By Walt Williams
As cyberattacks grow increasingly sophisticated and the expense of bank cybersecurity swells, the Treasury Department has rolled out free tools to help banks of all sizes keep up in the arms race.
In recent years, the Treasury Department has had many discussions with bank CEOs about the increasing cost of cybersecurity, with some of the larger financial institutions spending more than $1 billion a year to secure their systems, says Todd Conklin, chief AI officer and deputy assistant secretary for cyber at the department, who spoke during an ABA webinar on Project Fortress. Federal officials are concerned that local and community banks will not be able to keep pace as cybersecurity costs continue to rise, he says.
“We thought that the timing was right, given the threat environment and the significant uptick in expenditures that we’re all making in the cyber defense ecosystem, to rethink our approach,” Conklin says. “What we came up with is what we’re now publicly calling Project Fortress, which is a menu of options that we’re offering to the spectrum of financial institutions, ranging from our largest to our smallest institutions.”
The automated threat information feed is the core offering of Project Fortress. It seeks to fill a hole in how federal officials alert financial institutions about current cyberthreats. In recent years, the Treasury Department has worked to declassify much of the information it receives about new and emerging threats, but there is often a time lag when that critical info is shared with the financial sectors, Conklin says. The issue came to a head earlier this year when the department learned of a threat to financial institutions but sent out an email alert on a late Friday evening on a holiday weekend, meaning many banks didn’t receive it until the following Tuesday. Unfortunately, by that time, more than 30 institutions were affected by the threat.
“This feed offers us an opportunity for the first time to directly connect Treasury intel feeds and intel flows — and by proxy, intelligence community and intel flows — directly into your technical ecosystem,” Conklin said. “It takes the human layer and the email gap time issue out of it and makes it a real-time, automated feed.”
The service is currently available only through the content delivery network Cloudflare, so banks will need a Cloudflare subscription to access it. Conklin said the Treasury is working to find a second service provider so banks that are not Cloudflare customers can access the feed.
Treasury also has opened a new physical office in downtown Washington, D.C. — the Treasury Classified Cyber Collaboration Suite — where it will host all its classified and unclassified threat exchanges with financial services representatives, Conklin says. “The goal of that is to deepen the communication channels, to offer more direct access to intelligence information, and then also have more strategic conversations,” he says.
The final piece of Project Fortress is CISA’s cyber hygiene scanning service, which provides participating institutions with weekly reports of any vulnerabilities found in their internet-facing systems. The tool also generates monthly snapshots for Treasury Department officials about common vulnerabilities discovered, although no institution-specific information is shared with regulators. The department is already using the service to test its systems, Conklin says.
“On a weekly basis, I get an email telling me where my top vulnerabilities are within the Treasury’s public-facing infrastructure so I know where our weak spots are,” he says. “It’s a really nice way to get a third-party review on the vulnerabilities in your ecosystem.”