Understanding the Biden Administration’s Cybersecurity Executive Order

By John Hintze

The Biden administration’s timely and unusually broad executive order, released on May 12, came in the wake of attacks on large corporations and most directly affects the federal government and the private companies it contracts with. That includes a relatively small number of banks, but the order’s requirements are likely to spread and have a wider impact on banks, and some may face inquiries from examiners about whether their systems measure up.

In a fact sheet issued with the order, the administration cites the high-profile attacks on SolarWinds, Microsoft Exchange and Colonial Pipeline as “sobering” reminders of malicious cyber activity by nation states and cybercriminals. Indeed, Microsoft revealed on May 27 that the Russia-based actor that compromised SolarWinds and numerous government computer networks was continuing a new wave of attacks against organizations in the United States and abroad.

“These incidents share commonalities, including insufficient cybersecurity defenses that make both public and private sector entities more vulnerable to incidents,” the statement noted, adding that the order is the “first of many ambitious steps” that the administration is taking to modernize national cyber defenses.

And the administration is casting a wide net. Executive orders are generally directed at executive branch agencies and departments, but this one covers all federal government agencies, including the independent agencies that oversee banks, such as the Federal Reserve, FDIC and OCC.

ABA Vice President and Senior Counsel Denyette DePierro said the order would directly affect private companies contracting with the federal government. “The primary focus of the EO is not financial services, but the universe of third parties who provide products, services and software to the federal government, who do not have substantial banking-like cybersecurity processes,” says DePierro. That includes the relatively small group of banks facilitating federal services, such as transaction accounts or credit cards used to distribute government benefits, she adds.

DePierro says banks are already properly regulated and supervised and must meet substantial cybersecurity, privacy and information security requirements that are not present in other industries. In addition, she explains, many banks have already adopted the National Institute of Standards and Technology’s cybersecurity framework as their primary cyber risk management tool, and the NIST framework will serve as the executive order’s cyber standard.

However, many banks are still working toward these standards, and the comprehensive order will likely cover areas where practices are still evolving. Given the federal government’s massive footprint, these institutions will likely feel the ripple effect of the order, assuming its provisions are enforced. Troy La Huis, principal and head of digital security services at Crowe, which the ABA endorses for risk management, compliance and governance consulting, notes that orders with weak enforcement generally don’t command the same attention, and so far the enforcement mechanisms of the cybersecurity order remain unclear.

Another key question is whether the federal banking regulators implementing the order themselves will in turn apply its requirements to the banks they regulate. That remains to be seen, says La Huis. “But if its provisions are important enough to government agencies, they are likely to seek enforcement within the financial community as well.”

Given the workings of the regulatory process, examiners could start asking how banks’ cybersecurity compares to the order’s standards as early as next year, La Huis said. One potentially challenging area for banks, he added, is the Section 3 requirement, on “federal government cybersecurity modernization,” to develop a plan to implement a “zero trust architecture” that incorporates the migration steps described by NIST.

Zero trust architecture aims to minimize the threat of cyber attackers infiltrating an organization and using stolen user credentials to take control of a network, by limiting each user’s access to only what is needed. However, it can be expensive to implement and usually requires locking down significant parts of the network. Many banks are just beginning to consider it.

“Based on our discussions, the banks’ information security managers are putting this one on the roadmap,” says Sekhara Gudipati, senior manager of the La Huis team at Crowe. And if examiners were indeed to start quizzing banks on their zero-trust policies and procedures and relevant technologies, he adds, “that’s where the seriousness and the pressure comes” to implement them.

Other parts of the order can benefit banks. Section 4 – “Enhancing Software Supply Chain Security” – outlines the process by which the federal government will develop security guidelines for critical software within 270 days of issuance of the order. By March 2022, the Office of Management and Budget must take action to require federal agencies to comply with the guidelines.

Jordan Rae Kelly, head of cybersecurity for the Americas at FTI Consulting, points out that Section 4 is particularly impactful for the private sector, and especially banks, because it essentially creates an “Energy Star”-type label that software developers would need to meet. First used by the public sector, the label could also be used by private-sector companies to assess the security of software.

The financial sector tends to be the “spearhead” in terms of cybersecurity investment, Kelly says. “And what’s going to happen here is that EO will make it even easier to make those choices.”

DePierro says there is “industry optimism” that as large government contractors, including cloud, telecom and other tech companies, are required to meet the executive order’s cyber standards, this could facilitate banks’ own due diligence efforts.

“As third parties to the federal government, businesses are more likely to comply with NIST without banks having to beg, cajole and harangue them to adopt NIST standards and bank-like security,” says DePierro.

Another area that could impact banks is Section 2 on “Removing Obstacles to Threat Intelligence Sharing”. This section is intended to remove contractual barriers that may prevent suppliers of sophisticated technology services contracted by the government from sharing threats they discover with the appropriate federal department or agency.

La Huis, who has worked with financial institutions since 2004, says banks’ anti-money laundering and cyber-fraud functions traditionally share little information, despite the frequently overlapping malicious actors they defend against. The order’s directive could be a catalyst for banks or their examiners to push for the removal of these barriers, at least so that anti-money laundering and cyber-fraud teams work more closely together.

“It may not be a huge boost, but it could very likely lead to a reorganization, or even a convergence, between these units within the banks,” says La Huis.

Other provisions could mainly affect small banks, those with $10 billion in assets or less. Section 7, for example, requires the federal government to take all possible steps to promptly detect vulnerabilities and cybersecurity incidents in its networks, while Section 8 calls on the government to improve its investigation and remediation capabilities.

In both cases, says La Huis, smaller banks with fewer resources have been slower to adopt comparable measures in their own institutions, and examiners may inquire about their plans.

Section 6 requires the government to establish a board to review and assess the impact of significant cyber incidents affecting the federal government. If such breaches involve a private-sector company that the government contracts with, such as SolarWinds, it raises the question of what data the board should have access to. One of the ambitious next steps the Biden administration alludes to in its fact sheet may address this problem.

Private companies, including banks, tend to keep this information close, given the reputational damage it could cause. However, the topic has been discussed candidly at recent security conferences, Kelly says. Although government officials participating in the panels declined to express opinions one way or the other, “they made it clear that there are challenges that we continue to encounter without having mandatory reporting of breaches.”

John Hintze is a frequent contributor to ABA Risk and Compliance.
