A chat channel for banks, tech firms to swap cyber-threat intel – American Banker

A cybersecurity consortium for the financial sector recently launched a program designed to help its bank members receive information about security threats and vulnerabilities that affect their vendors.

As part of its Critical Providers Program, the Financial Services Information Sharing and Analysis Center this week created a dedicated channel in its chat platform to put financial institutions and select tech vendors in the same group chat so providers can “coordinate with the whole sector at once during large-scale cyber incidents.”

Teresa Walsh, head of intelligence at FS-ISAC and Boaz Gelbord, chief security officer at Akamai

Teresa Walsh, head of intelligence at FS-ISAC, said the organization’s new communication channel for banks and their vendors would create a “direct line” between the two in cases of security breaches or outages. Boaz Gelbord, chief security officer at Akamai, said the new channel will help companies like his extend their expertise to smaller banks.

The consortium, which says it has more than 16,000 users, said the program would enable tech providers to confidentially communicate with thousands of financial institutions at once about sensitive information related to their security environments. An expert in the field said the program is promising, but would need to be combined with requirements for vendors to fix those vulnerabilities to be game-changing.

“Anything you do to help improve security is absolutely good,” said Tari Schreider, an advisor on cybersecurity practice with Aite-Novarica Group. “However, I don’t think this is going to be much more than security theater.”

According to Teresa Walsh, the FS-ISAC’s head of intelligence, the program will establish more trust between tech vendors and financial institutions, and that will attract participants to it.

“Having a direct line between critical providers and our member financial firms builds trust not only between vendors and individual customers, but also shows that the providers understand our sector as a whole and our resilience needs,” Walsh said.

The program will let vendors’ technical experts communicate with bank security staff during large-scale security upgrades, technical outages, cyber vulnerabilities or incidents, software or hardware misconfiguration incidents, and changes that may affect multiple member institutions. It will all happen in FS-ISAC’s instant messaging platform, Connect.

So far, only the content-delivery-service provider Akamai is participating. Boaz Gelbord, chief security officer at Akamai, said the company “is trusted by more than 325 of the world’s financial services firms,” including eight of the 10 largest banks.

As more providers join the program, the consortium will provide each with its own channel in the chat platform, connecting it to an audience of thousands of financial institutions. Among those will be smaller institutions that Gelbord said could derive special benefit because they typically don’t have as much clout with vendors.

“This program extends the collective visibility, experience and expertise we have as the critical providers to financial services organizations of any size or security posture, bolstering protection for those that don’t have the advanced capabilities,” said Gelbord.

Schreider said the program constituted a “great start” — the consortium itself described the program as a “pilot” at launch time — but added that it would need additional work to become practical.

“There are disclosure protocols that need to be changed in order for this to be effective,” Schreider said. He pointed to disclosing and fixing “zero-day” vulnerabilities as an important case. A zero-day vulnerability is a security hole that hackers can exploit because the system vendor doesn’t know about it or, if it does, has not fixed it. In some cases, the vendor discovers the hole and patches it before anyone can exploit it. In other cases, hackers find the hole first or react to publicity about it faster than the vendor.

In November, the Federal Deposit Insurance Corp., the Office of the Comptroller of the Currency and the Federal Reserve jointly issued a final rule that requires federally regulated banks to notify their primary federal regulator within 36 hours after determining that a computer-security notification incident occurred. The requirement, which will apply to banking organizations and service providers, takes effect in April.

According to Schreider, if the Critical Providers Program came with agreements between providers and financial institutions that providers have 45 or 60 days to fix a vulnerability before the institutions publicly disclose it, “that would really be something.”

Such a program, Schreider said, would ensure a confidential avenue for providers and banks to discuss vulnerabilities, give providers time to implement a fix and allow banks to bolster their own systems in the meantime. 

But Schreider said he was skeptical that the program in its current form would amount to much.

“In theory, it’s a great start, but the devil’s in the details, so how do you really make this pragmatic?” Schreider said.


Leave a Reply

This website uses cookies. By continuing to use this site, you accept our use of cookies.