President Donald Trump signed an executive order last week to strengthen the federal government’s cybersecurity networks, a move that has drawn praise and some concern from financial industry trade groups.
The presidential executive order consists of three sections: cybersecurity of federal networks, cybersecurity of critical infrastructure, and cybersecurity for the nation.
The first section calls on federal agencies to use the cybersecurity framework developed by the National Institute of Standards and Technology to manage and mitigate their cybersecurity risk. It also directs each agency to provide a cybersecurity risk management report to the Secretary of Homeland Security and director of the Office of Management and Budget within 90 days.
The second section calls on the Secretary of Homeland Security, in coordination with the Secretary of Defense, Attorney General, and directors of National Intelligence and the FBI, to identify authorities and capabilities that agencies could employ to support the cybersecurity efforts of critical infrastructure entities at greatest risk of attacks that could result in catastrophic regional or national effects. The order also calls on the secretaries of Commerce and Homeland Security to lead “an open and transparent process to identify and promote action by appropriate stakeholders to improve the resilience of the internet and communications ecosystem and to encourage collaboration with the goal of dramatically reducing threats perpetuated by automated and distributed attacks (e.g., botnets).”
Finally, the order directs the secretaries of State, Treasury, Defense, Commerce, Homeland Security, Attorney General, the U.S. Trade Representative, and Director of National Intelligence to issue a report to the president on the “nation’s strategic options for deterring adversaries and better protecting the American people from cyber threats.”
The American Bankers Association issued a statement May 11 praising the president’s executive order on cybersecurity.
In the statement, ABA President and CEO Rob Nichols said the executive order will “enhance the security of government systems and help protect our critical financial infrastructure — and ultimately bank customers — through enhanced information sharing and greater cross-industry collaboration.”
“The financial services industry is committed to help protect our country’s critical sectors and economic security,” Nichols continued in the statement. “America’s banks will continue to work closely with the White House, Congress and others to establish clear lines of public-private communication, while avoiding inconsistent or duplicative regulation that might undermine our efforts to protect banks and the customers they serve.”
The Credit Union National Association said in a statement it generally supports the use of the National Institute of Standards and Technology cybersecurity framework as a tool for credit unions but is “concerned that mandatory use by federal agencies could eventually lead to making a mandatory standard for financial institutions.”
“It should not create additional requirements, nor should it apply a one-size-fits-all approach for credit unions to demonstrate readiness,” the CUNA statement said. “CUNA also believes that, should regulators determine new or additional cybersecurity requirements are necessary, those should be incorporated into existing frameworks and guidance.”
The president signed the cybersecurity order one day before a massive ransomware attack on May 12 that affected more than 300,000 computers in 150 countries.
The ABA said in a statement issued May 15 that it was monitoring the attack through its membership in the Financial Services Information Sharing and Analysis Center. As of Monday, the ABA said it was aware of no known effects on the U.S. financial sector.
“ABA encourages all banks to become FS-ISAC members to receive the latest updates on cyber threats to the financial industry,” the ABA statement read. “ABA has also produced several resources to help banks and their customers — in particular business clients — understand ransomware and respond should they become victims of an attack.”