By John Hintze
The Biden administration’s timely and unusually broad executive order issued May 12 arrived in the wake of attacks against major corporations and most directly affects the federal government and the private companies with whom it contracts. That includes a relatively small number of banks, but the order’s requirements are likely to ripple and impact banks more broadly, and some may face inquiries from examiners about whether their systems are up to snuff.
In a fact sheet issued with the order, the administration notes the highly publicized attacks against SolarWinds, Microsoft Exchange and the Colonial Pipeline as “sobering” reminders about the malicious cyber activity from nation-states and cyber criminals. In fact, Microsoft disclosed May 27 that the Russia-based cyber attacker that compromised SolarWinds and numerous government computer networks is pursuing a new wave of attacks against organizations in the U.S. and abroad.
“These incidents share commonalities, including insufficient cybersecurity defenses that leave public and private sector entities more vulnerable to incidents,” the statement notes, adding the order is the “first of many ambitious steps” the administration is taking to modernize national cyber defenses.
And the administration is moving expansively. Executive orders are typically aimed at executive branch agencies and departments, but the recent one covers all federal government agencies, including independent ones overseeing banks such as the Federal Reserve, FDIC and OCC.
ABA VP and Senior Counsel Denyette DePierro says the order will directly affect private companies contracting with the federal government. “The primary focus of the EO is not financial services but the universe of third parties that provide products, services and software to the federal government, that do not have bank-like substantive cybersecurity processes,” DePierro says. That includes the relatively small group of banks facilitating federal services, such as transactional accounts or debit cards to distribute government benefits, she adds.
DePierro says that banks are already adequately regulated and supervised, and must abide by substantial cybersecurity, privacy and information security requirements not present in other industries. In addition, she explains, many banks have already adopted the National Institute of Standards and Technology’s Cybersecurity Framework as their primary cyber risk management tool, and the NIST framework will serve as their executive order cyber standard.
However, many banks are still seeking to meet those standards, and the comprehensive order is likely to cover areas where practice is evolving. Given the federal government’s massive footprint, those institutions will likely feel the order’s ripple effect, assuming its provisions are enforced. Troy La Huis—principal and digital security services leader at Crowe, which ABA endorses for risk management, compliance and governance consulting—notes that less-enforced orders don’t typically demand the same attention, and thus far the cybersecurity order’s enforcement mechanisms remain unclear.
Another key issue is whether federal banking regulators implementing the order themselves will in turn apply its requirements to the banks they regulate. That remains to be seen, La Huis says. “But if its provisions are important enough for the government agencies, then it’s likely they will in turn seek to enforce them within the financial community.”
Given the nuts and bolts of the regulatory process, examiners may start asking about how banks’ cybersecurity measures up against the order’s standards as soon as next year, La Huis says. One potentially challenging area for banks, he adds, is a requirement in Section 3—on “Modernizing Federal Government Cybersecurity”—to develop a plan to implement “zero trust architecture” that incorporates the migration steps outlined by NIST.
Zero-trust architecture seeks to minimize the threat of cyber attackers infiltrating an organization and usurping user credentials to take control of a network by limiting what users can access. However, implementing it can be costly and typically requires locking down significant parts of the network. Many banks are just starting to consider it.
“Based on our discussions, banks’ chief information security officers are putting this one on the road map,” says Sekhara Gudipati, senior manager on La Huis’ team at Crowe. And should examiners indeed start asking banks about their zero-trust policies and procedures and the relevant technologies, he adds, “that’s when the seriousness and pressure comes” to implement it.
Other portions of the order may benefit banks. Section 4—on “Enhancing the Software Supply Chain Security”—describes the process by which the federal government will develop security guidance for critical software within 270 days of the order’s issuance. By March 2022, the Office of Management and Budget must take steps to require that federal agencies comply with the guidance.
Jordan Rae Kelly, head of cybersecurity for the Americas at FTI Consulting, highlights Section 4 as particularly impactful for the private sector and especially banks, since it is essentially creating an “Energy Star”-type label that software developers must adhere to. Although the label will first be used by the public sector, private-sector companies will also be able to use it to gauge software security.
The financial sector tends to be the “tip of the spear” in terms of investing in cybersecurity, Kelly says. “And what’s going to happen here is the EO will make it even easier to make those choices.”
DePierro says there is “industry optimism” that as large government contractors, including cloud, telecom and other technology companies are required to meet the executive order’s cyber standards, it may ease banks’ own third-party due diligence efforts.
“As federal-government third parties, companies are more likely to become NIST-compliant without banks having to beg, cajole and harangue them into adopting NIST standards and bank-like security,” DePierro says.
Another area that could impact banks is Section 2 on “Removing Barriers to Sharing Threat Information.” This section seeks to remove contractual barriers that may prevent sophisticated technology service providers the government uses from sharing threats they uncover with the appropriate federal department or agency.
La Huis, who has worked with financial institutions since 2004, says banks’ anti-money laundering and cyber fraud functions traditionally share little information, despite the frequently overlapping bad actors they are defending against. The order’s directive could be a catalyst for banks or their examiners to push removing those barriers, at least so AML and cyber fraud work more closely together.
“This may not be a huge lift, but it could quite possibly lead to re-organization, possibly convergence, among those units within banks,” La Huis says.
Other provisions could affect mainly smaller banks, with $10 billion in assets or less. Section 7, for example, requires the federal government to take all possible steps to detect early on the cybersecurity vulnerabilities and incidents in its networks, while Section 8 calls for the government to improve its investigative and remediation capabilities.
In both those instances, La Huis says, smaller banks with fewer resources have been slower to adopt comparable measures in their own institutions, and examiners may inquire about their plans.
Section 6 requires that the government establish a board to review and assess the impact of significant cyber incidents affecting the federal government. If such breaches involve a private-sector firm that contracts with the government, such as SolarWinds, it raises the issue of what data the board should be privy to. One of the next ambitious steps the Biden administration alludes to in its fact sheet may address that issue.
Private companies, including banks, tend to hold that information close to the vest, given the reputational damage it could cause. However, the topic has been discussed candidly in recent security-related conferences, Kelly says. While government officials participating in panels have declined to express views one way or the other, “they’ve made it clear there are challenges we continue to encounter without having mandatory breach reporting.”
John Hintze is a frequent contributor to ABA Risk and Compliance.