Incentivizing High-Performing Cybersecurity Programs in the Banking Sector

The U.S. banking environment has been beset by increasingly disruptive cyberattacks targeting financial institutions and their supply chains. These attacks underscore the importance of incentivizing high-performing cybersecurity programs across the banking sector, including many small to mid-sized institutions with limited resources. Most discussion of regulatory incentivization centers around the use of regulatory “sticks,” but using “carrots” could actually drive performance that is both faster and more effective against changing threats.

A rough model for such an approach (though in a historically physical security context) already exists in the trade sector: The Customs Trade Partnership Against Terrorism (CTPAT) was established after the 9/11 terrorist attacks to incentivize cargo supply chain stakeholders to invest in higher levels of security. Participants voluntarily agree to implement specified security measures and have those measures independently validated. In return, CTPAT members are considered to be low risk and are therefore less likely to be examined at a U.S. port of entry by U.S. Customs and Border Protection. The concept has also been applied internationally through bilateral mutual recognition programs as well as through multilateral dialogue at the World Customs Organization. 

There are several key distinctions between CTPAT and this banking proposal, however. Banks have very different operational profiles than members of the customs trade. Moreover, CTPAT incentivizes baseline measures (including, more recently, on cybersecurity) that members of the trade are not otherwise required to apply, whereas this proposal would incentivize higher-performing capabilities on top of minimum security measures that are already required. That said, the core concept of providing a programmatic benefit for enhanced and independently validated security measures is broadly applicable and viable, in principle, across both environments. 

This cybersecurity incentivization program would follow a similar structure to CTPAT. Participants would voluntarily commit to (a) implementing independently defined threat-informed cyber defenses, (b) having such defenses independently validated by qualified assessors based on threat-informed testing priorities, and (c) sharing incident-derived threat information with a predesignated entity even where not required by regulatory mandates. Eligible participants would include both banks and their technology service providers. While notional benefits would need to be defined, they could include elements such as streamlined regulatory assessments, expedited regulatory approvals, and related actions.

Complementing required regulatory “sticks” with a voluntary “carrot” approach would offer several key benefits. First, it would free up limited pools of regulatory talent with cybersecurity expertise to focus on higher-vulnerability use cases. Second, it would foster a more nimble process for tailoring cyber defenses to changing threats. And third, it would advance business outcomes by offering more streamlined regulatory interactions and thereby freeing up bank resources.

To determine whether a cybersecurity program is high performing, its performance must somehow be measurable in a scalable fashion. To achieve this, a program would need to be transparent, accurate, and precise. Transparency would require a program to be traceable and auditable to some objective framework or frameworks. Accuracy would require a program to reflect a technically accurate mapping of business profile to threat, of threat to defense, and of defensive measures to testing procedure. Precision would require a program to reflect whether countermeasures have been applied specifically to assets supporting critical operations and core business lines.

How would threat-informed defenses be transparently and accurately defined? The MITRE Corporation’s Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework would provide the basic structure. ATT&CK is the most comprehensive approach to the mapping of threat actors and related tactics, techniques, and procedures (TTPs) openly available today. MITRE also contains a detailed mapping from each technique to corresponding mitigations and detection data sources. Paul Rosenzweig and I have written previously on Lawfare about the value of a threat-informed defense in measuring cybersecurity performance, and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has standardized threat reporting around ATT&CK and measures testing results against it. As such, the ATT&CK framework could be utilized in two ways: first, to transparently establish baseline threat models and, second, to define prioritized defenses based on MITRE mappings. Such threat models and prioritized defensive measures could be developed by “honest broker” third parties, such as sector-specific information sharing and analysis organizations (ISAOs), or by MITRE, based on threat sightings reported by participants plus U.S. government and open-source threat intelligence.

Existing bank regulatory frameworks establish the concept of “core business lines” for resolution planning and resiliency purposes (see, for example, 12 CFR § 360.10 and 12 CFR § 243.2). Cybersecurity frameworks also establish the concept of a “high-value asset,” that is, “information or an information system that is so critical to an organization that the loss or corruption of this information or loss of access to the system would have serious impact to the organization’s ability to perform its mission or conduct business.” The program I’m suggesting would add precision by focusing on prioritizing and testing defenses around core business lines and supporting high-value assets.

Another important aspect of this program is independent validation. What would independent validation look like? The Bank of England’s Prudential Regulation Authority adopted a program for threat-intelligence-driven penetration testing known as CBEST to promote cyber resiliency for core regulated entities. The intent is to enhance resiliency through an assessment approach that “mimics the actions of cyber attackers’ intent on compromising an organisation’s important business services (IBS) and disrupting the technology assets, people and processes supporting those services.” Testing must, in turn, be conducted by an accredited set of qualified providers. 

Who would conduct such validation? In some programs, such as CTPAT, government personnel conduct validation while private-sector consultants conduct readiness assessments and help prepare companies for validation. In others—for example, CBEST, the Federal Risk and Authorization Management Program (FedRAMP), and the U.S. Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) program—validation is provided by accredited private-sector assessors. For its part, MITRE has created “MITRE ATT&CK Defender” (MAD) training and certification programs also tied to ATT&CK. Regardless, testing would be focused on priority TTPs with prioritization based on threat and impact to high-value assets.

How would incident-related threat information sharing work? Participants would be required to contribute threat TTP sightings (or permit their incident response providers to do so on their behalf) to an honest broker third party, even where not required by existing or expected regulations. These sightings would, in turn, be anonymized and used to help to define priority threats for mitigation and testing. 

One noncyber model for incident information sharing is the aviation sector’s Aviation Safety Information Sharing & Analysis System (ASIAS) initiative, which obtains and fuses data from a cross-section of aviation industry stakeholders so that aviation safety incident trends can be identified before accidents and other serious incidents occur. The Federal Aviation Administration (FAA) selected MITRE to facilitate ASIAS, which analyzes anonymized data from the FAA, airlines, manufacturers, and other sources to identify and share safety issues. Consider the opportunity to apply this model to crowdsource threat sightings from across the banking sector as the basis for threat model refinement, plus countermeasure and testing prioritization. The intake and analysis function could be supported by an existing information sharing and analysis organization, such as the Financial Services Information Sharing and Analysis Center, a nonprofit federally funded research and development center, such as MITRE, or a related organization.

Here are several additional features that could be included in a voluntary cybersecurity program for the banking sector:

• Controls inheritability: FedRAMP provides a mechanism for certifying cloud services for use by government customers based on achieving specified security criteria. While this program is not comparable to banking supervision, several aspects bear relevance. First, under FedRAMP, certification audits are conducted by certified third-party assessor organizations (3PAOs). Second, a set of “FedRAMP accelerator” offerings have been released by “platform as a service” providers to enable smaller companies to “inherit” a supermajority of FedRAMP controls and thereby expedite FedRAMP compliance. Consider the opportunity to apply the FedRAMP accelerator concept to enable smaller banking organizations to inherit security controls provided by participating third-party service providers. 
• Insurance: Participation in such a program could be internalized by insurance underwriters to be reflected in more favorable premiums, coinsurance requirements, and capacity.
• Additional sectors: The principles behind such a program could plausibly apply in a similar fashion across additional sectors—transport, water and others.
• Mutual recognition: CTPAT is applied internationally through bilateral mutual recognition programs. Consider mutual recognition of a cyber-threat-informed defense program to facilitate participation by stakeholders with cross-border operations. Benefits may vary by country, but requirements would be made compatible across jurisdictions for ease of application by participants.

A number of important details—including thresholds for acceptable levels of mitigation and testing success—would need to be worked out. That said, incentivizing threat-informed security measures would enable participating businesses to defend their organizations more effectively while also streamlining regulatory measures. Doing so would allow regulatory agencies to prioritize limited resources on more vulnerable entities. In this way, a level of resiliency would be achieved that reflects adaptive threats and is durable over time.