Gartner: Critical Infrastructure Protection Key Issues for FSPs


Financial services providers have long focused on security risks and the tracking of suspicious activities. The war on terror will force them to do more. FSPs should include cyberterrorism in all risk assessments.


The war on cyberterrorism will burden financial services providers (FSPs) because governments will continue to call on the financial industry for help in identifying potential financing of terrorism. Accordingly, compliance with legal and regulatory requirements, and with the spirit of their enforcement, will loom large for FSPs, especially small ones, and government regulators and supervisory agencies will have to take care to craft requirements that aren’t too financially onerous for FSPs to meet (for example, mandating duplicate processing environments). Nevertheless, the threat of cyberattack by terrorists still poses a risk that FSPs must pay attention to. “Security” lies at the heart of the value FSPs deliver, and the reputation for security of those that fall victim to cyberattacks will suffer. As a result, in increasingly competitive markets, a damaged reputation, financial insecurity and privacy exposures will likely translate into lost business and more-reluctant partners. Thus, boards of directors and business unit leaders of FSPs are wise to include the threat of terrorism in their enterprise risk analysis and recovery steps, while IT security managers investigate which technologies and processes to implement to meet new requirements.

Our research concerning critical infrastructure protection (CIP) for FSPs will focus on these Key Issues:

How Will Terrorism Affect Enterprise Risk Management?

Cyberterrorism threatens an FSP’s reputation and intellectual property most directly. Therefore, cyberterrorism does not just represent an operational risk, but a market and liquidity risk as well. To the extent that cyberterrorists might be better organized and funded than mere cybercriminals, they could make more powerful attempts to “crack” enterprise systems. Moreover, they would share the economic motivation of criminals to steal intellectual property and other valuable secrets, while weakening economic confidence in our financial systems. Potential business partners and customers would likely be less forgiving about security breaches than those in other industries because the security of assets has always been the paramount consideration in the financial industry. As with bank robberies, the way FSPs handle cyberattacks and recover from them will also reflect on their reputation. Therefore, FSPs must include cyberterrorism scenarios in their business continuity planning.

More specifically, FSPs sizing up the higher risk of cyberterrorism and their response to attack should consider protection against:

    Loss of their revenue and that of their clients
    Inability to operate
    Decreased market position
    Inability to raise cash
    Inability to respond to attacks in a timely manner
    Damage to brand
    Loss of intellectual capital

Recovery scenarios should include:

    Timely identification of systems and data sources infiltrated
    Cost of remediation
    Compliance with laws, regulations and industry standards relating to CIP
    Succession, business continuity and disaster planning and execution

How Will FSPs Respond as Threats Increase and Decrease?

New government mandates, industry norms and enterprise risk assessments will lead FSPs to implement new technologies and processes. The pressure of future attacks will push FSPs to investigate current business processes and technologies, and that means:

    Adopting or designing new or revised methods of monitoring financial transactions
    Adjusting contracts and service-level agreements to define the FSP’s security expectations
    Revising capacity and scalability to detect volume or monetary anomalies
    Evaluating new and established vendors and their products against FSP security and risk thresholds
    Creating project implementation and timing priorities in conjunction with risk potential

The war on terror also means more-rigorous requirements for knowing with whom the FSP is doing business and for reporting irregularities. Since the Sept. 11 attacks, FSPs have become more vigilant and proactive, but global, metropolitan, regional and community FSPs alike must stay that way. Terrorists will strike any target that serves their needs, so all FSPs must increase their awareness, regardless of their size or location, and regardless of how comfortable they are with the people and enterprises they do business with. The war on terrorism requires questioning even established relationships that FSPs previously accepted on trust.

Although the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act increased reporting requirements, traditional and nontraditional FSPs may lack the technology, training and real-time “help desk” assistance needed to effectively fulfill “suspicious activity reporting” (SAR) requirements. Currently, SAR reporting may be automated or paper-based, and reporting has had limited success. For example, a recent report by the Department of the Treasury found that many suspicious activity reports lacked details about the transactions in question, which hindered investigations. Two problems cited were:

    Lack of data quality
    Incompleteness of the information reported

Without reporting consistency and interconnectivity of reporting results, the processing of information is left to manual review or the re-entry of information into a central database. With time-sensitive information, delayed reporting decreases the significance of the data, and the data is subject to misinterpretation. If the threat of cyberattacks increases, expect stronger reporting requirements. Implementing the technology to satisfy increased and timely reporting may prove too expensive for many small FSPs. To gain efficiencies and contain costs, they will need help from larger FSPs. If such assistance is not forthcoming, industry consolidation of small FSPs absorbed by large FSPs could result. Correspondent banking relationships may also provide some relief.
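The Treasury finding above is, at bottom, a data-quality problem: reports arrive without the transaction details an investigator needs, and the gap is discovered only on manual review. One way an FSP can catch that before filing is a completeness and plausibility check over each SAR record as it is assembled. The following is an added example, not code from the original note or from any regulator; the field names (`report_id`, `subject_name`, `transaction_date`, `amount`, `currency`, `activity_type`, `narrative`), the 25-word narrative floor and the sample records are all assumed for illustration and are not an official form layout.

```python
"""Completeness and data-quality checks for suspicious activity report (SAR)
records before they are filed or loaded into a central database.

Added example; field names, thresholds and sample records are assumptions
for illustration, not an official SAR layout.
"""
from datetime import date, datetime

# Assumed minimum field set for a usable report (not the official form).
REQUIRED_FIELDS = (
    "report_id", "reporting_institution", "subject_name",
    "transaction_date", "amount", "currency", "activity_type", "narrative",
)
# Assumption: a narrative shorter than this rarely describes the transaction.
MIN_NARRATIVE_WORDS = 25


def check_record(rec):
    """Return a list of issue codes for one SAR record (empty = ready to file)."""
    issues = []

    # 1. Completeness: every required field present and non-blank.
    for field in REQUIRED_FIELDS:
        value = rec.get(field)
        if value is None or (isinstance(value, str) and not value.strip()):
            issues.append("missing:" + field)

    # 2. Data quality: date must be ISO formatted and not in the future.
    raw_date = rec.get("transaction_date")
    if raw_date:
        try:
            parsed = datetime.strptime(raw_date, "%Y-%m-%d").date()
            if parsed > date.today():
                issues.append("date:in_future")
        except ValueError:
            issues.append("date:unparseable")

    # 3. Data quality: amount must be numeric and positive.
    amount = rec.get("amount")
    if amount is not None:
        try:
            if float(amount) <= 0:
                issues.append("amount:non_positive")
        except (TypeError, ValueError):
            issues.append("amount:not_numeric")

    # 4. Data quality: currency is a three-letter code.
    currency = rec.get("currency") or ""
    if currency and not (len(currency) == 3 and currency.isalpha()):
        issues.append("currency:bad_code")

    # 5. Usefulness: the narrative must actually describe the activity.
    narrative = rec.get("narrative") or ""
    if narrative and len(narrative.split()) < MIN_NARRATIVE_WORDS:
        issues.append("narrative:too_short")

    return issues


def triage(records):
    """Split records into ready-to-file and needs-manual-review (with reasons)."""
    ready, needs_review = [], {}
    for rec in records:
        issues = check_record(rec)
        if issues:
            needs_review[rec.get("report_id", "<no id>")] = issues
        else:
            ready.append(rec)
    return ready, needs_review


# Constructed sample records: one complete, one with the defects the
# Treasury report describes (blank subject, unparseable details, no narrative).
SAMPLE_RECORDS = [
    {
        "report_id": "SAR-0001",
        "reporting_institution": "Example Community Bank",
        "subject_name": "A. Person",
        "transaction_date": "2003-04-15",
        "amount": "9500.00",
        "currency": "USD",
        "activity_type": "structuring",
        "narrative": (
            "Customer deposited cash in amounts just under the reporting "
            "threshold on five consecutive business days, each at a different "
            "branch, then wired the combined balance to a newly opened account "
            "abroad. Branch staff were unable to verify the stated business purpose."
        ),
    },
    {
        "report_id": "SAR-0002",
        "reporting_institution": "Example Community Bank",
        "subject_name": "",
        "transaction_date": "15/04/2003",
        "amount": "abc",
        "currency": "USD",
        "activity_type": "wire",
        "narrative": "Suspicious wire.",
    },
]

if __name__ == "__main__":
    ready, needs_review = triage(SAMPLE_RECORDS)
    print("ready to file:", [r["report_id"] for r in ready])
    print("needs review:", needs_review)
```

Running the block prints `SAR-0001` as ready and lists the four defects in `SAR-0002`. The point of returning issue codes rather than a boolean is that the reasons can go back to the originating desk in a consistent form, instead of being rediscovered by a manual reviewer or lost when the record is re-keyed into a central database.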

What Are the Appropriate Roles and Substance of Laws and Regulations in Mitigating Cyberterrorism Risks?

In the financial realm, the U.S. government’s response to the Sept. 11 attacks was necessarily reactive. No one had planned for an attack of that magnitude. Since Sept. 11, governments (federal and state) have recognized the interdependence of the public and private sectors. With national and economic security at stake, information sharing and risk assessment take on significant roles in recognizing and responding to cyberattacks. Collaboration between the private and public sectors is required to create the framework for data sharing and cross-industry risk assessment. An FSP must understand and participate in proposed regulatory actions, collaborate with the public sector to find the right solution, and influence laws and regulations so that they reduce its financial, operational, market and liquidity risks. How far a proposed regulation is appropriate must be judged against the risks it addresses and the cost of complying with it.

Governments, FSPs and the other industries that depend on the financial networks share the roles required to secure them. Critical infrastructure awareness and regulations that mitigate cyberterrorism will continue to affect the financial services industry. An FSP must be proactive in creating an environment that is financially reasonable for the FSP and supports the national infrastructure for homeland protection. Regulatory mandates that are impractical from a time and cost perspective may prove impossible to meet without harming the profitability of the FSP.

Key Issue

How will changes in technology and processes affect financial services’ requirements and efficiencies?

Acronym Key

CIP – Critical infrastructure protection

FSP – Financial services provider

SAR – Suspicious activity reporting

USA PATRIOT – Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism
