Since the cybersecurity events of last year's holiday season, RILA has been in an all-out sprint working with other associations on multiple fronts to develop not only cybersecurity resources for retailers but also to strengthen the security of the payments system.
Since its unveiling in May, the Retail Cyber Intelligence Sharing Center (R-CISC) has been growing in terms of both the number of retailers and merchants participating in sharing threat intelligence and in the level of active sharing that has occurred. As participants have commented: "I value all the information that is being shared and the questions that fellow members are asking;" "the information is invaluable" and "great service being provided to protect all of us in the retail environment."
In addition to information on real-time indicators of compromise, bad email addresses, current criminal campaigns, etc., participants are receiving valuable information from the government sources, such as the FBI and Department of Homeland Services, as well as respected third-party sources.
Ahead of this holiday season, the R-CISC, in conjunction with the Financial Services Information Sharing and Analysis Center (FS-ISAC) and the U.S. Secret Service, issued the advisory, "Protecting Merchant Point of Sale Systems during the Holiday Season." Going into the holiday season retailers are very aware of the increased threats and have been working collaboratively in order to share leading practices in order to best protect their customers.
While the threat intelligence sharing continues to grow in both number of participants and submissions, the R-CISC is making tremendous strides on the operational front, and is now interviewing to hire an executive director to run the Center. This is just one more step to continuing the growth of the center and formalizing the staffing structure.
To better secure the payments ecosystem, RILA teamed up with the Financial Services Roundtable at the beginning of the year to establish the Merchant-Financial Service Partnership, which then grew to include eight financial and 11 merchant associations. The Partnership's goal was to work collaboratively across the payments systems to enhance security if order to product customers and their data from cyber criminals. More than 250 senior executives from both sides met nearly 50 times, heard from over 45 experts, participated in numerous outreach events, and sought consensus on critical policy issues. As it concludes this week, the Partnership has released eight next steps for ongoing collaboration by Partnership participants in key areas, including threat information sharing, cyber risk mitigation, advanced card present & card not present security technology and cybersecurity legislation. One of the major steps is a joint effort between the two industries to urge Congress to pass cyber threat information sharing legislation.
Today, the Partnership sent a letter to Congress outlining joint principles for legislation to enhance cybersecurity across both the merchant and financial industries. Both industries recognize better information sharing between and among industry and government is important in preventing cyber attacks. In the letter, the merchant and financial services communities expressed support for a set of principles for federal legislation that would increase the current level of voluntary cybersecurity information sharing, while recognizing key privacy concerns.
It's been a busy year in cybersecurity for the retail industry. Conversations at board and audit committee meetings have been prevalent as cybersecurity awareness has been raised to a business issue of the highest importance. Although the industry – along with many other industries and the government itself – will continue to be attacked, the work of the R-CISC and of relationships formed via the Partnership will provide another tool in retailer's arsenal against cyber attacks.