|Organization:||Division of Banks|
|Referenced Sources:||Financial Services-Information Sharing and Analysis Center|
To the Chief Executive Officer of the Financial Institution Addressed:
The Division of Banks, as part of its ongoing commitment to promoting cyber security in the financial services industry, encourages all Massachusetts state-chartered depository institutions to become members of the Financial Services-Information Sharing and Analysis Center (FS-ISAC) and to be aware of and subscribe to reliable and recognized resources that can help quickly identify cyber risks as they emerge. The FS-ISAC is a member-owned, nonprofit and private financial sector initiative. Its primary function is to share timely, relevant, and actionable physical and cyber security threat and incident information to enhance the ability of the financial services sector to prepare for, respond to, and mitigate the risk associated with these threats. Both the U.S. Department of Treasury and the U.S. Department of Homeland Security rely on the FS-ISAC to disseminate critical information to the financial services sector in times of crisis. Membership in this type of organization is an important component of a comprehensive cyber security program, with membership viewed as a best practice.
Typically, the time associated with chasing down any specific threat indicator is substantial. FS-ISAC membership has multiple benefits. Members receive timely notification and authoritative information specifically designed to help protect critical systems and assets from physical and cyber security threats. In addition, the FS-ISAC provides an anonymous information-sharing capability across the entire financial services industry that enables institutions to exchange information regarding physical and cyber security threats, as well as vulnerabilities, incidents, and potential protective measures and practices. This automated solution increases the speed, scale, and accuracy of information sharing and speeds time to resolution. This solution removes a large burden of work for financial organizations of all sizes, including those that rely on third parties for monitoring and incident response.
While the FS-ISAC is a non-profit run by its members, membership does require an annual fee which can range from $250 to $49,950 depending upon the size and complexity of the institution participating and the level of service selected. Institutions with less than $1 billion in assets can get a basic membership for $250/year. The Division does not recommend one level of membership over another. Each institution should determine the appropriate level of membership tailored to its risk profile. Additional information about the benefits of FS-ISAC membership can be found at www.fsisac.com.
Government and government-sponsored resources that financial institutions should also consider include the following organizations:
- United States Computer Emergency Readiness Team (US-CERT)
  - The Department of Homeland Security's US-CERT facilitates the coordination of cyber information sharing and provides cyber vulnerability and threat information through its national Cyber Awareness System. Financial institutions may learn more about US-CERT and subscribe to receive security alerts, tips and other updates through its website.
- U.S. Secret Service Electronic Crimes Task Force (ECTF)
  - The Electronic Crimes Task Force teams local, state and federal law enforcement personnel with prosecutors, private industry, and academia to maximize what each has to offer in an effort to combat cyber criminal activity. Visit their website for more information on the Electronic Crimes Task Forces.
- FBI InfraGard
  - InfraGard is an information sharing forum between the FBI and the private sector. InfraGard operates more than 60 chapters that conduct local meetings pertinent to their area. Obtain information about InfraGard online.
Financial institutions also are reminded that they may obtain information specific to products or applications they use at the applicable vendor websites. Additionally, financial institutions that utilize third-party service providers should check with their provider about the existence of user groups that also could be valuable sources of information.
David J. Cotney
Commissioner of Banks