The protection of our clients and customers from cyber threats is a foundational part of our business.
By: Craig Froelich, Chief Information Security Officer, Bank of America
Even if there is no universally accepted definition for cyber risk, the experts in our field are very good at knowing it when they see it and, just as importantly, doing something about it.
During the past two decades, the public and private sectors have made incredible progress in identifying and addressing cyber risk across our critical infrastructure. We have built a robust community in which we share information about threats, advance best practices and conduct exercises together, and that community has improved both our individual and collective security.
The work that we do across critical infrastructure sectors is indispensable, as the cyber threats and vulnerabilities we face demand that we work closely with the government. Furthermore, the private sector needs the support of the diverse resources and capabilities that only unified government engagement can provide. These vital partnerships must continue to evolve and expand. However, the risk is not always the same from sector to sector or agency to agency.
When we think about risk in cyber, we of course look at things such as threats and vulnerabilities. Unfortunately, many of those are shared across industries as we all work around the clock and around the globe to keep our businesses and customers safe from nation states, criminals and a wide variety of determined, malicious actors.
Additionally, we often share a technology supply chain that can create widespread vulnerabilities across both public and private sector networks, such as Log4j or SolarWinds. In response to these challenges, we have created a robust and vibrant community of experts that actively collaborates and seeks to address shared challenges.
In operation for more than 20 years, the Financial Services Information Sharing and Analysis Center (FS-ISAC) has been a focal point for us to build trust, experience and expertise in sharing information about cyber threats. As we worked more closely together as an industry and with key government partners, we soon found expanded opportunities to share best practices and help protect the sector as a whole. Every day we collaborate across our sector, across industry, and with government partners as our experts engage through the FS-ISAC to discuss complex cyber issues such as emerging threats, mitigation strategies and incident response.
In addition to the deepening partnerships in our sector and critical infrastructure as a whole, the government is making real, tangible progress in its efforts to support the cyber security of the private sector. We have been encouraged by increased coordination and recent investments in the departments and agencies that support the security of critical infrastructure and reduce our collective cyber risk.
The establishment and growth of the Cybersecurity and Infrastructure Security Agency (CISA) has created new opportunities for the government and private sector to improve national cyber security. The establishment of the Joint Cyber Defense Collaborative (JCDC) represents our shared interest in a deeper level of collaboration that can make us more proactive in how we plan for and respond to significant cyber incidents.
These efforts are necessary in identifying and reducing our cyber risk, but they are not sufficient. We must also assess the consequences that those threats and vulnerabilities could produce to truly understand our cyber environment and build resiliency into the financial system. For our sector, this brought the owners and operators of the nation’s most critical financial infrastructure together to establish the Financial Systemic Analysis and Resilience Center in 2016. As a result, our sector has invested in establishing a collective, focused view of our sector’s critical systems, assets and functions to ensure we could understand our shared cyber risk. Using this collective view, we have also identified ways we can proactively mitigate cyber risk through developing new initiatives, enhancing our resilience and improving our awareness of the threats we face. After several years of close collaboration within our sector and with government partners, we found that these new capabilities were making positive impacts both for our own firms and for the sector.
Following this successful sector-focused work, we expanded our partnerships in 2020 to include the energy sector with its common risk-based culture to improve our understanding of interdependencies and share best practices. The establishment of the Analysis and Resilience Center for Systemic Risk allows experts from the financial services and energy sectors to continue advancing this shared work along with our government partners to provide us with the most comprehensive, in-depth understanding of our cyber risk that we have ever had.
The private sector is not alone in its recognition of the increasing importance of looking at cyber risk through the unique lens of a sector, which allows us to focus on our distinctive characteristics and capabilities. With the signing of the Cyber Incident Reporting for Critical Infrastructure Act, both the Administration and Congress recognized the importance of the federal government’s role in helping the private sector better mitigate our cyber risk by codifying and expanding the responsibilities of “Sector Risk Management Agencies.” Although this designation has existed in the federal government for a decade, this new legislation creates a new opportunity for our sector to leverage our cyber risk efforts and deepen our collaboration to advance the national unity of effort for which these agencies were envisioned. Just as members of the financial services sector have deep expertise in not only the cyber threats and vulnerabilities we face but also their potential consequences for our operations, the Department of the Treasury has unique insight into our financial structure and the government capabilities that could assist its owners and operators. In short, the Treasury sees the cyber risks that we see, and, together, we can find new ways to address them.
Building upon the partnerships that our sector maintains with cyber experts across the government, the Treasury can play a critical role as our Sector Risk Management Agency to ensure that the government and private sector can have a holistic view of both consequences and mitigations for our cyber risks. Their deep understanding of the financial system and infrastructure can help further our work and drive a collective government approach to support our sector as appropriate.
Additionally, the Treasury’s expertise can help enable collective, proactive action against cyber threats to our financial security. As we focus on security and resiliency for our critical operations, the Treasury can understand and access capabilities to support our national and economic security if a significant cyber incident were to occur. Our sector has a long partnership with the Treasury on cyber issues, including through the Financial Services Sector Coordinating Council (FSSCC), which addresses strategic challenges, and the Hamilton Series of exercises, which improve cyber threat response within the U.S. financial sector. By fully embracing and investing in its role as the financial sector’s Sector Risk Management Agency, the Treasury can truly advance our ability to identify and reduce cyber risk.
By partnering within the private sector and with our government counterparts, our firms have a better understanding of cyber risk than ever before. Decades of collaboration have built a shared perspective in our cyber community that helps us make each other and our customers safer every day, and these trusted relationships are helping us to pursue new, innovative ways to further improve our collective security.
With this foundation, our sector can do, and is doing, more to identify and mitigate cyber risk. Along with the expertise and capabilities of our government partners, we look forward to continuing to make meaningful advancements in the cyber security and resilience of the U.S. financial sector.
About the Author, Craig Froelich
Craig Froelich is Chief Information Security Officer for Bank of America. He leads a team of 3,000 experts across 18 countries dedicated to protecting the financial data of the company’s individual consumers, small- and middle-market businesses and large corporations.
The Global Information Security (GIS) team defends against current and future threats to the company, and partners closely with industry and government associations to ensure the security of the sector as a whole. GIS inventors have filed or been granted more than 1,000 cyber security patents. The team has won more than 100 awards including the 2022 Hot Company Security Team of the Year award from Cyber Defense Magazine and the 2018 Information Security Team of the Year from SC Magazine. Craig has also received industry awards for his leadership, including being named to the Top 100 Global CISO list and CISO of the Year numerous times and Breakaway Security Executive of the Year.
Before joining Bank of America in 2001, Craig held executive management roles at technology companies where he acquired a decade of experience in product management, application development and infrastructure management. He has been granted eight information security patents.
Craig serves as the chair of the Analysis & Resilience Center. He is a former chair and current member of the Financial Services‒Information Sharing and Analysis Center’s board of directors, and he is a former chair and current member of the Executive Committee of Financial Services Sector Coordinating Council. He also serves on the board of Sheltered Harbor and the executive committee of BITS, the technology policy division of the Bank Policy Institute.