The ISTS report, titled "Survey and Analysis of Security Issues in the U.S. Banking and Finance Sector," finds that while the industry has acted to prepare for and respond to malicious acts and emergency situations, it remains vulnerable to large-scale terrorist attacks, such as the attack on 9/11, and to sophisticated physical or cyber attacks targeted at "choke points," such as major trading exchanges, clearing firms, large brokerage firms, and transaction and payment systems.
"Banks and financial services organizations really have come a long way in defending the sector against all kinds of threats," says the report's lead author, Eric Goetz, a senior security analyst at ISTS. "However, pivotal systems and data remain at risk from large-scale physical events or more targeted attacks against the sector."
The report, intended primarily for policy makers, highlights past and ongoing security efforts at individual companies and sector wide, and it provides a clear, concise and timely overview of the current state of security of the financial services industry. It is based on open source information and discussions with industry insiders, and it's available on the ISTS website at http://www.
The U.S. banking and finance sector processes billions of dollars daily in transactions conducted through a complex network of institutions and systems underpinning the national and global economies. Since September 11, 2001, financial companies, regulatory agencies and the government have worked together to introduce robust security throughout the sector, including key assets and systems, such as the payment, clearing and settlement systems that are crucial to the industry. Individual companies have put in place sophisticated procedures and technologies to protect data and infrastructures.
The report states vulnerabilities at the choke points, whether exploited directly or indirectly through terrorist attacks on nearby targets, could prove damaging to the financial sector. It also underscores financial services firms' reliance on other critical infrastructures, including telecommunications, power and transportation systems. The report points out that the sector is further at risk from hacking, computer viruses and worms, and cybercrimes of all sorts that threaten to undermine the confidentiality, integrity or availability of financial data or transactions.
The report finds that, in the face of threats, the sector and government have coordinated their efforts to maintain reliable service in times of crisis. The ISTS report suggests that lawmakers and government agencies need to continue to work with sector experts to understand and analyze both the vulnerabilities and the possible consequences of public or private action.
This is the fourth in a series of ISTS papers studying the security of critical infrastructures. Past reports examined information and telecommunications systems, cybersecurity of the electric power industry, and transportation security issues.
Goetz explains that, "The reports are part of an ongoing effort to cast light on the current state of national infrastructure protection, with special focus on interdependencies between different sectors that have the potential to cause cascading disruptions."
Bob Gray, a senior researcher at ISTS, adds, "The reports not only provide awareness of critical security issues to the law enforcement and computer security communities, but also make researchers aware of important application domains that can benefit from further research and development. These researchers can design future research programs specifically to address identified infrastructure vulnerabilities."
The Institute for Security Technology Studies is a national center for cyber and homeland security technology research, development and analysis. The complete study was supported under Award number 2000-DT-CX-K001 (S-2) from the Office for Domestic Preparedness, Department of Homeland Security.
* The 13 critical infrastructure sectors, according to the National Strategy for Homeland Security (http://www.