Three financial services trade organizations had mixed reactions to an executive order, signed by President Trump last week, that calls for a massive review of cybersecurity efforts in government agencies, requires agencies to use one set of cybersecurity risk-management standards and holds agency heads accountable for protecting data.
Within the next 90 days, heads of executive departments and agencies must provide risk-management reports — some of which may be classified — to Homeland Security and the Office of Management and Budget detailing how they manage cyber-risks, what changes they plan to make, and what cybersecurity risks they’re willing to accept.
According to the order, agencies must also adopt the National Institute of Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity, first issued in 2014, to manage cybersecurity risk.
“The executive branch has for too long accepted antiquated and difficult–to-defend IT,” the order said.
“Known but unmitigated vulnerabilities are among the highest cybersecurity risks faced by executive departments and agencies (agencies),” it added. “Known vulnerabilities include using operating systems or hardware beyond the vendor’s support lifecycle, declining to implement a vendor’s security patch, or failing to execute security-specific configuration guidance.”
The order also requires several agencies to coordinate on a report of how the tech-modernization efforts would work legally, financially and from a policy perspective. Reports on reducing cyber-threats such as automated and distributed attacks (botnets), building international cooperation on cybersecurity and supporting the growth of the country’s cybersecurity workforce are also on the list.
In addition, the Secretary of Energy and the Secretary of Homeland Security must issue a report on the potential effects of cyber-related power outages and gaps in readiness for those events. The Defense Department, Homeland Security and the FBI are required to issue a report about cybersecurity risks facing military operations and defense supply chains.
Further, the Department of Homeland Security and the Secretary of Commerce must report on how well existing government policies and practices promote market transparency of cyber risk management in “critical infrastructure entities,” especially those that are publicly traded.
The NCUA said it is currently reviewing the executive order and had no comment on its implications for the agency. CUNA, however, appeared somewhat skeptical of the order’s requirements.
“CUNA generally supports the use of the framework as a tool for credit unions but is concerned that mandatory use by federal agencies could eventually lead to making it a mandatory standard for financial institutions,” it said in a statement. “It should not create additional requirements, nor should it apply a one-size-fits-all approach for credit unions to demonstrate readiness. CUNA also believes that, should regulators determine new or additional cybersecurity requirements are necessary, those should be incorporated into existing frameworks and guidance.”
American Bankers Association President and CEO Rob Nichols praised the executive order in a statement, saying it “will enhance the security of government systems and help protect our critical financial infrastructure — and ultimately bank customers — through enhanced information sharing and greater cross-industry collaboration.”
“The financial services industry is committed to help protect our country’s critical sectors and economic security. America’s banks will continue to work closely with the White House, Congress and others to establish clear lines of public-private communication, while avoiding inconsistent or duplicative regulation that might undermine our efforts to protect banks and the customers they serve,” he added.
Kenneth E. Bentsen, Jr., who is president and CEO of the Securities Industry and Financial Markets Association (SIFMA) also applauded the executive order.
“We commend the Administration for its focus on the critically important issue of cybersecurity. Improving both the government’s and the private sector’s ability to defend against cyberattacks is a top priority for the financial services industry,” he said in a statement issued yesterday.
“The Administration’s Executive Order is a positive step forward for enhancing the cyber defense capability of the government, but we urge those agencies and departments not directly covered by this action to adopt these policies to better protect Americans,” he added.
