FS-ISAC Announces New Initiative to Strengthen the Financial Services Critical Infrastructure

The Financial Services Information Sharing and Analysis Center (FS-ISAC) has launched what it calls the Financial Systemic Analysis & Resilience Center (FSARC). While FS-ISAC is primarily about sharing threat intelligence between banks and other financial institutions, FSARC will provide a more strategic analysis and identification of emerging threats to help mitigate systemic cyber threats. Those results will be shared through the existing FS-ISAC structure.

FSARC is the brainchild of CEOs from eight leading banks who came together to discuss ways to improve the resilience of the financial services infrastructure. The banks concerned are Bank of America, BNY Mellon, Citigroup, Goldman Sachs, JPMorgan Chase, Morgan Stanley, State Street and Wells Fargo.

Information about how FSARC will operate is limited and provides only a high level overview. "The challenges associated with cyber-attacks and the financial fraud stemming from such incidents are bigger than any one institution, and this is something the financial sector must face together. We are stronger and more resilient when we work collectively to understand the evolving tactics of cyber adversaries and to deepen the layers of defense against such attacks,” said Bill Nelson, President and CEO, FS-ISAC in a recent statement. 

FS-ISAC shares threat intelligence with its members, and does so anonymously if required by the members concerned. It receives intelligence from US government agencies such as the Department of Treasury, the Department of Homeland Security and the Federal Bureau of Investigation; but will only share with them if approved by the member. FSARC is likely to increase this relationship with government agencies (the US Secret Service tweeted its congratulations on the launch); but it says it will maintain the existing structure and methods for disseminating information. 

"FSARC is a long-term strategic initiative that performs deep analyses of systemic cyber risk across financial products and practices. Findings and adaptable mitigation strategies will be shared across the financial sector through FS-ISAC and its membership," explains FS-ISAC in a statement.

So far we seem to know only who and where; but not how. FSARC is looking to establish its own physical location, understood to be in Arlington. It is also believed that for the time being at least it will use FS-ISAC's existing web structure. Bank of America's Siobhan MacDermott and JPMorgan's Greg Rattray will serve as interim Co-Presidents until the center reaches full operational capability. 

How FSARC will achieve a proactive analysis of emerging threats is not yet known, but it seems almost certain that it will leverage the expanding and improving technology of analytics based on machine learning. Machine learning analytics works best when there is a large pool of data from which to learn. The current FS-ISAC database has thousands of threats, vulnerabilities, and events dating back to its formation in 1999. What isn't known is whether FSARC will develop its own analytics, or will call on the security industry.

One firm already involved in machine learning threat detection for financial services is Corvil. "This newly established center enables banks to gain an upper hand in their ongoing asymmetric battle against cyber crime, through both collaboration and a preventative, longer term perspective," Corvil's Graham Ahearne told SecurityWeek.

"At the heart of what FS-ISAC provides is a platform that enables collaboration. This new resilience center takes all that works well from FS-ISAC and combines it with longer range perspective and planning, paving the way for more proactive and preventative measures."

Since prevention is always better than cure, the output from FSARC will provide a more holistic, broader view of both challenges and options for associated solutions.

"Financial services fuel the engine of our economy," he said, "and bold steps need to be taken in order to assure this engine is protected and resilient. This new initiative takes a promising step in that direction."

view counter

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Previous Columns by Kevin Townsend:


SecurityWeek RSS Feed

Assaf Regev

Assaf Regev serves as the product marketing manager for the web fraud portfolio of Trusteer, an IBM Company, part of IBM’s Security Systems division. Assaf holds a BS.c in...

See All Posts

According to data from IDC, the worldwide smartphone market is in excess of 2 billion units. By 2017, the smartphone market share will reach 70.5 percent, up more than 10 percent compared to 2013.

In addition to IDC’s findings, the recent “Consumers and Mobile Financial Services 2016” report stated that 43 percent of mobile phone owners perform online banking via a mobile device, up from 39 percent last year. Additionally, 53 percent of smartphone owners use mobile banking.

A Stake in the Ground

It’s evident that consumers expect to interact with services such as e-commerce, gaming and online banking through their mobile devices. As a result, organizations offering new services must keep up with the ever-growing mobile landscape and any associated regulatory guidelines.

The Federal Financial Institutions Examination Council (FFIEC) recently issued guidance that focused on risks associated with mobile financial services (MFS). The publication also emphasized an enterprisewide risk management approach for more effective risk mitigation.

The agency put a stake in the ground, issuing a new set of security guidelines for mobile banking in late April 2016. This was an important update to the organization’s previously released handbooks. With these new guidelines, the FFIEC set the foundation for 24/7 online banking services of all types, including a set of detailed, actionable directives.

Read the white paper to learn to how to protect Mobile Financial Services

Protecting Mobile Financial Services

More generally, financial institutions looking into protecting existing and new MFS should consider the following:

  • The main channels for mobile banking, such as SMS messaging, mobile-enabled websites, mobile applications and wireless payments;
  • The risks and potential implications on the various aspects of the offered service, including strategic, operational, compliance and reputational risks;
  • The means of identifying, measuring, assessing and mitigating the risks across all applicable categories, which includes the likelihood and impact of such risks and their potential effect on the service and the organization; and
  • The processes and systems in place to help validate and report whether the offered product or service meets operational expectations.

Financial institutions looking to address the above issues must make sure these objectives can be aligned with their short- and long-term strategic plans. To help address security concerns related to mobile financial services, financial institutions can embed the IBM Security Trusteer Mobile SDK in proprietary mobile banking applications via a dedicated security library for Apple iOS and Google Android platforms.

For more information, download the white paper to see how IBM solutions can help protect mobile financial services and provide effective and sustainable fraud prevention.

Topics: Banking, Mobile, Mobile Banking, Mobile Devices, Mobile Security, Risk Management

Security Intelligence