The Government Accountability Office (GAO) is recommending that the Treasury Department take steps – in coordination with the Department of Homeland Security and others – to better track and prioritize cyber risk mitigation efforts across the financial services sector.
It also urged the agency to update its plans for measuring the sector’s progress with new metrics, along with information about how the sector’s risk mitigation efforts will meet goals and requirements, including those set forth in the National Cyber Strategy Implementation Plan.
In a new report, GAO said that Treasury “generally agreed” with the watchdog agency’s recommendations.
Treasury, GAO said, is the Federal government’s designated lead agency for the financial sector, and as part of that role plays a key part in many efforts to improve the sector’s cybersecurity and resiliency.
“However, Treasury does not track efforts or prioritize them according to goals established by the sector for enhancing cybersecurity and resiliency,” GAO said. It also said Treasury has not yet fully implemented previous GAO recommendations to establish metrics related to the value and results of the sector’s mitigation efforts.
“Further, the 2016 sector-specific plan, which is intended to direct sector activities, does not identify ways to measure sector progress and is out of date,” GAO said. “Among other things, the sector-specific plan lacks information on sector-related requirements” specified in the 2019 National Cyber Strategy Implementation Plan, it said.
“Unless more widespread and detailed tracking and prioritization of efforts occurs according to the goals laid out in the sector-specific plan, the sector could be insufficiently prepared to deal with cyber-related risks, such as those caused by increased access to data by third parties,” GAO warned.