As critical service providers increasingly host, connect, and protect a substantial percentage of financial institutions’ infrastructure, FS-ISAC created a new program to ensure its member firms and their critical providers have a strategic and tactical working relationship at the sector level.
This program will enable critical providers to reach thousands of financial firms easily and efficiently to communicate critical and sensitive information related to their security environments.
Additionally, in the event of a large-scale cyber threat or incident, this relationship will expedite and simplify communications to the sector as well as provide key data back to the providers.
The Program creates an official conduit for sensitive, timely, and industry-specific security information. It enables critical providers to use FS-ISAC channels to communicate during large-scale security upgrades, technical outages, cyber-based vulnerabilities, software and hardware misconfigurations, and/or changes that could impact multiple FS-ISAC members. All financial institutions, regardless of their size, maturity, and location, receive the best and most current security information. It also helps critical providers understand the security needs of the global financial sector in real time.
2021 saw an unprecedented number of supply chain cyber threats and incidents with potential to impact the financial sector. We do not anticipate this subsiding, as firms continue to digitize their business models to better serve customers and optimize operations.
As FS-ISAC’s mission is to reduce cyber risk in the global financial system, FS-ISAC created the Program to ensure its member firms worldwide and their critical providers have a strong strategic and tactical working relationship at the sector level.
Critical Providers are defined as non-financial organizations providing network infrastructure and services that, if impacted by an incident, would interrupt a significant amount of core financial services across the sector, in turn impacting the public’s ability to manage financial transactions.
For the pilot program in 2022, FS-ISAC has invited a select number of critical providers based on the scale of their criticality to the sector.
Akamai is the first critical provider to join the program. We are in discussions with other key service providers and will announce them as they are confirmed.
Akamai will help drive the evolution of the program based on its experience to maximize its effectiveness so that we can expand to other critical providers.
The invitation to join this pilot program is strictly based on the criticality – scope and scale – of services provided to the financial sector, irrespective of specific incidents.
Critical providers will have a dedicated channel on FS-ISAC’s chat platform Connect which will enable the providers’ security points of contact and regional senior technical experts or executives to communicate with members during:
This will enable providers to coordinate with the whole sector at once during large-scale cyber incidents. Providers will also provide briefings tailored specifically for member financial institutions, collaborate with FS-ISAC’s Global Intelligence Office to research systemic threats, and potentially join relevant FS-ISAC work groups.
The program will primarily utilize FS-ISAC’s member chat platform, Connect. All Tier 1-8 members will have access to the Critical Provider team. Within the team, each Critical Provider will have a dedicated channel for them to communicate with member financial firms. Critical Providers will not have access to each other’s channels. There is also a read-only Town Square channel for FS-ISAC staff to communicate to all Tier 1-8 members and providers regarding the program. Any commercial conversations are strictly forbidden.
Only security-related information can be discussed on Critical Provider channels. Commercial conversations of any kind are strictly prohibited. The points of contact from Critical Providers will be security executives, who will be validated by FS-ISAC staff.
Relevant FS-ISAC staff members will have full access to all channel discussions.
All Tier 1-8 members have access to the channel(s) in the Critical Provider team in Connect.
Members can leave channels that are not applicable to them or mute channels to reduce notifications. Please note, members who leave channels in the Critical Provider team cannot be re-added. The team will be a default for all Connect users as a benefit of their membership.
Critical providers have access to dedicated channels to communicate with members around relevant security issues. They do not have access to the broader array of intelligence alerts, research, and briefings that are part of the member offerings for financial firms. Critical providers may collaborate with the Global Intelligence Office on industry-level trend research and may be invited to join select work groups where relevant.
After running the pilot with select providers, FS-ISAC will look to expand the program and invite a larger pool of critical providers in 2023.
Yes, the Connect channel is live as of Wednesday 19, January.
Given the large role each invited critical provider plays in financial services infrastructure, every critical service provider member helps the sector further secure supply chain security and reduce third-party cyber risk.
For questions on how the program works, email email@example.com.
For questions on access to the Critical Providers team in Connect, email firstname.lastname@example.org.
*Please note that all tier 1-8 members in Connect were automatically added to the Critical Provider team and can leave the team on their own at any time. But, members who leave channels in the Critical Provider team cannot be re-added.