New FS-ISAC Program Strengthens Supply Chain Security Dialogue

Akamai Technologies, a founding member, will lead the evolution and development

Devon Warren-Kachelein (devawarren)
January 21, 2022

The Financial Services Information Sharing and Analysis Center, known as FS-ISAC, on Wednesday launched a new platform called the Critical Supplier Program, which will give members and service providers a way to strengthen communications related to high-profile supply chain security threats in the financial sector. Akamai Technologies, a content delivery network service provider and long-time FS-ISAC vendor partner, leads the program as a founding member.

Teresa Walsh, global head of intelligence at FS-ISAC, told ISMG that the new program was developed in response to growing concerns and an “unprecedented” increase in supply chain cyber incidents involving third parties, business partners or suppliers, in particular in the financial sector. FS-ISAC invited select vendors to participate and offered them the opportunity to share sensitive threat information with financial companies, including but not limited to general security updates, technology outages, cyber incidents and software vulnerabilities.

As a benefit of membership, all members will have access to the pilot through FS-ISAC’s chat platform, Connect, accessible via a mobile app.

“As financial services embrace new technologies to evolve the way they operate and serve customers, critical vendors have become both an important industry ally and a target for cybercriminals,” Walsh said in a statement. “The program will ensure that our members effectively receive accurate and timely security information from their critical suppliers. In the event of a large-scale incident, this will enable our members to act and/or remediate quickly, while arming them with relevant information to inform key stakeholders.”

FS-ISAC, which is headquartered in the United States and was originally formed in 1998, includes members from over 70 countries representing credit unions, exchanges, fintechs and more. According to the FS-ISAC website, its members manage assets totaling over $35 trillion, and the organization also has offices in Singapore and the UK.

Origins of the program

FS-ISAC developed the Critical Supplier Program in partnership with Akamai based on its mission statement to reduce cyber risk and provide the platform for suppliers to establish “a strategic and tactical working relationship industry-wise,” according to FS-ISAC’s Walsh.

“Last year, for the first time, FS-ISAC Regional Threat Intelligence Committees (Americas, EMEA, APAC) increased cyber threat levels an unprecedented three times in one year due to incidents from the supply chain with potential impact on the financial sector,” says Walsh, adding that several of the incidents were “major third-party cyber incidents” and that the association does not see these trends abating as businesses continue to digitize.

Akamai, which provides services to FS-ISAC and has a long-standing relationship with the association, felt like a natural choice, according to the spokesperson.

“During system-wide or industry-wide incidents, Akamai can leverage the unique perspective of its globally distributed edge platform and immediately respond and connect with the financial industry to provide insights that help businesses quickly determine what to focus on first,” says Walsh. “On an ongoing basis, Akamai can share actionable and relevant information to improve the protection and preparedness of the financial services industry.”

The program can also open a two-way dialogue between vendors and finance-focused companies on evolving attack vectors and techniques. Additionally, Walsh says she hopes open communication will provide a way to collaborate on methods to mitigate current and future risks.

Bridging the gap between vendors and security communications

Critical vendors can use a dedicated channel on the Connect chat platform, giving CISOs, executives, and other network advocates a way to communicate about a variety of security-related topics, from software changes that could affect members to cyberattacks with a large scope.

“Vendors will also provide information specifically tailored to member financial institutions, work with FS-ISAC’s Global Intelligence Office to research systemic threats, and potentially join relevant FS-ISAC working groups,” Walsh said.

While the program can benefit an organization of any size, FS-ISAC says it can provide critical information to organizations with “less mature markets” and “less security capabilities.”

Critical vendors will not have access to other vendors’ network channels, and the association strictly prohibits commercial conversations. Before granting vendor access, Walsh says FS-ISAC will review and validate them for approval.

“[Critical Providers] do not have access to the broader range of intelligence, research and briefing alerts that are part of the members’ offerings for financial firms,” she says.

Phil Reitinger, President and CEO of the Global Cyber Alliance, said he believes this new program will fill an important need and “enable major suppliers and service providers in the financial industry to work with customers at scale” to resolve an incident or vulnerability. The program, he says, will complement existing communication channels.

Supply chain risks

The launch of the program comes just over a year after one of the most crippling supply chain attacks, SolarWinds, and at a time when cybercriminals and state actors are actively seeking to disrupt supply chains (see: Lazarus Adds Supply Chain Attack To Abilities List).

The US government is also currently working to pass legislation targeting software supply chain and telecommunications security, known as the Department of Homeland Security Software Supply Chain Risk Management Act of 2021.

“The internet and the seamless connection in the physical world it enables has created interdependence like we’ve never seen before,” says Reitinger, a former member of the New York Governor’s Cybersecurity Advisory Council, on supply chain risk response. “We must act at all levels, from the largest suppliers to the smallest.”

Additionally, he urges CEOs of financial organizations, especially small businesses or startups, to implement “basic cyber hygiene” and seek help with threat prevention toolkits.

Equifax CISO Jamil Farshchi, who has led security teams at large organizations such as Home Depot during high-profile cyberattacks, joined ISMG for a conversation about supply chain security just last year after the SolarWinds attack. Visibility between businesses and suppliers should be a priority, he says, while focusing on how organizations can make changes internally (see: Equifax CISO Jamil Farshchi on SolarWinds Supply Chains).

Ryan H. Bowman