Nipp Ssp Banking

Apr 05, 2018
7/31/2019 Nipp Ssp Banking

Banking and Finance
Critical Infrastructure and Key Resources
Sector-Specific Plan as input to the
National Infrastructure Protection Plan

May 2007

Banking and Finance Government Coordinating Council Letter of Support


Table of Contents

Executive Summary
1. Sector Profile and Goals
2. Identify Assets, Systems, Networks, and Functions
3. Assess Risks
4. Prioritize Infrastructure
5. Develop and Implement Protective Programs
6. Measure Progress
7. CI/KR Protection Research & Development (R&D)
8. Managing and Coordinating SSA Responsibilities

Introduction

1. Sector Profile and Goals
1.1 Sector Profile
1.1.1 Deposit, Consumer Credit, and Payment Systems Products
1.1.2 Credit and Liquidity Products
1.1.3 Investment Products
1.1.4 Risk-Transfer Products (Including Insurance)
1.1.5 Federal and Self-Regulation of Financial Services Firms
1.1.6 State Regulation of Financial Services Firms
1.2 Security Partners
1.2.1 Relationships with Federal and State Regulators and Related Associations
1.2.2 Relationships with Private Sector Owner/Operators and Organizations
1.3 Sector Security Goals
1.4 Value Proposition

2. Identify Assets, Systems, Networks, and Functions
2.1 Defining Information Parameters
2.2 Collecting Infrastructure Information
2.2.1 Deposit and Payment System Products
2.2.2 Credit and Liquidity Products
2.2.3 Investment Products
2.2.4 Risk-Transfer Products

2.2.5 Collecting Asset Data
2.3 Verifying Infrastructure Information
2.4 Updating Infrastructure Information

3. Assess Risks
3.1 Use of Risk Assessment in the Sector
3.2 Screening Infrastructure
3.3 Assessing Consequences
3.4 Assessing Vulnerabilities
3.5 Assessing Threats

4. Prioritize Infrastructure

5. Develop and Implement Protective Programs
5.1 Overview of Sector Protective Programs
5.2 Determining Protective Program Needs
5.3 Protective Program Implementation
Going Forward
5.4 Protective Program Performance

6. Measure Progress
6.1 CI/KR Performance Measurement
6.1.1 Developing Sector-Specific Metrics
6.1.2 Information Collection and Verification
6.1.3 Reporting
6.2 Implementation Actions
6.3 Challenges and Continuous Improvement

7. CI/KR Protection R&D
7.1 Overview of Sector R&D
7.2 Sector R&D Requirements
7.3 Sector R&D Plan
7.4 R&D Management Processes

8. Manage and Coordinate SSA Responsibilities
8.1 Program Management Approach
8.2 Process and Responsibilities
8.2.1 SSP Maintenance and Update
8.2.2 Annual Reporting
8.2.3 Training and Education
8.3 Implementing the Sector Partnership Model
8.4 Information Sharing and Protection

Appendix 1: List of Acronyms and Abbreviations
Appendix 2: Statutory Authorities
Federal Regulators
State Regulators
Guidance and Key Documents: Federal Regulators
Guidance and Key Documents: State Regulators
Appendix 3: FSSCC Research and Development Agenda

List of Figures
Figure E-1. Vision Statement for the Banking and Finance Sector
Figure 1-1. FBIIC Members
Figure 1-2. FSSCC Members
Figure 1-3. Regional Partnerships
Figure 1-4. Locations of Regional Partnerships
Figure 1-5. Vision Statement for the Banking and Finance Sector
Figure 2-1. Vulnerability Assessment Methodology
Figure 3-1. Vulnerability Assessment Methodology
Figure 3-2. Dependent Relationships
Figure 4-1. Vulnerability Assessment Methodology
Figure 5-1. Vulnerability Assessment Methodology
Figure 6-1. Vulnerability Assessment Methodology
Figure 8-1. Information Flow

List of Tables
Table 6-1. Implementation Actions
Table A-1. Comparison Matrix: FSSCC R&D Challenges vs. NIPP R&D Themes
Executive Summary

The Banking and Finance Sector accounts for more than 8 percent of the U.S. annual gross domestic product and is the backbone for the world economy. As direct attacks and public statements by terrorist organizations demonstrate, the sector is a high-value and symbolic target. Additionally, large-scale power outages, recent natural disasters, and a possible flu pandemic demonstrate the wide range of potential threats facing the sector. With this understanding, financial regulators and private sector owners and operators work collaboratively to maintain a high degree of resilience in the face of a myriad of potential disasters, be they intentional or unintentional, manmade or natural. This collaboration has led to a comprehensive framework for a strong public-private sector partnership. This partnership has developed several programs that currently provide protection and crisis management, which are continuously improving.

Working through this public-private partnership, the Department of the Treasury, as the Sector-Specific Agency (SSA) for the Banking and Finance Sector, has developed this Sector-Specific Plan (SSP) in close collaboration with the Financial and Banking Information Infrastructure Committee (FBIIC) and the Financial Services Sector Coordinating Council for Critical Infrastructure Protection and Homeland Security (FSSCC). This SSP, along with the SSPs from the 16 other critical infrastructures identified in Homeland Security Presidential Directive 7 (HSPD-7), is part of the overall National Infrastructure Protection Plan (NIPP). This SSP contains the Banking and Finance Sector's strategy for working collaboratively with public and private sector partners to identify, prioritize, and coordinate the protection of critical infrastructure. This SSP also summarizes the extensive activities the sector has undertaken already to reduce vulnerabilities and share information.

1. Sector Profile and Goals

The Banking and Finance SSP provides a description of the complex nature of the sector and an overview of the sector's provision of products and services, which are: (1) deposit, consumer credit, and payment systems; (2) credit and liquidity products; (3) investment products; and (4) risk-transfer products (including insurance).

Essential to this sector overview is a description of the Federal and State regulatory authorities as well as self-regulatory organizations. The Banking and Finance Sector is highly regulated with regulators providing oversight and, in some cases, guidance to and examinations of the financial institutions within their statutory purview. The financial regulators work together through the FBIIC to coordinate efforts with respect to critical infrastructure protection issues. In October 2001, the President established the FBIIC. The President's Working Group on Financial Markets currently sponsors the FBIIC, which is chaired by the Treasury Department's Assistant Secretary for Financial Institutions.

The private sector pillar of the security partnership is organized through the FSSCC, the Financial Services Information Sharing and Analysis Center (FS-ISAC), and the regional coalitions, which all promote voluntary information sharing efforts throughout the sector. The FSSCC membership is comprised of individual institutions, trade associations, and regional coalitions.

Collectively, its members control the majority of assets of the financial services sector. The FS-ISAC is the operational arm of the FSSCC, sharing specific information pertaining to physical and cyber threats, vulnerabilities, incidents, and potential protective measures and practices. The regional coalitions work to build relationships and share information among financial institutions and first responders, emergency management, and officials at the local level.

The public and private sectors share the following vision statement:

Vision Statement for the Banking and Finance Sector

To continue to improve the resilience and availability of financial services, the Banking and Finance Sector will work through its public-private partnership to address the evolving nature of threats and the risks posed by the sector's dependency upon other critical sectors.

To meet this shared vision, the Banking and Finance Sector has three primary goals. As with all endeavors focused primarily on security, the goals form a triad of prevention, detection, and correction of harm:

1. To maintain its strong position of resilience, risk management, and redundant systems in the face of a myriad of intentional, unintentional, manmade, and natural threats;

2. To address and manage the risks posed by the dependency of the sector on the Communications, Information Technology, Energy, and Transportation sectors; and

3. To work with the law enforcement community, the private sector, and our international counterparts to increase the amount of available resources dedicated to tracking and catching criminals responsible for crimes against the sector, including cyber attacks and other electronic crimes.

The Banking and Finance Sector's efforts are supported by strong value propositions that address voluntary collaboration for both the public and private sectors. For the financial regulators, voluntary programs provide unique insights into sector-wide resilience efforts and allow for important information-sharing and risk management procedures outside traditional regulatory discussions and processes. These efforts provide a means for addressing dynamic risks through voluntary collaboration rather than solely through regulation.

For the private sector, the voluntary collaborative efforts provide institutions with the opportunity to gain unique insight into their regulators' perspectives and priorities. Most importantly, the private sector participates in voluntary efforts because of the concrete value they provide to their companies and, in turn, their customers.

2. Identify Assets, Systems, Networks, and Functions

The products offered by the Banking and Finance Sector are largely intangible. Thus, efforts to identify assets are largely focused on critical processes rather than physical assets. The FBIIC agencies, through their oversight authority and being shaped by 217 years of experience, obtain a vast amount of information on institutions, critical assets, and processes. These data are verified and updated through the continual process of regulatory examinations and mandated reporting.

3. Assess Risks

Risk assessments are a long-standing practice within the Banking and Finance Sector and accepted by both the regulators and the private sector. The Treasury Department and the FBIIC agencies meet continually with financial institutions to determine whether any new assets are critical to the operations of the sector and thus require special attention regarding potential vulnerabilities.

The Banking and Finance Sector assesses consequences based on whether the loss or impairment of an asset or process would impact the sector's ability to operate in an orderly and efficient manner. The sector participants also consider the potential impact on the public's confidence in the financial system as a whole. Through vulnerability assessments, the sector has determined that some of its greatest challenges are its dependency on telecommunications, the power grid, information technology, and transportation. Along with understanding vulnerabilities, the Banking and Finance Sector integrates threat analysis into its protective programs and shares threat information through the FBIIC and the FSSCC as necessary.

4. Prioritize Infrastructure

The Treasury Department, in conjunction with the FBIIC agencies and the private sector, identifies and prioritizes key infrastructures and updates this list annually. This prioritization is based on the impact to the orderly and efficient operation of the sector and public confidence if the infrastructure were no longer able to operate or were impaired. Factors for prioritization include: the degree of dependence on the asset; the presence or absence of alternatives to the infrastructure; the public need for the services provided by the asset; the potential impact of disruption to the financial system; and the potential impacts on the economy resulting from a cascading disruption of other critical infrastructures and key resources.

5. Develop and Implement Protective Programs

Both the public and private sectors have key roles to play in implementing protective programs. Through direct mandates and regulatory authority, financial regulators have specific regulatory tools that they may implement in response to a crisis. Additionally, the Treasury Department, along with the FBIIC agencies, the members of the FSSCC, the FS-ISAC, and the regional coalitions, have developed and begun implementing numerous protective programs to meet the stated security goals. These protective programs range from developing and testing robust emergency communication protocols to conducting and participating in a variety of exercises.

Successful programs already have been implemented, including sector-specific crisis communication facilities for events in progress, coordination of regional resources to mitigate known physical security threats, and coordination between regulatory and private sector organizations for pandemic planning. Protective programs still in progress include building formal information-sharing networks, subscribing to warning and alert systems, conducting targeted outreach, supporting the development of regional coalitions, and reaching out to other sector coordinating councils and law enforcement.

6. Measure Progress

The Treasury Department is working with our public and private sector partners to develop sector-specific metrics aligned with the sector security goals. The process for developing these metrics will incorporate collaboration and insights from sector participants, regulators, as well as other sectors' government and sector coordinating councils as appropriate. These include processes for developing metrics to address vulnerabilities stemming from gaps in sector dependencies, continuous improvement to the information-sharing framework, and unique challenges posed by cyber crime. The Treasury Department will coordinate with the FBIIC agencies and the FSSCC to validate, update, and implement these metrics.

Due to its complexity, measurements of the resilience efforts in the Banking and Finance Sector are difficult to quantify using standard business measurements. Therefore, a one-size-fits-all approach would be inapplicable to all aspects of the sector and also would weaken creativity and vitality in the sector, which would harm the Nation's economy overall.

7. CI/KR Protection Research & Development (R&D)

In 2006, the FSSCC formed an R&D Committee to develop plans and programs that would provide the most benefit to the specific critical infrastructure and key resources (CI/KR) requirements of the financial services sector. The R&D Committee has identified eight areas that present significant issues to the ability of the Banking and Finance Sector to meet its challenges: (1) Secure Financial Transaction Protocol (SFTP); (2) Resilient Financial Transaction System (RFTS); (3) enrollment and identity credential management; (4) suggested practices and standards; (5) understanding and avoiding the insider threat; (6) financial information tracing and policy enforcement; (7) testing; and (8) standards for measuring return on investment of critical infrastructure protection and security technology.

Accordingly, the R&D Committee views the following three themes to have the greatest impact to the financial services sector in terms of R&D projects: (1) protection and prevention systems; (2) advanced infrastructure architecture; and (3) human and social issues.

8. Managing and Coordinating SSA Responsibilities

The Secretary of the Treasury designated the Assistant Secretary for Financial Institutions as the Treasury official with the responsibility for carrying out the Treasury's duties as the SSA for the Banking and Finance Sector. The Assistant Secretary designated the Office of Critical Infrastructure Protection and Compliance Policy (OCIP) to provide the necessary functions on a daily basis. As such, the OCIP is the lead for all SSP activities and will continue to work with the FBIIC agencies and the FSSCC to coordinate any necessary updates and implementation efforts in conjunction with the triennial review of the National Infrastructure Protection Plan (NIPP) Base Plan.

Additionally, the Treasury Department will work with the FBIIC agencies and the FSSCC to provide any necessary training on the SSP, as well as training and education on business continuity, information sharing, emergency response protocols, and cross-sector dependencies.

Fortunately for the Banking and Finance Sector, a robust public-private sector partnership is already in place. The Treasury Department will continue to facilitate this partnership through our daily activities, outreach efforts, sponsoring of exercises, and through regularly scheduled meetings with the FBIIC and the FSSCC. The Treasury Department will continue to support and facilitate information-sharing efforts through the FBIIC, the FSSCC, the FS-ISAC, and regional coalitions.

Introduction

According to Homeland Security Presidential Directive 7 (HSPD-7),[1] signed by the President on December 17, 2003, the Department of the Treasury, as the Sector-Specific Agency (SSA) for the Banking and Finance Sector, is required to develop a Sector-Specific Plan (SSP) for critical infrastructure protection. This SSP provides the Banking and Finance Sector's strategy for working collaboratively with public and private sector partners to identify, prioritize, and coordinate the protection of critical infrastructure. This SSP also summarizes the extensive activities the sector has already undertaken to reduce vulnerabilities and share information.

The Banking and Finance SSP is part of the overall National Infrastructure Protection Plan (NIPP). As such, the Banking and Finance SSP conforms to the guidance provided by the Department of Homeland Security so that the Banking and Finance SSP may be included in the NIPP. The NIPP provides the structure for integration of this SSP and the SSPs of the other 16 critical infrastructures and key resources identified in HSPD-7, thereby bringing together the efforts of these sectors into a single national program.

[1] Homeland Security Presidential Directive 7 (HSPD-7), December 17, 2003, www.whitehouse.gov/news/releases/2003/12/20031217-5.html.

1. Sector Profile and Goals

The United States financial services sector is the backbone of the world economy. With assets estimated to be in excess of $48 trillion,[2] this large and diverse sector accounted for more than $900 billion in 2005 or 8.1 percent of the United States gross domestic product (GDP).[3] Descriptions of the sector's profile and goals necessarily include the diversity of its institutions and the services they provide. Most important to this profile is the understanding that the financial services sector is primarily owned and operated by the private sector whose institutions are extensively regulated by Federal and, in many cases, State government. In addition to these public sector entities, self-regulatory organizations (SROs), such as the Municipal Securities Rulemaking Board (MSRB), NASD, and the National Futures Association (NFA), and exchanges, such as the Chicago Mercantile Exchange (CME), the New York Stock Exchange (NYSE), and designated futures exchanges also play an important role in industry oversight.

The financial services sector is complex and diverse. From the largest institutions with assets greater than one trillion dollars to the smallest community banks and credit unions, this diversity provides the ability for the sector as a whole to meet the needs of its large and diverse customer base. Whether it is an individual savings account, financial derivatives, credit extended to a large corporation, or investments made by a foreign country, financial institutions provide a broad array of products. These products: (1) allow customers to deposit funds and make payments to other parties (more than $12 trillion in assets);[4] (2) provide credit and liquidity to customers (more than $14 trillion in assets); (3) allow customers to invest funds for both long and short periods (more than $18 trillion in assets); and (4) transfer financial risks between customers (more than $6 trillion in assets).[5]

Despite this diversity, a unifying mission of the U.S. financial sector is to ensure the continued efficiency in and continuity of the sector and its institutions. Through the extensive regulatory regime and formalized information-sharing organizations detailed in this plan, the sector has wide-ranging transparency and accountability, which ensures an orderly and efficient financial system that serves a broad range of needs for both investors and consumers. In turn, these factors create a sense of confidence that enables customers to entrust their assets to the care of financial institutions and to avail themselves of credit and liquidity.

As this plan details, today's U.S. financial regulatory regime consists of both Federal and State agencies, whose oversight assists in ensuring the integrity of individual institutions and the overall U.S. financial system. Working together, the public and private sectors encourage a highly competitive market where identifying and managing a myriad of financial and non-financial risks is essential to success. Through numerous laws enacted by Congress over the past 150 years, Federal financial regulators have implemented a complex regime that in many instances provides for examinations of institutions' operational, financial, and technological systems. These examinations are designed to determine the extent to which the institution has identified its financial and non-financial risks, such as information technology infrastructures, and to evaluate the adequacy of controls and applicable risk management practices at the institution.

[2] www.financialservicesfacts.org/financial2/today/assets.
[3] GDP in 2005, www.bea.gov/bea/dn2/gdpbyind_data.htm.
[4] www.fdic.gov/bank/statistical/stats/2e05dec/industry.html.
[5] www.federalreserve.gov/releases/Z1/20060309/Coded/coded-4.pdf.

Additionally, financial regulators update guidance to financial institutions regularly. This guidance assists the sector in staying abreast of the evolving nature of both financial and non-financial risks. Financial risk guidance addresses a variety of issues including credit risk, reinvestment risk, interest rate risk, currency risk, and others. Guidance on non-financial risks addresses potential means for increasing risk management and resilience in the face of potential impacts that may result from a terrorist attack, natural disaster, or other incident. To the extent possible, these regulators have identified critical vulnerabilities, whether they are financial or operational, including Internet and information technology vulnerabilities. (See appendix 2 for a list of statutory authorities and examples of regulators' examination tools and guidance.)

Furthering the Nation's ability to respond appropriately to and manage terrorism-related risks, the President issued Homeland Security Presidential Directive 7 (HSPD-7). Among its primary objectives, HSPD-7 designates SSAs to lead collaborative efforts for the critical infrastructures. The Treasury Department is the SSA for the Banking and Finance Sector. As the SSA, the Treasury Department works with all relevant Federal departments and agencies, State, local and tribal governments, and the private sector, including key persons and entities in the financial services sector, to coordinate efforts to improve the sector's ability to prepare, respond, prevent, and mitigate against terrorism, natural disasters, and other intentional or unintentional risks.

The Treasury Assistant Secretary for Financial Institutions implements the Treasury Department's responsibilities under HSPD-7. As part of fulfilling the responsibilities outlined in HSPD-7, the Assistant Secretary chairs the Financial and Banking Information Infrastructure Committee (FBIIC). The FBIIC is the working group comprised of the Federal financial regulators and agencies and State financial regulatory trade associations. Through the FBIIC, the Assistant Secretary coordinates certain policies, procedures and responses to crises for the Federal and State financial regulators. (See section 1.2 for further details.)

To meet objectives set forth by HSPD-7 for collaboration with the private sector, the Treasury Department also works closely with the Financial Services Sector Coordinating Council for Critical Infrastructure Protection and Homeland Security (FSSCC). The FSSCC serves as the primary means for public-private sector collaboration and coordination. Members of the FSSCC include trade associations and financial institutions from all components of the private sector. Furthermore, the Secretary of the Treasury designates the private sector coordinator who, as a matter of practice, has been selected by the financial services industry to serve as the chair of the FSSCC. (See section 1.2 for further details.)

Along with the FSSCC, the Treasury Department supports the Financial Services Information Sharing and Analysis Center (FS-ISAC) and provides ongoing support of regional coalitions. (See section 1.2 for further details.)

1.1 Sector Profile

The Banking and Finance Sector is a service-based industry providing a wide variety of financial services in the United States, and many such services throughout the world. These services range from the simple cashing of a check to highly complex arrangements that facilitate the transferring of financial risks. Financial institutions are organized and regulated based on the services the institutions provide. Therefore, the sector profile is best described by defining the services offered. These categories include: (1) deposit and payment systems and products; (2) credit and liquidity products; (3) investment products; and (4) risk-transfer products.

    With more than 17,000 depository institutions,6 15,000 providers o various investment products,7 more than 8,500 providers

    o risk-transer products,8 and many thousands o credit and nancing organizations, the nancial services sector is both large

    in assets and in the number o individual businesses.

    1.1.1 Deposit, Consumer Credit, and Payment Systems Products

    Depository institutions o all types (banks, thrits, and credit unions) are the primary providers o wholesale and retail pay-ments services, such as wire transers, checking accounts, and credit and debit cards. These institutions use and/or operate the

    payments inrastructure, which includes electronic large value transer systems, Automated Clearinghouses (ACH), and auto-

    mated teller machines (ATM). These institutions are the primary point o contact with the sector or many individual custom-

    ers. Additionally, these institutions may be Federal or State-chartered banks or credit unions; however, in most instances, the

    Federal nancial regulators have at least some authority over these institutions.

Along with the aforementioned payment systems, these depository institutions provide customers with various forms of extensions of credit, such as mortgages and home equity loans; collateralized and uncollateralized loans; and lines of credit, including credit cards. Consumers have multiple ways of accessing these services. For example, customers can make deposits in person at a depository institution's branch office, through the mail, at an ATM, or via direct deposit using ACH transactions. Customers can make withdrawals at a branch office, at an ATM, or by using a debit card or check. Customers also can access credit lines through other retail banking services using the telephone or the Internet. In the United States, customers typically have deposit, checking, and loan accounts with more than one depository institution. The average household may have up to 18 account relationships spread among 12 financial institutions.9

    1.1.2 Credit and Liquidity Products

Customers seek liquidity and credit for a wide variety of needs. For example, individuals may seek a mortgage to purchase a home, businesses may obtain a line of credit to expand their operations, and governments may issue sovereign debt obligations. Many financial institutions, such as depository institutions, finance and lending firms, securities firms, and Government-Sponsored Enterprises (GSE), meet customers' long- and short-term needs through a multitude of financial products. Some of these entities provide credit directly to the end customer, while others do so indirectly by providing wholesale liquidity to those financial services firms that provide these services on a retail basis.

Essential to the credit and liquidity market is the assurance that these products are available with integrity and fairness. The law provides for consumer protections against fraud involving these products, as well as certain other consumer protections, many of which are tied directly to the specific type of credit and liquidity product. Furthermore, credit and liquidity products are governed by a complex body of laws. These laws include Federal and State securities laws, banking laws, and laws that are tailored to the specifics of a particular class of lending activity.

    1.1.3 Investment Products

A strong investment environment is essential to the growth of the U.S. economy. Moreover, the diversity of investment service providers and products ensures that U.S. financial markets are the best in the world. These products provide opportunities for both short- or long-term investments and include debt securities (such as bonds and bond mutual funds), equities (such as stocks or stock mutual funds), and derivatives (such as options and futures). Securities firms, depository institutions, pension funds, and GSEs all offer financial products that are used for investing needs. These investment products are issued and traded in various organized markets, from physical trading floors to electronic markets. Certain securities (U.S. Treasuries and the equities of some multinational companies) are traded around the globe 24 hours a day. The Treasury, the Securities and Exchange Commission (SEC), the Commodity Futures Trading Commission (CFTC), banking regulators, and insurance regulators all provide financial regulation for certain investment products. The SEC and CFTC have legally designated SROs. Notably, the SEC has the power to delegate authority to its SROs, the national stock exchanges and NASD, to enforce certain industry standards and requirements related to securities trading and brokerage. Similarly, the CFTC oversees the designated futures exchanges and the industry SRO, the NFA, which have regulatory authority to enforce industry standards and requirements related to futures trading and participants. These regulatory requirements are directed toward consumer protection, fair and orderly markets, and the ongoing capability of financial services firms to meet their financial obligations.

6 www2.fdic.gov/sod/sodSumReport.asp?barItem=3&sInfoAsOf=2006 and www.ncua.gov/data/FOIA/foia.html.

7 www.icifactbook.org/06_b_sec1.html.

8 National Association of Insurance Commissioners, 00 Insurance Department Resources Report, p. 46.

9 Sheshunoff Bank Profit Improvement Manual.

1.1.4 Risk-Transfer Products (Including Insurance)

The transfer of financial risks, such as the financial loss due to theft or the destruction of physical or electronic property resulting from a fire, cyber attack, or other loss event, or the loss of income due to a death or disability in a family, is an important tool for the sustainability of businesses and economic vitality of individuals and their families. A wide variety of financial institutions provide risk-transference products to meet this market need.

The U.S. market for financial risk-transfer products is among the largest in the world, measuring in the trillions of dollars. These products range from straightforward to exceedingly complex. For example, insurance companies, futures firms, and forwards participants offer financial products that allow customers to transfer various types of financial risks under a myriad of circumstances. Marketplace efficiency often requires that market participants engage in both financial investments as well as in financial risk transfers that enable risk hedging. Financial derivatives, including futures and security derivatives, can provide both of these functions for market participants.

1.1.5 Federal and Self-Regulation of Financial Services Firms

All financial services firms are subject to the discipline of the financial market, and these markets have strong, though often informal, market discipline and self-regulation. Many of these financial firms are subject to additional governmental and legally mandated regulation and self-regulation. Such regulation is designed to provide reasonable assurance that consumers are protected and that the financial services firm is able to meet its financial obligations on an ongoing basis.

1.1.6 State Regulation of Financial Services Firms

Some financial services may be regulated at both the Federal and State levels. Insurance services are unique in that they are primarily regulated by States. Under the McCarran-Ferguson Act of 1945,10 Congress affirmed the exclusive right of the States to regulate the insurance industry. Except for a few Federal laws and regulations, State insurance commissioners generally have regulatory authority over all aspects of a firm's business, including rates and terms of policies, qualifications for licensing, market conduct, and financial structures and practices. (See appendix 2 for a listing of State statutory authorities.)

The chief insurance regulatory officials from each State collaborate through the National Association of Insurance Commissioners (NAIC). The NAIC is a member of the FBIIC. Many of the State insurance regulators review the disaster response and business continuity plans of insurers and conduct periodic examinations of these plans. Some States, such as New York, also are doing stress-testing of insurer plans following an event. This helps regulators be certain that the insurers are ready to serve their policyholders when disaster strikes. The NAIC developed a handbook for State insurance regulatory response to disasters entitled The State Disaster Response Plan.

10 15 U.S.C. 1011 et seq.


In addition to the insurance industry, State agencies regulate State-chartered banks, thrifts, and credit unions. Membership in the Federal Reserve System is optional for State-chartered banks, but all of the banks are insured by the Federal Deposit Insurance Corporation (FDIC). The Office of Thrift Supervision (OTS) also regulates State-chartered savings associations with FDIC insured deposits. The National Credit Union Administration (NCUA) may regulate State-chartered credit unions that have Federal deposit insurance. State agencies also regulate the purchase and sale of securities and the provision of investment advice regarding securities.

    1.2 Security Partners

As the SSA for the Banking and Finance Sector, the Treasury Department recognizes the vital role of both the financial regulators and the private sector. These regulators and the private sector are committed to the Banking and Finance Sector's security partnership. Working collaboratively, this partnership achieves its security goals and addresses the evolving nature of the sector and its potential risks.

The Treasury Department has formalized the collaboration of the sector's regulators, associations, and individual market participants through the FBIIC, the FSSCC, and the FS-ISAC, as well as an increasing number of regional coalitions. These organizations are the recognized structures through which public and private financial services sector participants: (1) share information both at the national and local levels; (2) assess and mitigate sector-wide risks; (3) develop and maintain key relationships; (4) conduct periodic testing of emergency protocols to be used during times of crisis; (5) establish research priorities; (6) organize and conduct exercises; and (7) act as a focal point for information sharing between the public and private sectors.

Furthermore, the Treasury Department works closely with the Department of Homeland Security (DHS) to meet the sector's security objectives. As a member of various key working groups led by DHS, the Treasury Department apprises DHS of situational priorities and remains fully engaged with DHS. Some of these working groups include the Information Technology Government Coordinating Council, the Emergency Support Function Leader Group, the Homeland Security Integrated Intelligence Board Task Force, the Infosec Research Council, the National Cyber Response Coordination Group, the Strategic Homeland Infrastructure Risk Assessment, and the Cyber Security and Information Assurance.

    1.2.1 Relationships with Federal and State Regulators and Related Associations

In October 2001, the President established the FBIIC.11 The President's Working Group on Financial Markets currently sponsors the FBIIC, which is chaired by the Treasury Department's Assistant Secretary for Financial Institutions. The FBIIC's role is to coordinate the efforts of Federal and State financial regulators with respect to critical infrastructure issues, including preparation for and response to cyber or physical attacks against the financial system or indirect attacks or events that may impact the sector. The FBIIC's membership includes experienced regulators from the following agencies and associations:

11 Executive Order 13231, 66 Federal Register (FR) 53063 (2001).


    Figure 1-1: FBIIC Members


    Commodity Futures Trading Commission (CFTC)

    Conference of State Bank Supervisors (CSBS)

    Farm Credit Administration (FCA)

    Federal Deposit Insurance Corporation (FDIC)

    Federal Housing Finance Board (FHFB)

    Federal Reserve Bank of New York

    Federal Reserve Board (FRB)

    National Association of Insurance Commissioners (NAIC)

    National Association of State Credit Union Supervisors

    Office of the Comptroller of the Currency (OCC)

    Office of Federal Housing Enterprise Oversight (OFHEO)

    Office of Thrift Supervision (OTS)

    Securities and Exchange Commission (SEC)

    Securities Investor Protection Corporation (SIPC)

    The Homeland Security Council

    U.S. Department of the Treasury


These agencies have regulatory authority over different sections of the financial services sector and currently address infrastructure protection issues through routine regulatory interactions.

In fulfilling its mission, the FBIIC:

• Identifies critical infrastructure assets and their locations, and prioritizes their importance to the financial system;
• Establishes secure communications capability and protocols for communicating during an emergency among the financial regulators;
• Ensures that sufficient staff exist at each member agency with appropriate security clearances to handle classified information and coordinate in the event of an emergency;
• Encourages the private sector to conduct voluntary testing to improve emergency preparedness of critical financial institutions;
• Identifies the critical interdependencies of the Banking and Finance Sector with the Energy, Transportation, Communications and Information Technology sectors; and
• Promotes information sharing among and between the Federal, State, local, and tribal authorities, as well as the private sector.

The Treasury Department also works with Federal, State, local, and tribal law enforcement, including DHS and the Department of Justice (DOJ). Areas in which collaborative initiatives are being undertaken include the following:

• Fighting financial crimes, such as fraud and identity theft, and cyber crimes, such as phishing, directed at financial institutions;12
• Providing protective-response planning exercises designed to protect key assets and critical infrastructures and create a response plan that incorporates State, local, and tribal law enforcement; and
• Enhancing communications and coordination across the sector.

As noted previously, these agencies have extensive means to identify, assess, and assist with mitigating risks at the institutions within their legal purview. (See appendix 2, Public Sector Regulatory Tools, Guidance, and Reports, for specific examples from these agencies.) Specifically, these agencies' authority includes, but is not limited to, the following components of the financial sector markets:

• The Bureau of the Public Debt administers the auction rules for Treasury marketable securities and the Government Securities Act regulations for participants in the secondary market for U.S. Government securities;
• The CFTC regulates futures commission merchants, introducing brokers, commodity trading advisors, commodity pool operators, futures markets, and derivatives clearing organizations. This is done in conjunction with exchanges such as the CME and the New York Mercantile Exchange, and the industry SRO, the NFA;
• The CSBS members regulate State-chartered banks;
• The FCA regulates the Farm Credit System;
• The FDIC regulates State-chartered banks that are not members of the Federal Reserve System and insured State branches of foreign banks;
• The FHFB regulates the Federal Home Loan Banks;
• The FRB regulates financial and bank holding companies and State-chartered member banks within the Federal Reserve System;
• The NAIC assists State insurance regulators in achieving their goals;
• Members of the North American Securities Administrators Association represent State securities regulators;
• The NCUA regulates Federally chartered credit unions and shares some supervision responsibility with the State Supervisory Authorities for the Federally insured State-chartered credit unions;
• The OCC regulates national banks and the Federal branches and agencies of foreign banks;
• The OFHEO regulates Fannie Mae and Freddie Mac;
• The OTS regulates savings associations and savings and loan holding companies;
• The SEC regulates investment companies, investment advisors, broker-dealers, transfer agents, securities markets, and securities clearing organizations. This is done in conjunction with SROs such as MSRB, NASD, and NYSE;
• State insurance commissioners regulate insurance companies and producers; and
• The Treasury Department develops the Administration's economic and financial services sector policies.

12 Phishing is a fraudulent scheme where an e-mail directs its recipients to Web sites where they are asked to provide confidential personal or financial information. Reports of phishing attacks rose dramatically in the last year.

    1.2.2 Relationships with Private Sector Owner/Operators and Organizations

The Treasury Department has formed a strong bond with the private sector through the FSSCC, the FS-ISAC, and the regional coalitions. Members of these private sector organizations include depository and lending institutions, as well as exchanges, trade associations, and other organizations within the sector. The Treasury Department also consults individually with these institutions on the development or implementation of various policies, such as enhancing the sector's resilience.

    FSSCC

Under the auspices of the FBIIC, the Treasury facilitated the creation of the FSSCC in June 2002 as the private sector arm of its protection strategy. The Treasury Department designates the Sector Coordinator for the Banking and Finance Sector, who, as a matter of practice, is chosen by the FSSCC to be the chair of the FSSCC. The FSSCC, whose membership represents the sector through financial trade associations and organizations, fosters and facilitates the coordination of sector-wide financial services voluntary initiatives to improve critical infrastructure protection and homeland security. The organizations comprising the FSSCC hold the majority of the assets of the financial services sector and include financial institutions, trade associations, and regional partnerships. The FSSCC's success is due to the strong commitment of its members and the significant time contribution by high-level executives who are focused on problem solving and driven by achievable outcomes. The following institutions and organizations are members of the FSSCC:


    Figure 1-2: FSSCC Members

America's Community Bankers

    American Bankers Association

    American Council of Life Insurers

    American Society for Industrial Security International

    BAI

    BITS/The Financial Services Roundtable

    ChicagoFIRST

    Chicago Mercantile Exchange

    CLS Group

    Consumer Bankers Association

    Credit Union National Association

    Fannie Mae

    Financial Information Forum

Financial Services Information Sharing and Analysis Center (FS-ISAC), LLC

    Financial Services Technology Consortium

    Futures Industry Association

    Independent Community Bankers of America

    Investment Company Institute

    Managed Funds Association

    NACHA - The Electronic Payments Association

    National Association of Federal Credit Unions

    National Futures Association

    New York Board of Trade

    Securities Industry Association

    Securities Industry Automation Corporation

    The Bond Market Association

    The Clearing House

    The Depository Trust & Clearing Corporation

    The NASDAQ Stock Market, Inc.

    The Options Clearing Corporation

    Visa USA & Visa International


The mission of the FSSCC is to:

• Provide broad industry representation for critical infrastructure protection and homeland security (CIP/HLS) and related matters for the financial services sector and for voluntary sector-wide partnership efforts;
• Foster and promote coordination and cooperation among participating sector constituencies on CIP/HLS-related activities and initiatives;
• Identify voluntary efforts where improvements in coordination can foster sector preparedness for CIP/HLS;
• Establish and promote broad sector activities and initiatives that improve CIP/HLS, such as addressing interdependencies among the financial and other sectors;
• Identify barriers and recommend initiatives to improve the sharing of information and knowledge among the financial services sector; and
• Improve sector awareness of CIP/HLS issues, sector activities/initiatives, and opportunities for improved coordination.

The Treasury Department also works with private sector institutions by conducting response planning exercises. These exercises, which in the past have included law enforcement, Government, and intelligence agencies, coordinate response and communication among Federal, State, local, and tribal first responders to specific institutions.

The joint successes of the FBIIC and the FSSCC include the following:

• Suggestions for financial institutions for different threat conditions under the Homeland Security Advisory System. This document was originally developed by FSSCC members BITS and Securities Industry Association (SIA);
• Exchange of information and best practices for critical infrastructure protection issues;
• Post-incident analysis of cyber attacks and other disruptive events, such as the Northeast Blackout of 2003 and Hurricane Katrina in 2005, to improve Government and private sector remediation and response;
• Development of an integrated set of crisis management calls and actions across the sector; and
• Several protective response exercises with the private sector to improve public and private emergency preparedness of critical financial institutions.

    FS-ISAC

The Treasury Department also works closely with the FS-ISAC,13 one of the oldest private information-sharing initiatives in the United States. The FS-ISAC was set up as the financial sector response to the requirements of Presidential Decision Directive 63 (Protecting America's Critical Infrastructures) in May 1998.

The mission of the FS-ISAC, in collaboration with the Treasury Department and the FSSCC, is to enhance the ability of the financial services sector to prepare for and respond to cyber and physical threats, vulnerabilities, and incidents, and to serve as the primary communications channel for the sector.

The FS-ISAC is the designated operational arm of the FSSCC and supports the protection of the U.S. financial services sector by providing assistance to both the FSSCC and the Treasury to identify, prioritize, and coordinate the protection of critical financial services, infrastructure services, and key resources; and to facilitate sharing of information pertaining to physical and cyber threats, vulnerabilities, incidents, and potential protective measures and practices.

The FS-ISAC has identified the following strategic objectives to accomplish its mission:

• Provide an effective forum for information sharing within the financial services sector, with other critical infrastructure and key resources (CI/KR) organizations, and with the U.S. Government;
• Identify critical financial services sector operational support issues and requirements and articulate those to the Treasury and DHS;
• Serve as the sector communications hub conveying timely and accurate cyber and physical threat information, and vulnerability and incident alerts to the membership;
• Serve as the sector communications hub during emergencies, through the delivery of rapid notifications and communication to and among the FS-ISAC and the FSSCC members;
• Identify and implement new services that add value to the membership and support the mission of the FS-ISAC; and
• Collaborate with the Treasury and the FSSCC to:
    • Foster awareness of the benefits of information sharing within the sector, among other CI/KR organizations, and within the Government;
    • Educate the financial services sector on key infrastructure protection issues, vulnerabilities, threats, risk management, and compliance issues; and
    • Coordinate with other public and private sector CI/KR organizations to ensure sector awareness and emergency preparedness.

13 As outlined in the National Strategy to Secure Cyberspace (February 2003), information sharing and analysis centers (ISACs) are the cornerstone of industry information sharing, www.whitehouse.gov/pcipb.

The FS-ISAC is also a member of the ISAC Council, which fosters collaboration and sharing of information with the other critical infrastructure sectors.

In 2003 and 2004, the Treasury Department acquired $2 million in services from the FS-ISAC, which had the added benefit of enhancing the FS-ISAC's capabilities. The enhanced FS-ISAC now has the capacity to better serve the financial services sector. The FS-ISAC integrates physical and cyber threat information and provides a state-of-the-art technology platform for the confidential exchange of information.

    Regional Partnerships

The resilience of the financial services sector is enhanced by efficient and effective collaborative efforts of sector participants. The FBIIC and the FSSCC form a public-private partnership at the national level, and they ably address CIP/HLS issues that cut across most, if not all, of the financial sector. However, natural and manmade disasters occur locally. Enhancing and maintaining the resilience of financial institutions in the face of a crisis thus depends upon the following:

• How well the business continuity and security plans of institutions incorporate emergency response and recovery measures of police, fire, and other local, State, and Federal participants in the regional emergency management sphere;
• How well the business continuity and security plans are informed by regional partners in the Communications, Information Technology, Transportation, and Energy sectors; and
• The development of information-sharing relationships with other financial institutions within each region.

The precursor of the first regional partnership was the SIA Business Continuity Committee formed in December 2001. This committee was an outgrowth of the New York-based coalition of large financial services firms known as SIBCMG (Securities Industry Business Continuity Management Group). The informal relationships established by this committee have enhanced the resilience of these firms and the Nation's securities markets.

More formal initiatives in other regions have followed the efforts in New York. For example, in 2003, ChicagoFIRST became the first formal regional partnership within the financial sector, and it has since been followed by numerous others. The composition of these organizations varies from the various financial charters within ChicagoFIRST and FloridaFIRST to the combination of financial and non-financial members of partnerships in Minneapolis and San Francisco.

The Treasury, the FBIIC, and the FSSCC have encouraged and supported regional partnerships. To aid this process, the Treasury, ChicagoFIRST and BITS, a FSSCC member, created a cookbook guide for establishing regional coalitions, Improving Business Continuity in the Financial Services Sector: A Model for Starting Regional Coalitions.14 In addition, Congress promoted the establishment of regional partnerships within the financial sector in the Intelligence Reform and Terrorism Prevention Act of 2004.15

Following the success of ChicagoFIRST and the subsequent promotion of the regional partnership concept, regional partnerships have formed in many areas of the country, including the following:

    Figure 1-3: Regional Partnerships


    Chicago (ChicagoFIRST)

    Miami (FloridaFIRST)

    Tampa (FloridaFIRST)

    San Francisco (Bay Area Response Coalition (BARC FIRST))

    Los Angeles (SoCalFIRST)

    Minneapolis (MN-ISAC and Minnesota Security Board)

    Birmingham (Alabama Recovery Coalition for the Financial Sector)

    Houston (HoustonFIRST)

In addition to these formally established partnerships, several other regions in the United States are aggressively pursuing the formation of such organizations in their region or State.

In 2006, in order to share best practices, assist one another, and plug into the existing national public/private partnership, these regional partnerships formed the Regional Partnership Council, called RPCFIRST. The organization meets quarterly and is developing a Web site.

14 www.treas.gov/press/releases/reports/chicagofirst_handbook.pdf.

15 www.gpoaccess.gov/serialset/creports/intel_reform.html.


Figure 1-4: Locations of Regional Partnerships (map; labels: BARC FIRST; MN-ISAC and Minnesota Security Board; ChicagoFIRST; FloridaFIRST; HoustonFIRST; Alabama Recovery Coalition for the Financial Sector; SoCal FIRST)

    1.3 Sector Security Goals

The Banking and Finance Sector is strong and resilient, with an infrastructure that is designed to respond quickly and appropriately to detect, deter, prevent, and mitigate physical and cyber-based intrusions, attacks, or other emergencies. This ability ensures the continuity and efficient operation of the sector's institutions, and thereby serves to strengthen public confidence in the U.S. economic system.

Vision Statement for the Banking and Finance Sector

To continue to improve the resilience and availability of financial services, the Banking and Finance Sector will work through its public-private partnership to address the evolving nature of threats and the risks posed by the sector's dependency upon other critical sectors.


The Banking and Finance Sector has three primary goals to achieve this vision statement. As with all endeavors focused primarily on security, the goals form a triad of prevention, detection, and correction of harm with the following objectives for the sector:

1. To maintain its strong position of resilience, risk management, and redundant systems, in the face of a myriad of intentional, unintentional, manmade, and natural threats;
2. To address and manage the risks posed by the dependence of the sector on the Communications, Information Technology, Energy, and Transportation sectors; and
3. To work with the law enforcement community, the private sector, and our international counterparts to increase the amount of available resources dedicated to tracking and catching criminals responsible for crimes against the sector, including cyber attacks and other electronic crimes.

The agencies are mindful of the risk that an unanticipated event, such as a terrorist attack, could occur in a manner that we have not seen before and for which we may not be completely prepared. Moreover, we live with the continuing threat of turbulent weather, which could severely damage the critical infrastructure and facilities of financial services firms. In addition, the financial services industry cannot fully protect against infrastructure disruptions of telecommunications, and it can provide only limited resilience against disruptions in other elements of the critical infrastructure, such as power, transportation, and water.16

    1.4 Value Proposition

The public and private sectors have equally compelling value propositions to support their voluntary participation in sector-wide resilience efforts, including this SSP.

For financial regulators, working collaboratively with the private sector furthers the important mission to promote the orderly and efficient operation of the financial services sector. While financial regulators enforce extensive regulation and conduct regular examinations of the institutions, voluntary collaboration with the private sector has proved to be an effective method to garner industry-wide participation in the identification of emerging and dynamic risks and preparation of response capabilities. Through information sharing, testing, and exercises, regulators are able to better understand sector-wide vulnerabilities and resilience. These efforts provide a means for addressing dynamic risks through voluntary collaboration rather than solely through regulation.

For private sector institutions and organizations, participation in voluntary collaborative efforts provides value in several ways. Working alongside the public sector provides unique insights into regulators' concerns, perspectives, and priorities. Through relationship building, information sharing, testing, and exercises, financial institutions are able to discuss matters outside of the normal regulatory framework. Most importantly, financial institutions and financial services organizations participate in these voluntary efforts because of the concrete value they provide to their companies and, in turn, their customers. Customers must have confidence in their financial institutions' ability to maintain orderly operations and to be highly resilient. Participating in these voluntary sector-wide efforts provides institutions with a better understanding of vulnerabilities within the sector as well as risks posed by its dependence on other sectors. Insights gained through voluntary collaboration assist financial institutions' efforts to tailor responses to manage their specific risk as well as sector-wide risk. In turn, the financial institutions are better able to meet their customers' demand for a high degree of resilience and reliability.

16 www.federalreserve.gov/boarddocs/rptcongress/soundpractices/soundpractices200604.pdf.


2. Identify Assets, Systems, Networks, and Functions

Essential to conducting a risk assessment of the Banking and Finance Sector is the awareness that the products of the financial services industry are not overwhelmingly physical in nature. Thus, identifying and assessing assets in the sector is focused largely on identifying critical processes based on the organization of the sector as described in chapter 1, and the institutions that either own and operate or participate in these processes, rather than focusing on physical assets.

    Figure 2-1: Vulnerability Assessment Methodology

Many institutions play important roles in the financial system. Identifying institutions that have systemically critical operational roles is relevant to ensuring their rapid recovery from a disruption of their critical functions, regardless of the cause. Identifying those institutions also is necessary for imposing appropriate business continuity planning and recovery standards and ensuring their compliance with those standards. After careful consideration, the Treasury Department and the FBIIC agencies have identified a small number of systemically critical institutions whose operations form the backbone of the financial system. All of the systemically critical institutions are subject to some form of Government oversight, and their resilience is a matter of keen interest. As technology and innovation advance the operations of financial services firms, the list of systemically critical institutions may evolve over time.

There are also institutions or groups of institutions that, while not systemically critical, play significant roles in critical financial markets. Consequences of disruption at these organizations would vary. For example, an operational disruption at the largest banks and firms with significant payment or market activities could be tolerated for a limited time, while disruptions at others may be tolerated for longer periods, especially if their operations could be shifted or performed by other market participants.

After September 11, 2001, the securities markets and several futures exchanges were closed until telecommunications and other services were restored to lower Manhattan. The fact that these markets and new transactions were affected for a short period of time did not result in significant damage to or loss of confidence in the U.S. financial system.

Diversity within the financial services sector and geographic dispersion of its institutions lend significant resilience to the Banking and Finance Sector. In addition to the systemically critical institutions described above, the U.S. financial system consists of many thousands of depository institutions, securities and futures firms, insurance companies, and other financial service companies, and supports a number of exchanges and over-the-counter markets, all of which provide a high degree of redundancy across the sector. The competitive structure of the financial industry and the breadth of the financial instruments provide a level of resiliency against attack and other types of physical or cyber disruptions. Accordingly, for purposes of determining systemic vulnerabilities, these institutions, while certainly important to the financial system, are not considered systemically critical.

2.1 Defining Information Parameters

The Banking and Finance Sector may be divided into several functions: deposit and payments systems; credit and liquidity products; investment products; and risk-transfer products. Various members of the FBIIC regulate each of these functions as outlined in section 1.1. The financial regulators, through their oversight authority, obtain a vast amount of information on institutions, critical assets and processes, and potential vulnerabilities. Sector-wide risk assessments are process-driven and address interdependence. Individual institutions also conduct their own risk assessments to identify and mitigate internal vulnerabilities and external dependencies.

The Treasury Department, through collaboration and insights obtained from the members of the FBIIC and the FSSCC, gathers sector-specific information. Although the definition of asset data is limited to the categories collected by the regulators, regulatory examinations and trade association surveys are thorough and provide adequate information for defining financial assets.

General information for assets may include, as appropriate to each component of the sector:

• Asset name, mailing address, physical location, owner/operator name;

• Function or type of transaction: deposit and payments systems; credit and liquidity products, including investment and risk transfer;

• Geographic region, financial center;

• Number of employees;

• Economic contribution: total market value of financial transactions conducted by or through the asset on a daily, weekly, monthly, and yearly basis;

• International considerations, if any;

• Existing and planned protective measures;

• Membership in a regional partnership or ISAC;

• Dependence on other sectors: Communications, Energy, Information Technology, and Transportation;

• Interaction with other assets: those other critical national assets directly and indirectly affected by the operation of each asset;

• Backup capability: location and function of backup facilities (data center and business resumption); and

• Substitutability: whether other industry systems or infrastructures would be able to serve the same function.

Intangible assets, such as systems, databases, or networks, are in one way or another linked to physical assets and locations. Systemically significant assets are stratified by their examination agency with respect to criticality to the financial services sector as a whole.

2.2 Collecting Infrastructure Information

The Treasury Department's and the Federal and State financial regulators' expertise in the financial services sector has been shaped by 217 years of experience. Continuous financial regulatory examinations and reporting requirements provide the financial regulatory agencies with voluminous and consistently updated data on institutions' operations and finances. Through the collaborative efforts of the FBIIC, the financial regulatory authorities have assessed the Banking and Finance Sector, identifying strengths and weaknesses within the domestic financial system, as well as pinpointing some institutions that play a systemically critical role within the sector.

In the private sector, financial trade associations regularly collect and share information on their member institutions for policy development. For example, the FSSCC members surveyed their members on lessons learned from the Northeast Blackout of 2003 and Hurricane Katrina in 2005. This effort helps to guide policymakers in understanding the needs of the sector in preparation for future events. The FSSCC members also gathered information on the participation of their members in programs such as Government Emergency Telecommunications Service (GETS), Wireless Priority Service (WPS), and Telecommunications Service Priority (TSP). This information helps to target those organizations that qualify for these services but are not yet taking advantage of them.

    2.2.1 Deposit and Payment System Products

The depository institution system is supported by electronic payment systems that link these institutions to one another and to their customers. Examples of these systems and networks are the many regional/national ATM networks[17] that permit consumers to access their funds from more than 1.5 million ATM sites worldwide;[18] four major credit card sponsors;[19] and the ACH operators, which processed nearly 14 billion payments worth more than $27.9 trillion in 2005.[20] Businesses and consumers increasingly use ACH payment systems to make recurring payments (e.g., creditor withdrawal of the customer's monthly mortgage and other recurring payments).[21]

Several other payment systems, such as the Clearing House Interbank Payments System (CHIPS) and Fedwire, support larger value payments. In 2005, the Fedwire payments system sent 132 million payments, valued at $518 trillion per year over its system, with an average transaction size of $3.9 million. During the same period, the CHIPS payment network sent 71 million payments valued at $350 trillion with an average size of $4.9 million per payment. It is important to note that these systems may be linked to payments occurring in systems outside the United States. Also, the securities clearing systems, such as the Depository Trust & Clearing Corporation for the equities and government securities markets and The Options Clearing Corporation for the securities derivatives markets, process more than 8.35 billion transactions worth $1.01 quadrillion annually.[22]

[17] ATM networks generally support both ATM and Personal Identification Number (PIN)-based debit card transactions.

[18] ATM Industry Association Europe.

[19] These merchants have 55 million locations (merchants and ATMs) worldwide. The four major credit card companies are Visa, MasterCard, American Express, and Discover.

[20] www.nacha.org/News/news/pressreleases/2006/Pr050806/pr050806.htm.

[21] By comparison, $2.3 trillion worth of payments and another $1.2 trillion worth of securities settlements typically are made daily through the Federal Reserve's large-value payment system, while another $1.7 trillion are made over CHIPS, also a large-value system.

Retail customers are increasingly processing their transactions with their depository institutions via the Internet. Financial regulators have issued extensive guidance to these institutions on how to manage this activity and mitigate the associated risks.

These deposit and payment system products are governed by a complex system of requirements, generally promulgated by Federal banking agencies, the SEC, or private SROs or rule-making bodies. The organizations operating payment systems are examined for compliance purposes by the appropriate agencies. For example, distinct Federal regulations govern the processing of funds stemming from checks and inter-bank funds transfers, while ACH payments are governed by rules promulgated by NACHA - The Electronic Payments Association.

    2.2.2 Credit and Liquidity Products

Credit markets are not formal markets with either a physical location or one narrow set of methods that define them. Rather, there are a wide variety of financial firms that provide credit and financing, including more than 17,000 depository institutions in the United States,[23] and a wide variety of non-depository providers, including mortgage financing firms, and many others. Moreover, many of the financial firms that provide financing at retail institutions require liquidity to fund their financing activity.

The number of financial services providers of credit and liquidity is extremely large, due to the many specialized niche markets serviced and the often highly tailored financial services provided. Given the many types of products, there is no single set of systems at work that dominates these financial products. However, throughout the entire financial services sector there are rigid goals of safeguarding the assets of clients and ensuring that client assets, the financial firms' assets, and recordkeeping systems are highly resilient to any foreseeable event.

    2.2.3 Investment Products

Collectively, the thousands of investment service providers own more than $16 trillion[24] in financial assets. Many of these providers operate in a highly regulated environment governed by a complex legal structure.

Some of these investment products are provided on highly formalized financial markets, while others are provided by regulated financial services providers not acting specifically in a formal financial market. Examples of highly developed formal financial markets include financial exchanges, at which financial assets are traded in a tightly regulated manner so as to achieve the desired purposes of market participants.

These formal financial markets have highly developed and extremely efficient, redundant networks and systems that provide a high degree of resilience for these markets in the face of a variety of potential situations. Additionally, these networks incorporate strong safeguards to protect clients' assets and provide both the customers and institutions with consistent access to their funds and records.

2.2.4 Risk-Transfer Products

Risk-transfer products include insurance and hedging instruments such as futures and options. Hedging instruments valued at close to $1 quadrillion are traded annually.[25] Insurance covers in excess of $6 trillion[26] worth of assets. Financial risk-transfer products often are tailored to the unique nature of the risks involved, although there are numerous standardized financial risk-transfer products, such as those traded on options and futures exchanges. Thus, the networks and systems used by the institutions providing these services often are tailored to the individual financial firm.

[22] www.dtcc.com/AboutUs/2005annual/dtcc2005_annual.pdf and www.theocc.com/about/ann_rep/ann_rep_pdf/annual_rep_05.pdf.

[23] www2.fdic.gov/sod/sodSumReport.asp?barItem=3&sInfoAsOf=2006 and www.ncua.gov/data/FOIA/foia.html.

[24] www.federalreserve.gov/releases/Z1/Current/annuals/a1995-2005.pdf.

[25] www.cme.com/about/ins/caag/FacFigu2803.html and www.theocc.com/about/ann_rep/ann_rep_pdf/annual_rep_05.pdf.

[26] www.federalreserve.gov/releases/Z1/Current/annuals/a1995-2005.pdf.

    2.2.5 Collecting Asset Data

To meet the challenge of more complex financial markets, products, and delivery systems, financial institutions, in particular large financial institutions, have been implementing more formal and complex risk management systems. Similarly, the regulators have refined their approach to supervision of financial institutions of all sizes by adopting a risk-focused approach to meet new challenges. Some regulators assign a staff of full-time examiners, who work on site, to the largest, most complex financial institutions. This on-site presence allows regulators to receive updated information about larger firms on a daily basis.

Federal, and at times State, law gives financial regulatory agencies broad authority to access records held or maintained by regulated financial institutions.[27] That information generally is provided exclusively to the financial regulatory agency, although in the event of potential criminal law violations, mechanisms exist to share that information with law enforcement agencies, including those within DHS.

The Treasury Department will continue to collect data on critical assets by coordinating with the FBIIC agencies.

2.3 Verifying Infrastructure Information

The Treasury Department, through the members of the FBIIC, uses a three-part process to verify asset information. First, a drafting committee collects and verifies the information. Second, the FBIIC members review the information for accuracy and errors. Third, a special FBIIC review committee subjects each asset assessment to rigorous questioning and review.

2.4 Updating Infrastructure Information

The information gathered through the examination process provides access to infrastructure information on the Banking and Finance Sector. The Treasury Department, through the members of the FBIIC, updates asset data on an as-needed basis. The frequent examination processes undertaken by the financial regulatory agencies ensure that up-to-date information is maintained regarding all facets of the regulated financial institutions, and the financial services industry regularly updates its regulators regarding both highly significant as well as routine changes.

[27] Some of those sources of Federal statutory authority are contained in Titles 12 and 15 of the United States Code. (See appendix 2 for details.)


    3. Assess Risks

Both the public and private members of the Banking and Finance Sector conduct risk assessments. These assessments look at issues and potential vulnerabilities both within individual organizations and sector-wide. Since risk management is part of the banking and finance culture, both regulators and private organizations have a long history of conducting regular risk assessments. In the private sector some of these risk assessments are mandated through regulation and validated by the examination process. Furthermore, the private sector institutions conduct voluntary risk assessments to meet their business needs as part of their continuity planning and/or in conjunction with trade associations' recommendations and self-regulatory requirements.

Following the attacks of September 11, 2001, the sector's risk assessment efforts became more formalized and took on a renewed sense of urgency. The FBIIC began an organized annual effort to examine the financial sector's resilience. The process has continued and matured over the years to include physical and cyber-based components of the sector as well as dependencies on other critical sectors. Information in this process is garnered through the regulators' extensive knowledge of sector participants. Furthermore, this information is verified through consultation with key private sector organizations. Information shared between the members of the sector and the financial regulators provides insights into the operational, financial, and systemic risks facing individual organizations and the sector as a whole. Through organizations such as the Federal Financial Institutions Examination Council (FFIEC), various private sector trade associations, and the FBIIC, there is ongoing verification, validation, and updating of risk assessment information. Furthermore, through individual information-sharing efforts between the Treasury Department and individual financial institutions, this process is further informed regarding new and emerging threats. Through this process, the Treasury Department has identified potential limitations and created a process to identify and assess vulnerabilities within the sector.

The following sections refer to the efforts of the Treasury Department, working with the FBIIC members and the private sector, to identify sector vulnerabilities and assess the risks across the Banking and Finance Sector.


    Figure 3-1: Vulnerability Assessment Methodology

    3.1 Use of Risk Assessment in the Sector

The Banking and Finance Sector has a long-standing and accepted practice of conducting risk assessments and mitigating vulnerabilities. These risk assessments take into account NIPP baseline assessment criteria, including consequences, vulnerabilities, and threats to the essential underlying clearing, payment, and settlements systems of the sector. These assessments also consider vulnerabilities stemming from direct or indirect threats to the physical and cyber-based operations across the sector. Furthermore, these assessments consider the nature of the incident, be it natural or manmade. The focus of these sector-wide assessments is on the potential impact that such risks, if exploited, would have on the orderly and efficient operation of the sector.

In the private sector, consequence analysis assessment methodology includes potential economic impacts to the institution, reputation risk to the institution, and potential impacts to the employees and surrounding population and facilities depending on the nature of the incident.

In the public sector, each regulatory agency examines the individual entities within its purview based upon a risk management framework. This regimen has been fine-tuned over an extended period of time to address risk as it pertains to the resilience and integrity of both the individual institutions and the financial system as a whole. Consequence analysis in risk assessment methodologies in the public sector includes potential economic impact, impact on public confidence in the financial system, and impact to the Government's ability to continue to provide its services to the public. These methodologies are complete, accurate, and reproducible in accordance with the NIPP baseline criteria. The assessments are updated daily through the intense and extensive regulatory examination process.

Collectively, the public sector, under the auspices of the FBIIC, carefully analyzes the entire U.S. financial system to assess its strength and resilience to manmade and natural disasters. Relying upon their collective expertise and experience, the members of the FBIIC developed a specialized risk assessment methodology for the Banking and Finance Sector. Based on this methodology, the FBIIC agencies identify financial institutions that play significant roles in key financial markets either individually or as a group. The vulnerability assessments address physical and cyber weaknesses in the financial services sector and are representative of both kinds of incidents. Collectively, these risk assessments provide an overall risk profile of the sector.

3.2 Screening Infrastructure

As stated in section 1, the Banking and Finance Sector may be divided into several functions: deposit and payments systems; credit and liquidity products; investment products; and risk-transfer products. The Treasury Department and members of the FBIIC use a screening process to identify certain assets within the Banking and Finance Sector that are systemically important. The sector is constantly changing, as are the dynamic screening efforts of the FBIIC to identify these systemically important assets. The Treasury Department and the FBIIC continually meet with financial institutions and regulators to determine any new assets that are critical to the operations of the sector. When a new asset is identified, the Treasury and the FBIIC take appropriate actions to address any vulnerability related to that asset.

The described asset data are controlled by the Treasury Department and the members of the FBIIC. The Treasury and key stakeholders in the public and private sectors update the asset data on an as-needed basis.

    3.3 Assessing Consequences

The Banking and Finance Sector assesses the consequences of an asset's loss or impairment within the context of its impact on the sector's ability to operate efficiently and in an orderly manner and its potential impact on the public's confidence in the financial system as a whole. Several factors used in this assessment include diversity, redundancy, nature of dependence on the asset, network or system, and symbolic importance.

    3.4 Assessing Vulnerabilities

The Banking and Finance Sector conducts ongoing vulnerability assessments. These vulnerability assessments include examinations into the potential risks resulting from cross-sector dependency, sector-specific vulnerabilities, and dependencies on key assets, systems, technologies, and processes. These assessments are based upon the extensive knowledge of regulators and guidance issued, and take into account physical, cyber, and human vulnerabilities, available redundancy, and the sector's reliance on sector-specific assets, systems and processes, and cross-sector reliance on these factors. Consequence assessments include direct economic impacts and national confidence impacts, and are based on expert judgment and exercises.

Through the vulnerability assessments, the sector has determined that some of its greatest challenges are its dependence on the telecommunications network and the power grid. Also, the Treasury Department and the FBIIC have identified the following additional important sector dependencies: Communications, Energy, Information Technology, and Transportation systems. As addressed in chapter 5 on protective programs, various efforts are underway to address these dependence risks.


    Figure 3-2: Dependent Relationships

Any vulnerability assessment of the financial services sector cannot be truly final because the sector is evolving constantly. Thus, the FBIIC members continue to update assessments regularly to identify vulnerabilities and manage and assess asset risks, especially as the sector adopts new technology. Furthermore, the Treasury Department will work with DHS to coordinate how to normalize the results of the Banking and Finance Sector's vulnerability assessments so that they may be comparable to the overall NIPP.

    3.5 Assessing Threats

There have been individuals and groups that have attempted to exploit the sector for their own pecuniary gains. Over time, the sector has developed defenses to thwart these attacks. However, criminals and terrorists continue to devise new methods and schemes. Therefore, the Treasury works with other Federal agencies, including the DHS Homeland Infrastructure Threat and Risk Analysis Center, on a daily basis to assess physical and cyber threats that are identified as specifically directed at the sector or at an asset on a national, regional, or local level. Relationships with DHS and other SSAs provide real-time information regarding these threats. Additionally, when threats are identified, frequent communications between the FBIIC and the FSSCC facilitate the efficient and effective transfer of potential threat information, permitting the sector to mitigate vulnerabilities.


    4. Prioritize Infrastructure

In the wake of the attacks of September 11, 2001, the Treasury, in conjunction with the members of the FBIIC and the private sector, undertook a renewed effort to identify and prioritize the key infrastructures. This effort is part of the overall risk assessment and management process taking place in the public and private sectors on an ongoing basis. The risk assessment methodology discussed in section 3 is part of the sector's overall risk management approach, which includes prioritization efforts. The prioritization within this approach assists the sector in determining the focus for protective programs.

In the private sector, this effort is an internal process to analyze and prioritize the processes and networks that the individual institutions need to meet their business continuity management and planning efforts.

In the public sector, the Treasury Department, through outreach to the members of the FBIIC, conducts an annual risk assessment review of the sector. This effort provides a sector-wide prioritization focused on business continuity and resilience for essential processes in the Banking and Finance Sector. The prioritization is informed by the extensive knowledge of the members of the FBIIC and, where appropriate, in consultation with certain private sector owners and operators. As the sector is changing constantly, so, too, are the Treasury's and the FBIIC's processes for identifying and prioritizing the systemically important assets, processes, and networks. The Treasury Department and the FBIIC continually meet with financial institutions and regulators to determine any new assets that are critical to the operations of the sector. Results from these consultations are used to update the annual prioritization where appropriate.

The Treasury Department uses the prioritization to inform sector participants where appropriate and to facilitate discussions, if necessary, to employ protective measures with the owners and operators. In specific instances, the Treasury Department reaches out to these members of the sector to encourage participation in business continuity exercises and programs. From a sector-wide perspective, these prioritization efforts inform the FBIIC's perspective on overall sector risk and, in turn, influence the Treasury Department's ongoing development of new outreach programs.

Furthermore, the Treasury Department works with its security partners, including DHS, to