GAO report urges Treasury to do more on financial sector cyber risk mitigation

Recommendations that the Treasury Department track and prioritize the financial services sector’s cyber risk-mitigation efforts and update the sector-specific plan to include specific metrics to measure progress are provided in a report released Thursday by the congressional watchdog.

The Government Accountability Office (GAO) initiated a review of the sector’s cyber risk mitigation to (1) describe the key cyber-related risks facing the financial sector; (2) describe steps the financial services industry is taking to share information on and address risks to its sector; and (3) assess steps federal agencies are taking to enhance the security and resilience of the sector.

The financial services sector – in which the GAO includes depository institutions (the report says “commercial banks,” though the federal credit union regulator was among those interviewed), securities brokers and dealers, and providers of the key financial systems and services that support these functions – holds about $108 trillion in assets and faces a variety of cybersecurity-related risks.

Key risks, it said, include (1) an increase in access to financial data through information technology service providers and supply chain partners; (2) a growth in sophistication of malware (software meant to do harm); and (3) an increase in interconnectivity via networks, the cloud, and mobile applications.

“Cyberattacks that exploit risks can occur against either public or private components of the sector,” the GAO said in a summary. “For example, in February 2016, hackers were able to install malware on the Bangladesh Central Bank’s system through a service provider, which then directed the Federal Reserve Bank of New York to transfer money to accounts in other Asian countries. This attack resulted in the theft of approximately $81 million.”

For financial sector cyber risk mitigation efforts, the GAO recommended that the Treasury secretary, “in coordination with the Department of Homeland Security and other federal and nonfederal sector partners, track the content and progress of sectorwide cyber risk mitigation efforts, and prioritize their completion according to sector goals and priorities in the sector-specific plan.”

For the sector-specific plan, it recommended that the Treasury secretary, in coordination with others as noted above, “update the financial services sector-specific plan to include specific metrics for measuring the progress of risk mitigation efforts and information on how the sector’s ongoing and planned risk mitigation efforts will meet sector goals and requirements, such as requirements for the financial services sector in the National Cyber Strategy Implementation Plan.”

It said Treasury “generally” agreed with the recommendations, though there was some pushback in Treasury’s written response, which suggested the department lacks the authority to require parties to provide it with information.

GAO report on critical infrastructure protection (September 2020)