The global financial industry’s dedicated cyber intelligence consortium, the FS-ISAC, has called on critical tech infrastructure providers to enlist in a new program to help tackle cyber threats targeting the industry’s supply chains, with one major tech and cybersec developer already signed on.
The new Critical Providers Program (CPP) will enable non-FSIs to collaborate and share critical information on cyber threats targeting supply chains – attacks that could potentially cripple financial services providers anywhere in the world.
The FS-ISAC (Financial Services Information Sharing and Analysis Centre) said the CPP, which is currently being piloted, will open up opportunities for firms that “host, connect and protect a substantial percentage of financial institutions’ infrastructure” to share data and strategies on cyber threats targeting the industry.
“FS-ISAC created the program to foster continuous collaboration and information sharing between its member firms and their providers,” it said.
This, the FS-ISAC added, “will bolster the industry’s protections and preparedness against sophisticated cyber threats”.
Critical providers will be able to reach “thousands of financial firms easily and efficiently” through a dedicated channel (the FS-ISAC’s ‘Connect’ platform), enabling them to communicate critical and sensitive information related to their security environments. All Tier 1-8 members will have access to the Critical Provider team.
This information might include large-scale security upgrades, technical outages, cyber-based vulnerabilities or incidents, software/hardware misconfiguration, or changes that may impact multiple FS-ISAC members.
In the event of a large-scale cyber threat or incident, the FS-ISAC added, this relationship will expedite and simplify communications to the sector as well as provide key data back to the providers.
Akamai Technologies, a global cybersecurity company, has been announced as the first critical provider to sign up to the program.
‘Critical providers’ are defined by the FS-ISAC as non-financial organisations that provide network infrastructure and services that, if impacted by an incident, would interrupt, in real time, a significant amount of core financial services across the sector, and in turn impact the public’s ability to manage financial transactions.
The creation of the CPP was triggered by a recent, unprecedented influx of supply chain cyber threats and incidents, the FS-ISAC said, many of which have had significant potential to disrupt the financial sector.
“We do not anticipate this subsiding, as firms continue to digitise their business models to better serve customers and optimise operations.”
Cybersecurity company Argon estimates that supply chain-based cyberattacks tripled in 2021, with hackers utilising “open source vulnerabilities and poisoning, code issues, software supply chain process or exploiting supplier trust, to distribute malware or backdoors to non-suspecting application users”.
Among the more notable supply chain attacks of the last two years was the breach of managed services provider SolarWinds, which impacted a slew of major tech companies, including Microsoft, Intel and Cisco, as well as the US Government. Russian state actors were believed to be behind the attack, which was estimated to have affected more than 15,000 organisations across the globe.
Australian financial services firms could be particularly vulnerable to supply chain attacks, with corporate watchdog ASIC noting, in its recent cyber resilience report, that local FSIs recorded “no material improvement” in their mitigation of supply chain and third-party cyber security risks over the last two years.
FS-ISAC’s global head of intelligence Teresa Walsh stressed that, with the adoption of new technologies from managed services providers, “critical providers have become both an important ally to the industry and a target for cybercriminals”.
“The program will ensure our members efficiently receive accurate and timely security information from their critical providers,” she said.
Akamai chief security officer Dr Boaz Gelbord said the company was “honoured” to be among the founding members of the program, praising the FS-ISAC “for taking a leadership role in facilitating direct communication between critical providers and the financial sector”.
“We are looking forward to sharing what we are seeing from the unique vantage point of our globally distributed edge platform, listening to the members’ experiences, and collaborating on ways to mitigate current and future risks,” Gelbord said.