Where the Competition Stops: How Banks Work Together to Stop Cyber Attacks

The financial industry is not for the faint of heart. Financial institutions engage in intense competition for investors, depositors and borrowers, intent on winning new business while keeping their clients from fleeing to rival institutions. But there's at least one area where the industry puts competition aside in favor of collaboration: cyber-security.

Financial institutions have been working together to fight physical and cyber threats, to their businesses through the Financial Services Information Sharing and Analysis Center, or FS-ISAC, since 1999. Large financial institutions founded the center in response to a 1998 executive order by President Bill Clinton mandating that public and private sectors share information to safeguard critical U.S. infrastructure.

The FS-ISAC aims to do that for the financial industry by maintaining a "trusted community" through which member firms share information about threats and potential security vulnerabilities, said John Carlson, the center's chief of staff. The organization today has some 7,000 members, including large and small banks, credit unions, and even more than 30 non-U.S. based financial institutions.

Members report an average of 400 threats and vulnerabilities each day, Carlson said. While some may be weather-related — such as an impending storm that may knock out a server center — or simply discoveries of potential software vulnerabilities, other threats come from hackers committed to wreaking havoc and stealing personal information and funds, or hackers simply looking to build their credential among other hackers by cracking a harder target. The center acts quickly to alert the membership to such threats.

Of course, it’s hard to entirely put competitive impulses aside, so FS-ISAC has certain protocols in place to ensure its member feel confident that submitting information to the center won’t lead to the disclosure of confidential information. Members reporting a cyber attack can choose to submit the information anonymously, and even if they choose to identify themselves, member firms can specify how much information fellow members are allowed to make public.

Such restrictions, Carlson said, helps create "a safe zone" for firms concerned about appearing vulnerable.

"A firm could say, we have been targeted by a distributed denial of service attack, the impact has been x, y and z. We want you to be aware that we've been a target, but we don't want other people to reference the name of our company," he said. "Firms don't necessarily want to be identified as being a victim of a crime."

FS-ISAC also encourages communication between its members by grouping them into more than a dozen smaller communities. Those communities include groups based on geographic region and business type, including a group just for securities exchanges, and another for insurance companies. Members communicate with one another through listservs as well as committee meetings.

In one instance of notable collaboration, between the fall of 2012 and spring of 2013, a series of coordinated distributed denial of service attacks prompted firms to begin sharing information as often as every hour.

"The efforts really helped firms that had yet to be targeted so they could be better prepared to respond," Carlson said. "It was a good example of how practitioners can come together and distribute tremendous amounts of information in rapid fashion."

Financial institutions often employ cybersecurity professionals to help safeguard their networks from cyber attacks. FS-ISAC supplements their efforts by providing information from industry experts on addressing specific threats. The center also organizes and participates in simulations of cyber attacks, including simulations organized in partnership with the U.S. Treasury, to test how the sector responds to such threats in real-time.

The exercises allow participants to think through their plans should they find themselves "in the hot seat" during a cyber attack, Carlson said. "In many cases," he said, "that serves as a pretty significant motivator for people to get into place the things they'll need to be prepared, regardless of what side they're on."