US Treasury failing to track cyber-defense efforts or set financial-sector priorities, GAO says

21 Sep 2020 4:54 pm by Neil Roland


The US Treasury Department, which is responsible for coordinating cyber defenses in the financial sector, is failing to track efforts among banks, mutual funds and insurers — leaving the sector potentially exposed to increasing threats, a congressional watchdog said.

The department under Secretary Steven Mnuchin also hasn’t set priorities for the $108 trillion financial industry’s cyber-defense efforts, nor has it developed ways to measure the sector’s progress in meeting established goals, the Government Accountability Office report said.

Unless Treasury “undertakes more widespread and detailed tracking and prioritization of efforts, based on explicit metrics that measure progress against the sector’s goals and requirements, the sector will remain unable to determine whether its efforts are effective at reducing cyber risk,” said the report, released yesterday.

“This, in turn, could leave the sector insufficiently prepared to deal with primary-sector risks, such as insider threats and unauthorized access to sector data by third parties,” it said.

The Trump administration also has failed to update a March 2016 Treasury plan that provides the strategic framework for the financial sector, the report said. This plan, created during the Obama administration under Treasury Secretary Jacob Lew, is now out of date, it said.

— Treasury’s responsibility —

Since 2013, Treasury has been responsible for coordinating cyber defenses among financial regulators such as the Federal Reserve and Securities and Exchange Commission, as well as industry.

Private-sector firms, as well as their regulators, have faced an increase in attacks from “well-organized attackers with significant resources,” the report said. These hacks could compromise firms’ and customers’ assets, as well as clients’ confidential information.

Among the targets of attacks in recent years have been Equifax, the SEC’s Electronic Data Gathering, Analysis and Retrieval (EDGAR) system, and JPMorgan Chase.

The Treasury Department responded to the report by saying it has only limited authority to require federal regulators or industry to provide data on their efforts, or information on how those attempts reduce risks.

“Treasury’s authorities are limited to requesting that regulators and firms share information voluntarily that would allow Treasury to track and monitor sector risk mitigation efforts,” the department’s Aug. 31 letter said. “Without data, Treasury is unable to devise metrics and measure progress toward such metrics.”
