Two recent items published in the Federal Register suggest the Treasury Department is taking a more active role protecting critical infrastructure in the financial sector from cyberattacks. Treasury’s Office of Cybersecurity and Critical Infrastructure Protection proposed collecting information on identifying cyber and operational risks to the critical infrastructure of U.S. financial institutions and encouraging collaboration between industry and government.
Treasury official Elizabeth Irwin says financial entities have self-reported compliance with NIST standards, but Treasury would like more details, such as which parts of NIST guidance have been implemented and which have been most useful. Eventual responses will be used to support Treasury’s communications with NIST and allow the department to advocate for industry.
Treasury also has finalized its rule for implementing the Foreign Investment Risk Review Modernization Act of 2018, which expanded CFIUS’ remit to include “non-controlling” investments. Effective February 13, the rule requires covered entities to submit a cybersecurity plan to CFIUS, which will assess whether the plan is adequate.