On April 1, the current administration's fourth executive order related to cybersecurity was signed into action. This executive order shows an ongoing commitment to securing cyberspace. In 2009, the executive office released its Cyberspace Policy Review, which triggered a flurry of cybersecurity policy. (Relatedly, the government's "Buy Secure" initiative to increase payment security mandated the issuance of chip-and-PIN cards for all federal employees and benefits programs beginning in January 2015.) This week, Take On Payments summarizes the four cybersecurity-related executive orders that have ben signed over the last six months and what these orders could mean for the banking and payments industries.
Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities (4/1/15)
Authorizes swift and severe sanctions by the Treasury Department to those engaged in malicious cyber activities that pose a significant threat to national security, foreign policy, economic health, or the financial stability of the United States. This action occurs regardless of where the offenders are domiciled, and can include the freezing of assets and denial of entry into the United States for individuals and entities. These malicious activities include, but are not limited to, distributed denial-of-service (DDOS) attacks and misappropriation of financial information for financial gain. According to an insider, attacks on banks and the financial sector, including the unauthorized access of payment credentials, would likely qualify as significant enough to warrant these new sanctions. While critics debate the enforceability of these sanctions, the banking and payments industry should find this development promising. Law enforcement is often challenged to bring these individuals to swift justice.
Promoting Private Sector Cybersecurity Information Sharing (2/13/15)
Encourages the Secretary of Homeland Security to establish information sharing and analysis organizations (ISAOs) as well as standards and guidelines to establish a robust information-sharing network related to cybersecurity incidents and risks. ISAOs can be organized on the basis of multiple attributes, including industry sector or region. Information sharing would take place both within and across ISAOs. Although the financial services industry has had some success with information sharing within their sector through organizations such as Financial Sector-Information and Security Center, the private sector generally remains challenged to share information across sectors. We hope this order will lead to the development of standards and better coordination to allow for information sharing of cybersecurity incidents and risks between the financial services sector and other industries.
Improving the Security of Consumer Financial Transactions (10/17/14)
Although cybersecurity wasn't the main focus of this executive order, two cybersecurity components are included in it. The first relates to the remediation of identity theft. It specifies that the Attorney General will issue guidance to promote regular submissions by federal law enforcement agencies of compromised credentials to the National Cyber-Forensics and Training Alliance (NCFTA) Internet Fraud Alert System. Secondly, the order requires that all federal agencies that make personal data accessible develop a plan to implement multifactor authentication. While directed towards federal agencies, it is possible that this order will pressure financial institutions and other private industry entities within the payments industry to adopt similar compromised credential submission and multifactor authentication practices, if they have not already.
The current cybersecurity activity isn't just limited to executive orders. Several cyber-related bills have circulated the congressional floor the past several years. A future Take On Payments post will highlight several bills that have been introduced in 2015 on Capitol Hill and what they could mean for banking and payments.
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed