
6. Measure Progress

6.1 CI/KR Performance Measurement

The Treasury Department, in its role as the SSA, will work with the FBIIC and the FSSCC to collect the necessary information for the descriptive, process, and outcome metrics. Because of the great diversity within the financial services sector, the Treasury Department must rely on the expertise and knowledge of the financial regulatory agencies for information on the assets within their purview.

Banking and Finance Sector-Specific Plan

6.1.1 Developing Sector-Specific Metrics

As the SSA for the Banking and Finance Sector, the Treasury Department will work within the public-private partnership of the FBIIC and the FSSCC to create suitable sector metrics. Measurements of the resilience efforts in a large and diverse sector such as the Banking and Finance Sector are difficult to quantify using standard business measurements. Therefore, a one-size-fits-all approach would be inapplicable to all aspects of the sector and also would weaken creativity and vitality in the sector, which would harm the Nation’s overall economy.

As evidenced by previous sections of this document, the Treasury Department has already done significant work in developing and collecting descriptive and process metrics. The Treasury Department will continue to develop and collect meaningful outcome and baseline metrics and measurements that are relevant for the sub-sectors within the Banking and Finance Sector. The Treasury Department, working with the FBIIC and the FSSCC, has created the following process to develop metrics for the Banking and Finance Sector to address the security goals outlined in section 2.

Goal 1: To maintain its current strong position of resilience, risk management, and redundant systems in the face of a myriad of intentional, unintentional, manmade, and natural threats, the Treasury Department, as the SSA, will work with the appropriate members of the FBIIC and the FSSCC to determine:

• The appropriate number of joint meetings for the FBIIC and the FSSCC;

• The need and appropriate number of outreach meetings to financial services representatives across the country;

• The number of private sector firms that qualify under the National Security and Emergency Preparedness guidelines for GETS, WPS, and TSP;

• The level of support for regional financial partnerships;

• The level of support for RPC FIRST, the council of the regional partnerships;

• The percentage of assets that receive physical and cyber security alerts, either directly or indirectly through the FS-ISAC;

• The success of the testing schedule for the FS-ISAC’s CINS;

• The appropriate coordination of the HSIN into the information-sharing structure for the sector;

• The level of participation in national and regional exercises to test and enhance the resilience of the financial services sector and level of support or outreach for such exercises;

• The portions of the sector that conduct protective-response planning exercises for critical financial infrastructures;

• The success of tests conducted to strengthen the response protocols for the FBIIC and the FSSCC;

• The portion of financial services sector participants that develop and test business continuity plans;

• The appropriate review and update processes by the Treasury Department and the FBIIC agencies for asset data on the sector;

• The appropriate level of security clearances for members of the FSSCC to participate in briefings on threats to the sector; and

• The success of the annual industry-wide business continuity planning test conducted by FSSCC members SIFMA, the Futures Industry Association, and the Financial Information Forum. These annual tests are part of an ongoing industry initiative to test the ability of primary securities market participants to operate through a significant emergency. The test, which includes both buy-side and sell-side participation, demonstrates and verifies the capacity of firms, markets, and utilities to continue functioning and communicating during an emergency by using backup sites, recovery facilities, and backup communications across the industry.

Goal 2: To address and manage the risks posed by the dependence of the sector on the Communications, Information Technology, Energy, and Transportation sectors, the Treasury Department, as the SSA, will work with the appropriate members of the FBIIC and the FSSCC to determine:

• The level of collaboration with GCCs and Sector Coordinating Councils (SCC) of the Communications, Information Technology, Energy, and Transportation sectors as well as specific industry participants to identify concerns and foster information sharing regarding cross-sector vulnerabilities and protective measures;

• The level of collaboration with the NCS and other telecommunications partners to identify gaps;

• The necessary level of redundancy and assurance from the Communications, Information Technology, Energy, and Transportation sectors to meet the vision statement of the Banking and Finance Sector;

• The level of participation in and support for pandemic exercises to pinpoint areas of concern where the financial services sector depends upon the infrastructure of other sectors; and

• The level of coordination between regional coalitions and State and local emergency managers and other sector partners.

Goal 3: To advance the work of the law enforcement community, the private sector, and our international counterparts to increase the amount of available resources dedicated to tracking and catching criminals responsible for cyber attacks and other electronic crimes, the Treasury Department, as the SSA, will work with the appropriate members of the FBIIC and the FSSCC to determine:

• The level of participation and frequency of briefings between law enforcement and the financial services regulators and the private sector when specified instances of cyber and other electronic crimes arise; and

• Ways to identify and increase awareness of emerging technologies that may assist with combating cyber and electronic crime or that may be used by criminal elements to conduct cyber and electronic crime.

6.1.2 Information Collection and Verification

As previously stated, the Federal and State financial regulators gather a wide range of information on their regulated institutions for a variety of purposes; therefore, the Treasury Department will coordinate with the members of the FBIIC to gather appropriate core metrics information on the Banking and Finance Sector. For example, the Treasury Department will confer with the OCC for appropriate information on national banks; the NCUA for appropriate information on Federally insured credit unions; the SEC for appropriate information on investment advisors, broker/dealers, and securities markets; and the CFTC for appropriate information on futures commission merchants, commodity pool operators, and futures markets. The financial regulators regularly obtain data from their regulated entities and have appropriate protection measures in place to safeguard such information. The Treasury Department also will validate the information with the appropriate private sector participants.

Once these core metrics are identified, the Treasury Department and the FBIIC will work to create a system that can be used to assess how these metrics will be measured for the sector. This assessment will be based on regulators’ extensive knowledge of the organizations within the sector, the technology employed by the sector, and the laws and regulations that apply to the sector. Furthermore, the Treasury Department and the FBIIC agencies will work directly with each entity involved with each specific metric to validate, assess, and update the metric as necessary. On an annual basis, the Treasury and the FBIIC agencies will review the assessment methodology and each metric outcome to determine whether the metric is the appropriate metric for the future.

6.1.3 Reporting

As the SSA for the Banking and Finance Sector, the Treasury Department will continue to work within the reporting structure identified by HSPD-7 to provide an annual sector report to DHS. The Treasury also will coordinate with DHS to provide narrative updates on the sector metrics in support of DHS status reports. The Treasury Department also will use the established public-private partnership to share the sector metrics directly with the members of the FBIIC and the FSSCC.