2025 Public Sector Perspectives
Official cyber capacity and protocols for public-private collaboration, including central banks, are essential. The U.S. financial services industry accomplishes this through the Financial Services Information Sharing and Analysis Center (FS-ISAC), a highly relevant non-profit organization for many of you. This collaborative is an impartial resource for sharing cyber and physical threat intelligence between the public and private sectors and amongst private-sector firms. FS-ISAC, launched in 1999, is a member-owned-and-operated non-profit entity with the mandate to protect the critical infrastructure of the international financial services sector. Cooperatives like FS-ISAC are essential for information sharing. For example, FS-ISAC hosts an information sharing portal where indicators of compromise (IOCs) and other threat data are shared multiple times daily. It is a strength-in-numbers force multiplier for the combined security of the entire financial services industry. Similar coordination models among central banks and their ecosystem are critical. FS-ISAC holds a series of tabletop exercises in partnership with the U.S. Treasury’s Office of Cybersecurity and Critical Infrastructure Protection to help organizations learn to prevent and respond to data exfiltration by a malicious insider and coordinate with public and private sector partners to address it.⁴

Another example of industry cooperation is the Analysis and Resilience Center (ARC), a U.S. organization, originally formed out of the FS-ISAC members, that consists of the most sophisticated cybersecurity-capable firms. For its members, the ARC promotes the dissemination of the latest intelligence information via calls and email. Members are invited to report notable observations from their cybersecurity operations centers, but all information is anonymized to prevent reputational damage.
In the context of the FS-ISAC and ARC, financial institutions and governments are partners, and the relationship promotes collaboration and creates a robust channel to exchange communication. As simple as these engagement models seem, the readiness to share information, establishing an appropriate channel to do so, and the broader forum in which to speak openly are each a mindset, habit, and institution that enhance cybersecurity. FS-ISAC is also a tested, resilient platform to coordinate responses to a cyber emergency.

Citi is a founding member of the FS-ISAC/ARC and has been at the forefront of developing robust cyber defenses. Because Citi has a physical presence in nearly 100 countries, supports businesses in 160 countries, and serves millions of customers worldwide, our cyber defense, resilience, and response capabilities are vital to our reputation as an industry leader in this space. Furthermore, as a founding member of the Cyber Risk Institute (CRI) and the employer of the current Board chair, Citi understands the importance of resilience and highlights this across our programs. We use the CRI profile, designed by financial institutions, which is the National Institute of Standards and Technology (NIST) Cybersecurity Framework plus third-party and governance guidance.

As a cornerstone of the global payments system, we move roughly $4 trillion of funds daily, and on any given day that number can double in a market surge. Not surprisingly, this makes Citi an attractive target of cybercrime. Our firm is subject to an attempted cyberattack every 2 seconds, every hour of the day, every day of the year. We are in constant dialogue with governments and central banks about platforms like the FS-ISAC or ARC for regional financial services firms, as well as about mechanisms which can improve that dialogue with and within circle-of-trust central banks, to establish consistent cybersecurity regulation across select countries.

5. Plan for continuity of business

If your central bank has a continuity of business (COB) plan designed for a disaster of some kind, natural or otherwise, that is great. However, let me be clear, this is not equivalent to a cyber-COB plan. Cyberattacks are different from traditional disasters. The Cyber COB should reflect the specific challenges that cyberattacks pose to your bank operations and to the financial system. It is a necessity to build cyber resiliency planning into your overall strategic plans.

⁴ FS-ISAC, Hamilton Series Insider Threat Tabletop Exercise, January 2023

Cyber Winter: Are Central Bankers Ready?