risk to the institution, and potential impacts to the employees and surrounding population and facilities depending on the nature of the incident.

In the public sector, each regulatory agency examines the individual entities within their purview based upon a risk management framework. This regimen has been fine-tuned over an extended period of time to address risk as it pertains to the resilience and integrity of both the individual institutions and the financial system as a whole. Consequence analysis in risk assessment methodologies in the public sector include potential economic impact, impact on public confidence in the financial system, and impact to the Government's ability to continue to provide its services to the public. These methodologies are complete, accurate, and reproducible in accordance with the NIPP baseline criteria. The assessments are updated daily through the intense and extensive regulatory examination process.
Collectively, the public sector, under the auspices of the FBIIC, carefully analyzes the entire U.S. financial system to assess its strength and resilience to manmade and natural disasters. Relying upon their collective expertise and experience, the members of the FBIIC developed a specialized risk assessment methodology for the Banking and Finance Sector. Based on this methodology, the FBIIC agencies identify financial institutions that play significant roles in key financial markets either individually or as a group. The vulnerabilities assessments address physical and cyber weaknesses in the financial services sector and are representative of both kinds of incidents. Collectively, these risk assessments provide an overall risk profile of the sector.
3.2 Screening Infrastructure
As stated in section 1, the Banking and Finance Sector may be divided into several functions: deposit and payments systems; credit and liquidity products; investment products; and risk-transfer products. The Treasury Department and members of the FBIIC use a screening process to identify certain assets within the Banking and Finance Sector that are systemically important. The sector is constantly changing, as are the dynamic screening efforts of the FBIIC to identify these systemically important assets. The Treasury Department and the FBIIC continually meet with financial institutions and regulators to determine any new assets that are critical to the operations of the sector. When a new asset is identified, the Treasury and the FBIIC take appropriate actions to address any vulnerability related to that asset.

The described asset data are controlled by the Treasury Department and the members of the FBIIC. The Treasury and key stakeholders in the public and private sectors update the asset data on an as-needed basis.
3.3 Assessing Consequences
The Banking and Finance Sector assesses the consequences of an asset's loss or impairment within the context of its impact on the sector's ability to operate efficiently and in an orderly manner and its potential impact on the public's confidence in the financial system as a whole. Several factors used in this assessment include diversity, redundancy, nature of dependence on the asset, network or system, and symbolic importance.
3.4 Assessing Vulnerabilities
The Banking and Finance Sector conducts ongoing vulnerability assessments. These vulnerability assessments include examinations into the potential risks resulting from cross-sector dependency, sector-specific vulnerabilities and dependencies on key assets, systems, technologies, and processes. These assessments are based upon the extensive knowledge of regulators and guidance issued, and take into account physical, cyber, and human vulnerabilities, available redundancy, and the sector's reliance on sector-specific assets, systems and processes, and cross-sector reliance on these factors. Consequence assessments include direct economic impacts and national confidence impacts, and are based on expert judgment and exercises.

Through the vulnerability assessments, the sector has determined that some of its greatest challenges are its dependence on the telecommunications network and the power grid. Also, the Treasury Department and the FBIIC have identified the following additional important sector dependencies: Communications, Energy, Information Technology, and Transportation systems. As addressed in chapter 5 on protective programs, various efforts are underway to address these dependence risks.
Figure 3-2: Dependent Relationships
Any vulnerability assessment of the financial services sector cannot be truly final because the sector is evolving constantly. Thus, the FBIIC members continue to update assessments regularly to identify vulnerabilities and manage and assess asset risks, especially as the sector adopts new technology. Furthermore, the Treasury Department will work with DHS to coordinate how to normalize the results of the Banking and Finance Sector's vulnerability assessments so that they may be comparable to the overall NIPP.
3.5 Assessing Threats
There have been individuals and groups that have attempted to exploit the sector for their own pecuniary gains. Over time, the sector has developed defenses to thwart these attacks. However, criminals and terrorists continue to devise new methods and schemes. Therefore, the Treasury works with other Federal agencies, including the DHS Homeland Infrastructure Threat and Risk Analysis Center, on a daily basis to assess physical and cyber threats that are identified as specifically directed at the sector or at an asset on a national, regional, or local level. Relationships with DHS and other SSAs provide real-time information regarding these threats. Additionally, when threats are identified, frequent communications between the FBIIC and the FSSCC facilitate the efficient and effective transfer of potential threat information, permitting the sector to mitigate vulnerabilities.
4. Prioritize Infrastructure
In the wake of the attacks of September 11, 2001, the Treasury, in conjunction with the members of the FBIIC and the private sector, undertook a renewed effort to identify and prioritize the key infrastructures. This effort is part of the overall risk assessment and management process taking place in the public and private sectors on an ongoing basis. The risk assessment methodology discussed in section 3 is part of the sector's overall risk management approach, which includes prioritization efforts. The prioritization within this approach assists the sector in determining the focus for protective programs.

In the private sector, this effort is an internal process to analyze and prioritize the processes and networks that the individual institutions need to meet their business continuity management and planning efforts.

In the public sector, the Treasury Department, through outreach to the members of the FBIIC, conducts an annual risk assessment review of the sector. This effort provides a sector-wide prioritization focused on business continuity and resilience for essential processes in the Banking and Finance Sector. The prioritization is informed by the extensive knowledge of the members of the FBIIC and, where appropriate, in consultation with certain private sector owners and operators. As the sector is changing constantly, so, too, are the Treasury and the FBIIC's processes for identifying and prioritizing the systemically important assets, processes, and networks. The Treasury Department and the FBIIC continually meet with financial institutions and regulators to determine any new assets that are critical to the operations of the sector. Results from these consultations are used to update the annual prioritization where appropriate.

The Treasury Department uses the prioritization to inform sector participants where appropriate and to facilitate discussions, if necessary, to employ protective measures with the owners and operators. In specific instances, the Treasury Department reaches out to these members of the sector to encourage participation in business continuity exercises and programs. From a sector-wide perspective, these prioritization efforts inform the FBIIC's perspective on overall sector risk and, in turn, influence the Treasury Department's ongoing development of new outreach programs.

Furthermore the Treasury Department works with its security partners, including DHS, to