Banks Should Be Privy to Classified Cyber Threat Data: Treasury's Raskin

BALTIMORE — Deputy Treasury Secretary Sarah Bloom Raskin on Tuesday called for prompt declassification of certain types of cyber-threat information to get it in the hands of banks working to enhance their security procedures.

Raskin, speaking before an American Bankers Association conference, said she is pushing for an interagency effort to declassify the information quickly and effectively. She called cybersecurity information-sharing a "two-way street," where banks share information they gather but also receive useful information back from regulators and law enforcement about threats they may soon face.

While federal rules on classified information often get in the way of such sharing, Raskin said the interagency "campaign" under way is meant to make useful but relatively benign information — such as IP addresses or "malware hashes" — available to banks sooner rather than later.

"We have been undergoing a campaign in which, government-wide, we are figuring out ways in which we can declassify information more quickly and put it into the hands of people who can use it," Raskin said. "It makes no sense for the government to be sitting on this information."

Raskin's comments come as high-profile hacking incidents at the Office of Personnel Management and Sony Pictures have heightened attention to the banking sector's ability to fend off a similar attack. The Government Accountability Office earlier this month published a report saying that bank regulators need to collect and analyze more and better data from banks in order to identify cyber-related trends and emerging threats.

The Office of the Comptroller of the Currency said in its semiannual risk perspective report that cybersecurity remains the top threat facing the industry. As larger and midsize banks get more sophisticated in their defenses, the OCC said, smaller banks are becoming more vulnerable. In April, the House passed a bill that would allow private firms to share cybersecurity information so long as personal customer information is not involved. The Senate is considering a similar bill.

But Raskin said bank-to-bank information-sharing should only be the starting point.

There is already sharing between the government and financial institutions through the Financial Services Information Sharing and Analysis Center, where banks can get access to unclassified intelligence including certain hacker IP addresses. Raskin said that the arguments against releasing other pieces of similar information because they may be classified or proprietary are counterproductive.

"It's not competitive information," Raskin said. "We're talking about IP addresses. We're talking about particular codes that were used to attack another institution. That should be shared, so you can have access to it and know this is an IP address that could be used to attack your institution. I think it makes complete sense."

Raskin also made a number of suggestions for banks to improve their resistance to cyberattacks. Integrating cybersecurity into the governance, control and risk management systems — and changing those systems to suit cybersecurity needs, if necessary — are musts for banks to fend off cyberattacks, she said.

Raskin said banks should also be evaluating their cybersecurity insurance policies to ensure that they cover all contingencies, and should take practical steps to reduce their volumes of sensitive data and the number of people with access to it.

But reaching a state of security in an increasingly connected financial sector will always be an ongoing process, she said.

"Cyber risk and the challenges posed by cybersecurity seem daunting and insurmountable," Raskin said. "We are confronting this challenge the only way we can, and that is one step at a time."
