New FS-ISAC Program Boosts Supply Chain Security Dialogue
Founding Member Akamai Technologies to Lead Evolution, Development
The Financial Services Information Sharing and Analysis Center, known as FS-ISAC, launched a new platform Wednesday called the Critical Providers Program, which will give members and service providers a means to strengthen communications related to far-reaching threats to supply chain security in the financial sector. Akamai Technologies, the content delivery network service provider and longtime partner vendor for FS-ISAC, is spearheading the program as the founding member.
Teresa Walsh, global head of intelligence at FS-ISAC, tells ISMG that the new program was developed in response to the growing concerns and "unprecedented" rise in cyber incidents on the supply chain involving third-party vendors, business partners or suppliers - particularly in the financial sector. FS-ISAC invited select providers to participate and offered them the ability to communicate with financial firms about sensitive information concerning threats, including but not limited to broad security updates, technology outages, cyber incidents and software flaws.
As a benefit of membership, all members will have access to the pilot through FS-ISAC's chat platform, Connect, which can be accessed through a mobile app.
"As financial services adopt new technologies to evolve the way they operate and serve customers, critical providers have become both an important ally to the industry and a target for cybercriminals," Walsh said in a statement. "The Program will ensure our members efficiently receive accurate and timely security information from their critical providers. In the event of a large-scale incident, this will empower our members to act and/or remediate expeditiously, while arming them with the pertinent information to brief key stakeholders."
FS-ISAC, which has its headquarters in the U.S., as well as offices in Singapore and the U.K., and was initially formed in 1998, includes members from more than 70 countries representing credit unions, exchanges, fintechs and more. According to FS-ISAC's website, its members manage assets totaling more than $35 trillion.
FS-ISAC developed the Critical Providers Program in partnership with Akamai based on its mission statement to reduce cyber risk and to provide the platform for providers to build "a strong strategic and tactical working relationship at the sector level," according to FS-ISAC's Walsh.
"Last year, for the first time, FS-ISAC’s regional Threat Intelligence Committees (Americas, EMEA, APAC) raised Cyber Threat Levels an unprecedented three times in one year due to supply chain incidents with potential impact on the financial sector," says Walsh, adding that several of the incidents were "major third-party cyber incidents" and that the association does not see these trends subsiding as businesses continue to digitalize.
Akamai, which provides services to FS-ISAC and has a long-standing relationship with the association, felt like a natural fit, according to the spokesperson.
"During system or industrywide incidents, Akamai can draw on the unique vantage point of its globally distributed edge platform and react and connect immediately with the financial sector to provide information that helps firms quickly distill what they should focus on first," says Walsh. "On an ongoing basis, Akamai can share actionable and relevant information to improve the financial services industry’s protection and preparedness."
The program also can open up a two-way dialogue between providers and finance-centered firms about evolving attack vectors and techniques. Further, Walsh says she hopes the open communication will provide a means to collaborate on methods to mitigate current and future risks.
Bridging Vendor and Security Communications
Critical providers can make use of a dedicated channel on the Connect chat platform, offering CISOs, executives and other network defenders a way to communicate about issues related to a variety of security-related topics, from software changes that could affect members to cyberattacks with a large scope.
"Providers will also provide briefings tailored specifically for member financial institutions, collaborate with FS-ISAC’s Global Intelligence Office to research systemic threats and potentially join relevant FS-ISAC work groups," Walsh says.
Though the program can benefit an organization of any size, FS-ISAC says it can provide critical information to organizations with "less mature markets" and "fewer security capabilities."
Critical providers will not have access to the channels on other providers' network, and the association strictly prohibits commercial conversations. Before allowing the providers access, Walsh says FS-ISAC will vet and validate them for approval.
"[Critical Providers] do not have access to the broader array of intelligence alerts, research and briefings that are part of the member offerings for financial firms," she says.
Phil Reitinger, president and CEO of the Global Cyber Alliance, says he believes this new program will fill an important need and is "enabling important vendors and service providers to the financial sector to work with customers at scale" in terms of addressing an incident or vulnerability. The program, he says, will supplement existing channels of communications.
Supply Chain Risks
The program's launch comes just over a year after one of the most crippling supply chain attacks, SolarWinds, and at a time when cybercriminals and nation-state actors are actively seeking to disrupt supply chains (see: Lazarus Adds Supply Chain Attack to List of Capabilities).
The U.S. government is also currently working toward passing legislation targeting the software supply chain and telecom security, known as the Department of Homeland Security Software Supply Chain Risk Management Act of 2021.
"The internet and the seamless connection in the physical world it enables have created interdependency like we have never seen before," says Reitinger, a former board member of the New York Governor's Cyber Security Advisory Board, on responding to supply chain risks. "Action should be taken at all levels, from the largest suppliers to the smaller ones."
In addition, he urges CEOs of financial organizations, especially smaller or startup firms, to implement "basic cyber hygiene" and search out assistance with threat prevention toolkits.
Equifax CISO Jamil Farshchi, who has led security teams at large organizations such as Home Depot during high-profile cyberattacks, joined ISMG for a conversation about supply chain security last year shortly after the SolarWinds attack. Visibility between firms and suppliers needs to be a priority, he says, as well as focusing on how organizations can make changes on an internal level (see: Equifax CISO Jamil Farshchi on SolarWinds Supply Chains).