Office of Innovation

Valerie McNevin, Esq.
Chief Information Security and Privacy Officer
Office of Innovation
225 E. 16th Street, Suite 900
Denver, Colorado 80203

Ms. Jennifer J. Johnson, Secretary,
Mr. Jeffrey Marquardt
Board of Governors of the Federal Reserve System
20th Street & Constitution Avenue, N.W.
Washington, D.C. 20551
Docket No. R-1128
Regs.comments@federalreserve.gov

Ralph Sharpe
Office of the Comptroller of the Currency
250 E. Street, S.W.
Public Information Room
Mail Stop 1-5
Washington, D.C. 20219
Attention: Docket No. 02-13
Regs.comments@occ.treas.gov

Mr. Jonathan G. Katz, Secretary
Mr. Dave Schillman
Securities & Exchange Commission
450 5th Street, N.W.
Washington, D.C. 20549-0609
File No. S7-32-02
Rule-comments@sec.gov

Thank you for the opportunity to provide comments on the Draft Interagency White Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System. I reviewed the Draft and submit the following comments together with the attached paper entitled Electronic Security: Risk Mitigation in Financial Transactions recently published by the World Bank.

During the past decade I worked extensively in the e-finance arena, specializing in public and private International Banking Law and Electronic Commerce. I continue to practice in e-finance but now also serve as the Chief Information Security Officer for the State of Colorado. For the last three years, members of the World Bank have engaged in extensive discussions and interviews with the global financial services industry, publishing several reports on e-finance, particularly in emerging countries. Recently we collaborated, the result of which is the attached paper entitled Electronic Security: Risk Mitigation in Financial Transactions and in Global Dialogues dealing with issues related to electronic security in the financial services arena.

The following comments are based on my conceptual and operational knowledge of the financial services industry, knowledge on the state of IT security within the industry, and the extent of the interdependencies between the financial services industry and other aspects of the country's critical infrastructure. Given today's economic and political environment and the ability of the financial services industry to detrimentally infect much of the rest of our critical infrastructure it is critical to honestly assess the particular threats and vulnerabilities that it faces. And because complex international collaborative work is required to resolve these issues and strengthen our overall critical infrastructure immediately, it is essential that regulators take a more proactive approach than they have in the past. To that end the following comments are offered.

COMMENTS:

First, the financial services arena is a part of every country's critical infrastructure. In fact it is the only critical infrastructure component that impacts every other critical infrastructure element. Certainly in the United States it is the critical infrastructure element that is most heavily dependent on telecommunications, energy and computer services outside of the Department of Defense. Moreover, our financial system is highly interdependent with other financial and payment systems, which exponentially increases the risk of collateral damage to us if another system is damaged. As a result, I agree with the interagency finding that it is imperative to assure the resilience of the overall U.S. financial system and its respective U.S. financial centers. However, assuring the resilience of our financial system means that we must look to the health of other financial systems as well. To the extent that those systems are not operating in a safe and sound manner we must find ways to assist them and in the meantime interface with their systems as little as possible until they operate in a safe and sound manner as well.

In order to build a resilient system we must first identify the potential threats and who or what is most likely to take advantage of the system's inherent vulnerabilities. First the financial system is faced with four particular categories of threats: Insider threats, Political threats, Criminal threats and Force Majeure threats. Insider threats emanate from employees or third party contractors that use their access to information about the system to sabotage or compromise it for personal or other reasons. Political threats arise from entities or persons with a political mission or agenda that either targets harm to the financial services industry to send a message or to extort capital from the industry to finance its agenda. Criminal threats usually require the simplest agenda,that of financial gain, but often use the most sophisticated techniques to deplete the system, thereby making it one of the most difficult challenges to the system. Finally, force majeure threats are those threats that one normally has little control over, "acts of God" such as weather or other natural disaster. Force majeure threats are the hardest to anticipate or prevent. The Draft appears to have focused attention on force majeure threats and on the physicality of the threat. The comments set forth below address the first three threats.

Addressing the resilience of the financial system from a risk management - risk mitigation approach requires that we anticipate, plan and prevent. Therefore, the Draft should recognize that: the first step in risk analysis is to prepare against a future event by acknowledging and identifying vulnerabilities and threats; the first step in risk management is to adequately secure and harden all system vulnerabilities that could be compromised by such threats.

In today's' global, interdependent and complex environment regulators share corporate, social and fiduciary responsibility with financial service participants to anticipate, plan and prevent. Together they should identify the stakeholders, utilize the "shared risk and responsibility" approach set forth in the Paper, and require "all" financial service or related financial service entities to engage in aggressive risk mitigation to adequately prepare the system to withstand events, rather than focus on after the fact activities.

September 11, 2001 provided indisputable evidence to every country that it is crucial for the financial services industry to anticipate, plan and prepare for both physical and cyber events. 9-11 was a "blended event", meaning that hitting the target was mean to result in a physical catastrophe and mass disruption of telecommunication and financial activity with attendant cascading effects. The Draft provides some sound suggestions for shoring up the physical readiness of the financial services infrastructure on an individual basis in certain "strategic" locations. However, it contains several significant deficits that should be addressed. It does not address readiness or resilience from a systemic perspective, nor does it address cyber resilience. Furthermore, it fails to identify significant stakeholders and is silent as to the role of regulators. As such, the Draft does not appear to be sufficiently in sync with the OECD Guidelines on creating a "Culture of Security", the Homeland Security Strategy or the National Cyber-security Strategy. As importantly, it is internally inconsistent with the three areas of consensus identified on page 4.

The Draft identifies the following three business continuity objectives that have special importance subsequent to 9-11:

  • Rapid recovery and timely resumption of critical operations following a wide-scale, regional disruption.

  • Rapid recovery and timely resumption of critical operations following the loss or inaccessibility of staff in at least one major operating location; and

  • A high level of confidence, through ongoing use or robust testing, that critical internal and external continuity arrangements are effective and compatible.

These objectives all speak to the importance of the computer and telecommunication functions of the financial system. However, it provides no guidance on operationalizing these objectives. At present the Draft presents a one-dimensional approach to a multi-disciplinary, multi-dimensional problem. For example, how will the specific entities that present "systemic risk" be identified and by whom? And since the objectives are dealing with systemic risk, who will oversee the plans, preparations and testing? Moreover, attaining these objectives is not something that the financial services industry can do without the significant cooperation of other industries, including telecommunications, energy and computer services. Who will oversee this? Who will set priorities among and between the stakeholders? And what criteria will be used to determine success? Moreover, what if the initial disruption occurs to a US financial service provider located in another part of the world and the US assets sustain collateral damage as a result? How do we contain the damage, not just to the financial system but also on other entities that are deeply reliant on the financial system? Resumption is a goal but may not necessarily be the most important-many times the most important goal is to contain.

For example, the Draft defines "critical markets" as a location or as a "knowledge resource in terms of human beings". But from a "systems perspective" a critical market is one of function, not location. Therefore if a critical location is affected, the goal is to contain first, provide the function (in terms of data processing and human knowledge resources) with as little downtime as possible, then recover. Containment and restoring function no matter where it is located takes priority over resumption in terms of their criticality.

Moreover, the activities identified as critical for recovery in a location-based scenario on page 6 are data or judgment related, not location dependent. Formalizing this activity requires the entity to identify the elements of the critical function that must be capable of operating and locations where that function can best be performed given a set of assumptions. It may mean deploying key personnel to other physical locations now or providing them with access to such locations when an event occurs. It also requires the cooperation of the telecommunication and other industries to be prepared with contingency plans if an event occurs. In essence the Draft does not apply or appear to expect financial service providers to use project management principles and integrated multi-disciplinary planning to achieve the desired result. Yet, the Homeland Security Strategy and the Cybersecurity Strategy make it clear that financial institutions must cooperate with other entities in developing these plans. It is well known that most IT related projects fail for lack of proper management. We cannot afford to fail in this project. Moreover, financial institutions are often found lacking in this core competency. For example, if an event occurs, every financial institution should have a Chief Security Officer that can assume leadership until the event is over, however that may be defined (See layer one of the twelve layers identified in the Paper).

However, planning for potential disruptions begs the initial strategic question of whether the system can be reconfigured to better address the threat and if so, how?

On page 9, Subsection A. of II states that "The agencies have found that industry participants generally recognize their respective roles in improving the overall resilience of the financial system and have made it a priority to complete internal preparations, share information and coordinate efforts. Firms indicated that economic trade-offs and competitive considerations exist in making strategic decisions about business continuity that require the continuing leadership of senior management and should not be left to the discretion of individual business units." This finding fails to recognize or seriously address the criticality of the issues on the table or the interrelated, multi-disciplinary effort needed to shore up the nations' financial service infrastructure. Also it is important to recognize that in a crisis, priorities and assumptions feeding those priorities change and the institution needs someone who is seasoned in handling wide scale crises.

Moreover, this position does not track best practices for risk mitigation or risk management for a large widely distributed system. For instance, the Draft fails to identify much less recognize the critical systemic importance that ISPs or money transmitters now play in the U.S. economy, neither of which have been regulated as yet by federal regulators and most of which operate with little if any security.

In Section II, Subsection B. Recovery of Critical Activities on page 9, the term "enterprise wide" is used. This is an extremely important term that has a multitude of meanings. From the context the meaning is unclear and should be defined. Assuming the term refers to all of the systems of an individual financial institution, please note that testing of systems should not be limited to its Business Continuity Plan. If a Bank's primary systems are attacked, the attack mechanism may have infected the back-up systems as well.

Therefore a comprehensive testing should follow an attack if certain criteria are met.

On page 10, the Draft acknowledges states that a "financial system is only as strong as its `weakest link'".

Yet, it provides no clear guidance as to what is expected of the "industry" so that a participant is not the weak link, nor does it define the "industry" within the paradigm of IT. In truth, the Draft alludes to the "safety and soundness" of the U.S. financial system, but chooses to do so, after the fact, instead of providing guidelines and minimum standards expected of financial institutions and financial service-related entities prior to or in anticipation of an event.

What does "safety and soundness" mean in an ever increasingly integrated and interrelated system? What is unsafe and unsound in today's new open architecture environment? What ramifications does an institution face if it is found to be operating its "systems" in an unsafe and unsound manner? Will it be removed from the system until its vulnerabilities are resolved? What mandatory reporting requirements exist that could be used to anticipate or prevent an attack? The reporting requirements are not enforced and are not mandatory, as most institutions do not report security breaches or incidents. Nevertheless the FDIC should be used as a central repository of this information and should be used to analyze and consolidate this data to monitor and address risks to the fund and anticipate and prevent further attacks.

Page 13 of the Draft discusses Confidence in recovery and resumption plans through use or testing. Firms need to widen the scope of testing particular systems and processes for functionality/connectivity to include penetration testing and vulnerability assessments. Firms and regulators need to constantly undertake vulnerability testing, particularly after an incident occurs as the event itself may introduce new vulnerabilities into the system, including back-up as well as primary systems. Secure systems should be a safety and soundness pre-requisite to doing business electronically. Penetration testing and vulnerability assessments should be used to verify the safety and soundness of a system after any significant event occurs.

Because of the scope of the issues and the extent of integrated planning necessary to successfully attain the objectives set out on page one, it is essential that regulators step up to the plate and provide consistency where possible, and minimum standards where appropriate. For example, on page 15 the Draft states that financial institutions are expected to determine the extent to which it would be practicable to achieve the broader business recovery objectives for critical activities in the near future" ...and "To the extent that these sound practices require revisions of the plans, firms should largely complete the planning process, including adoption of implementation plans, no later than 180 days after issuance of the agencies' final views and implement them as soon as practicable." This fails to underscore the importance of the planning and implementation activities or to leverage resources to deal with its complexity. A better approach would be to require all financial institutions and related parties to submit implementation plans together with migration plans. The migration plan would set out the timetable and migration process that the institution and its related entities intend to use to meet the basic safety and soundness criteria. Regulators should review these plans for adequacy on an institutional basis, and adequacy and appropriateness on a regional basis and a systemic basis. Regulators can and should assist the industry in leveraging assets and resources to be compliant with the safe & sound criteria within a stated period of time. This approach provides a way for regulators to add a much-needed value to the public-private partnership in a "shared responsibility" model.

We applaud the agencies' initial efforts, however it is our belief that this work requires significantly more work and more dialogue and certainly more consensus among the industry, shareholders, regulators and the public. Current paradigms cannot adequately address the issues raised by the new financial services environment, specifically safety and soundness in an open network architecture. At a minimum we advocate that financial institutions and related entitities use the 12-layer matrix set out in the Paper. The Internet Security Alliance, the U.S. Secret Service, the NIPC and the Presidential Critical Infrastructure Protection Board have endorsed this as a best practice methodology. In any event, we remain ready to discuss in detail any of the points raised in the Paper or in this Comment.

Responses to Questions Asked on Page 15.

In defining "critical", affected entities first should define its Critical mission. Then it can identify those systems, assets, processes, procedures, and resources that must be operational for it to carry out its mission critical objectives. Next it should identify the critical interdependencies it has and the extent to which that critical interdependency must be operational for it to succeed. Also it should identify the stakeholders in its circle of influence and work to leverage assets, resources and functions to "carry" one another through a critical event if necessary. This planning should mirror the ripple in a pond process-working out from the center of the ripple.

The time element for recovery will depend on the element affected and the event scenario, including the nature of the threat; the collateral damage sustained by the event and the recovery priorities. Further it depends on the level and intensity of disruption.

Expectations have not been adequately discussed or identified. Minimum distance from primary sites, in and of itself, is not a sufficient criterion. For example, a location a short distance away from the primary site may be sufficient because it uses a different power grid, or a different routing facility. By thoroughly identifying and reviewing an institution's interdependencies with other critical infrastructure elements, an institutions options are better realized, resulting in better and more flexible planning. The industry should, together with regulators, practice scenario response-by far when an event occurs, the quality of the human resource is still the first line of defense.

Interoperability, access and availability should be the mantra among and between the stakeholders.

A staggered timetable should be implemented. Project Safe and Sound should be an ongoing program. In reality, a business continuity plan is critical to safety and soundness; security is the fundamental pre-requisite to a safe and sound system and is the first line of defense in anti-money laundering and terrorist-financing. To guard on the front end we must secure the system, to protect on the back end we must implement recovery and in the meantime, question, prod and poke at present system's configuration, changing it where necessary to work better in an open network architecture. For example, what role might the Financial ISAC play in this process? Who will be the lead agency in dealing with these issues?