Security as an Issue for Small Banks

WASHINGTON - Michael A. Dawson has a clear message for executives: Even the smallest banks must assume they are targets of terrorists, hackers, and other menaces and must take the same protective steps that big companies do.

"We know that criminals target institutions that they perceive as more vulnerable to attack," Mr. Dawson, the Treasury Department official responsible for ensuring the financial system is steeled against such threats, said in an interview this month. "And some criminals suppose that larger institutions will be more sophisticated about their security and smaller institutions will be less sophisticated. It's not always true, but it is a supposition that criminals make."

For that reason, the Treasury last month invested $2 million in the private-sector Financial Services Information Sharing and Analysis Center, or FS-ISAC. The center allows companies to anonymously share warnings of attacks in progress or potential ones, advice on defense, and fixes such as software patches.

The Treasury money will help the center upgrade its technology and broaden its mission and membership.

Formed in 1999 by a group of the largest financial services companies to ward off computer viruses and other electronic attacks, the center will now also provide warnings about physical risks such as bomb threats. It has opened its doors to financial services companies of all sizes and is offering free and discounted memberships that include limited e-mail alerts and other basic services to attract small banks, credit unions, and other financial firms.

"There are many thousands of financial institutions in the United States, and we want the FS-ISAC to serve them all," Mr. Dawson said. "After Sept. 11, as we are focused as a nation on enhancing the resiliency of our national infrastructure, it became more important to include everybody."

Byron Yancey, the Reston, Va., center's executive director, said its founders had sought minimal influence from the government, but they came to see the value of expansion and realized they needed the government's help to do so.

He lauded Mr. Dawson's efforts and was blunt about the importance of including smaller companies.

"For financial services companies, the weakest link can break the chain - or cause damage to the infrastructure - because we are interconnected," Mr. Yancey said.

The center, which currently has 70 paying members, hopes to have 1,200 by yearend, so it can stay out of the red, Mr. Yancey said. (Annual dues range from $750 to $49,950 a year, depending on the level of service.)

Government officials and private-sector groups such as the Financial Services Sector Coordinating Council have been working hard to get the word out about such programs. The Treasury, the Federal Deposit Insurance Corp., and public-private groups have held meetings with thousands of financial executives in more than two dozen cities in the past 18 months.

Mr. Dawson said that since he was sworn in a year ago as the Treasury's first deputy assistant secretary for critical infrastructure protection and compliance policy, he has met with "scores of financial institutions and hundreds of people" in cities such as New York, Chicago, Los Angeles, Charlotte, and Cleveland. In the latter half of this month alone, he was scheduled to travel to Minneapolis, Baltimore, and Philadelphia.

In his speeches, he has emphasized four priorities of critical infrastructure protection - or "CIP" to policy wonks: protecting employees and customers, preserving public confidence, staying operational in times of stress, and promoting private-sector decision-making so that financial companies do not wait for Washington officials to tell them what to do.

New threats emerged throughout last year to provide fresh examples. There was the Slammer worm in January, the BugBear.B virus in June, the blackout in the upper Midwest and Northeast in August, Hurricane Isabel in September, and the bombing of HSBC Holdings PLC's Istanbul offices in November.

In general, Mr. Dawson gave the industry high marks for its handling of these crises.

For example, in a speech last month in Charlotte, he discussed the response to the blackout. "With one exception, the bond and major equities and futures markets were open the next day at their regular trading hours. Major market participants were well prepared, having invested in contingency plans, procedures, and equipment such as backup power generators."

Yet other events demonstrated vulnerabilities. The Slammer worm temporarily knocked out part of Bank of America Corp.'s automated teller machine network and other operations and affected First Data Corp.'s processing system.

Without naming names, Mr. Dawson said Slammer showed the need for sound software and up-to-date patches and underscored the risks of an interconnected financial system.

"Big banks can be made vulnerable to viruses not through any fault of their own, but as a result of connections that they have with third parties who may be running a portion of their operations," he said.

The tough assignment for Mr. Dawson is keeping financial services officials on their toes without sounding alarmist.

A lawyer who joined the Treasury nearly three years ago after a stint at a Web-based broker/dealer, he said his legal training makes him cautious with words. He began the answers to several questions with long, pensive pauses, and most of his replies contained systematic lists.

In his office, Mr. Dawson keeps FS-ISAC performance statistics that are depicted as gauges on a dashboard. He showed them to a reporter on the condition that the scores be kept confidential, but he said two of the most important measures were the percentage of financial institutions submitting data and the degree to which members felt that information from the FS-ISAC prevented damage to their companies.

In general, he is "extremely pleased" with the center's performance, but "we still have work to do to improve the usefulness of the information."

Mr. Dawson's metrics may be technical, but his office's goals are basic.

"We are really talking about protecting the confidence of people in the financial system, and people depend on a wide array of financial institutions," he said. "Because confidence is so important and so fragile, it's important that we cover everyone."

