Sample Finance Paper


Blocks through the semester that the teacher needs us to apply to the paper to the signed sector which is Banking and finance.

Block 1 -Introduction-The Origins of Homeland Security: A review of the 9/11 Report. What Happened and Why.

Block 2 – Fundamentals of Terrorism and the Threat.

Block 3 – Homeland Security Strategies and Policies

Block 4 – Homeland Defense and Security Players and Organizations

Block 5 – Legal and Jurisdictional Issues – The Law Enforcement Community, Posse Comitatus, and Domestic Operations

You are to apply the lessons you learned from each of the blocks to some event, topic or issue associated with the Infrastructure sector you have been assigned which is “Banking and Finance”. You will have some flexibility with building your paper but should include:
A description of your sector and discuss the terrorist threat posed.
The homeland defense and security issues that are most significant or pressing to that sector.
Review the options available to deal with the issue.
Identify the organizations or agencies responsible for protecting the sector and what types of management issues are confronted?
What are the major legal or jurisdictional issues that are associated with the topic you chose?
Finally, I want you to identify what you consider to be the best resources on the topic.
The writing and organization of your paper will be greatly facilitated if you use headings and subheadings. The papers will be evaluated in terms of how well you addressed the assignment. Did you do a good job in finding and synthesizing the available materials, quality of writing (if you simply cut and paste, expect to get a low grade), and relative effort? A minimum of 11 scholarly or official sources should be included. Appropriate sources include books, peer-reviewed journal articles, statutes or congressional testimony, executive orders or directives, and official Web sites, reports, plans, white papers, policies, standards, strategies or guidelines by government agencies, think-tanks, associations, etc. Articles in trade journals, newsletters or popular media (e.g., magazines, newspapers, etc.) may also be used on a limited basis to supplement or reinforce scholarly sources. Wikipedia and blogs are not acceptable sources.
A cautionary note: DO NOT CUT AND PASTE….Use your own words and cite your sources.


Title: Banking and Finance

Student’s Name:

Name of Course:

Institutional Affiliation:

Date Submitted:


Introduction. 2

Description of the sector. 2

Significant homeland defense and security issues in the sector. 4

The options available to deal with terrorist threats and vulnerabilities. 8

Physical protection measures. 9

Information systems and network protection. 9

Business Continuity Planning. 11

Organizations/agencies responsible for protecting the sector and the management issues confronted   12

National Strategy for Critical Infrastructure Assurance. 12

Financial Services Information Sharing and Analysis Center. 12

Financial and Banking Infrastructure Information Committee (FBIIC). 13

Jurisdictional issues in banking and finance. 14

Conclusion. 15

References. 16


Description of the sector

The banking and finance sector in the US remains a crucial element of national critical infrastructure. It underpins every economic transaction that takes place in the country. Out of all the existing national infrastructures, the banking and finance sector remains the most advanced with regard to the adoption of defensive measures. Sophisticated measures have been put in place by both individual companies and the federal government in order to provide protection to data and infrastructure.


As a whole, the sector has been working in collaboration with the federal government to create systemic security relating to key systems and assets, including payment, settlement, and clearing systems, which are the backbone of the industry.  The work that has been going on includes building redundant systems, identification of crucial assets, disaster recovery plans, devising business continuity, investing in new technologies, and establishing alternative forms of connectivity.

However, despite efforts to improve security in the US banking and finance sector, vulnerability to terrorist threats still exists (Parfomak, 2005). The sector remains vulnerable to large-scale attacks, such as the ones that were experienced on September 11, 2001. It is extremely difficult to defend the sector against environmental or large-scale attacks. The initiative requires industry-wide planning and coordination on an extensive array of issues. There is also a need for security measures to be put in place in order to mitigate the reliance on other infrastructures such as power, transportation, and telecommunications by the sector.

The banking and finance sector is also faced by vulnerabilities relating to physical or cyber-attacks targeting non-redundant assets and choke points in the sector. The main potential targets include major exchanges, large broker-dealers, clearing firms, and crucial transaction systems.

It is a well-known fact that financial services are heavily reliant on public trust (Verton, 1999). This puts the country under an additional risk of malware, hacking, and cybercrimes of different varieties, including extortion, fraud, and identity theft. In other words, any activity that undermines the integrity, confidentiality, and availability of financial transactions and data has a negative effect on the industry. This risk tends to be accentuated by the increase in the extent to which networked technologies, electronic transactions, and remote access of key functions are adopted by many banking and finance companies.

The main potential sources of threats of terrorist attacks to the banking and finance sector range from hostile nation-states to criminals, of whom, the latter strike quite frequently. Other terrorist-intruders may include hackers and malicious insiders. The consequences of such attacks can be insubstantial, considering that this sector is always in control of trillion f dollars, mainly in the form of assets, and it also symbolizes the extent of the prosperity of the American people.

The industry has been acting on many issues since the 9/11 attacks in order to improve the security of data and systems. Individual firms have made improvements to their cyber and physical security measures and carried out overhauls of disaster recovery and business continuity plans. As a whole, the sector has put in place a security strategy that brings on board governance and other private sector players, in efforts to coordinate security efforts and share data relating to terrorist threats.

Meanwhile, because of the continuous nature of the threats in the sector, there is need for many far-reaching decisions to be made in the months and years to come in order to ensure continuity in the high level of security of systems and facilities, while at the same time expanding the sector’s business continuity capabilities.

Significant homeland defense and security issues in the sector

The security concerns that are often raised in the US banking and finance sector touch on the role of homeland defense and security apparatus. This is because the sector is of great significance to the country’s economy, considering that it accounts for more than 8% of the country’s annual gross domestic product. The sector is also the backbone of the global economy.

As indicated by the US Department of Homeland Security (2007), this sector is highly dependent on a highly complex and profoundly expansive supply chain that exists both within and outside the US. This international nature and the highly extensive international linkages of the sector expose it to terrorism risk. This risk would end up bringing about catastrophic consequences in the market, given the high level of interdependence. This, therefore, brings to the fore the need for collective mechanisms not just within the US, but also in financial centers across the world. An attack in one major financial center can cripple exchange rates and bring to a halt all the ongoing investment activities.

The main issues that press on the role of the US Homeland Defense and security apparatus relate to large-scale events, fixed income markets, equity markets, payment systems, infrastructure dependencies, targeted attacks, and trust-based vulnerabilities. With regard to large-scale events, it is worthwhile mentioning that the 9/11 attacks led to a severe disruption of the US financial markets. The financial activity was highly concentrated around the World Trade Center’s towers, within the Manhattan area, and more than half of the attack’s victims were working in the banking and finance sector.


            The attacks affected the country’s trading in bonds, stocks, and several other financial products, to various degrees. It also affected the payment, settlement, as well as clearing systems for both retail and wholesale transactions. The majority of the disruptions were caused, not by the key service providers being destroyed, but by the lost connectivity and access to systems or facilities, or even as a result of damage to key market participants.

The equity markets also faced incapacitating physical damage after the 9/11, whereby major exchanges, such as NASDAQ and NYSE had to halt trading for a number of days. However, following the attacks, the NASDAQ and NYSE systems continued functioning because crucial assets were not tampered with by the terrorist attacks. However, trading in security exchanges had to be put on hold until September 17, 2001, since the communications links between various exchanges were damaged. Additionally, several critical market participants needed to be restored and tested. Moreover, physical access and transportation services to this financial district were in need of restoration (Pederson, 2006).

The massive power outages that rocked the Northeastern United States on the days that followed August 14,, 2003 underscored the high level of interdependence of the country’s critical national infrastructure. Although most communication services that the banking and finance industry relies on heavily survived this blackout and maintained functionality, the power outages caused some significant disruptions. Although there was no physical damage to communications equipment in the course of the blackout, the high volume of cell phone traffic resulted in back-up battery systems running out of power within six hours. This is an indication of the extent to which power systems constitute vulnerability in the banking and finance industry.

The homeland defense and security people in the US acknowledge that as demonstrated by the public statements and direct attacks by various terrorist organizations, the sector is a highly valued, symbolic target (Calomiris, 2009). Moreover, the recent natural disasters, large-scale power outages, and the possibility of pandemics, all constitute a demonstration of the wide range of potential threats that the sector faces. With this knowledge in mind, many significant homeland defense and security issues have been raised.

Congress has for a long time been concerned in the banking and finance sector as well as in several other critical infrastructure sectors. Although Congress is yet to mandate security, it has already looked into whether the entire system is under substantial risk. As part of the bill for the creation of the new Department of Homeland Security, Congress devised the disclosure exemption with regard to the Freedom of Information Act (FIOA) for purposes of voluntarily provided infrastructure data and vulnerability. The Department of Defense, on April 15, 2003, published proposed guidelines regarding how this information would be protected.

According to the Homeland Security Directive that president Bush signed on December 17, 2003, it is a requirement for the Department of the Treasury in its capacity as the Sector-Specific Agency representing the Banking and Finance Sector, to come up with a Sector-Specific Plan (SSP) aimed at critical infrastructure protection. It is also the work of this SSP to provide the Banking and Finance Sector with a strategy for collaborative working with both the public and private sectors in the identification, prioritization, and coordination of the protection of critical infrastructure.

The SSP also contains a summary of the extensive activities that this sector has already taken in reducing vulnerabilities and sharing information. The Banking and Finance SSP remains an integral part of the overall NIPP (National Infrastructure Protection Plan)

The Department of Homeland Security has been enhancing protection for all the country’s critical infrastructure and networks through the promotion of working relationship between the federal government and the private sector. The federal government has recently acknowledged that such relations are vital since most of the country’s critical infrastructure is privately owned. The department has been having a difficult time trying to maintain a working relationship that can facilitate the reinforcement of security in the banking and finance sector. The need for public-private partnerships has also been emphasized by the National Strategy to Secure Cyberspace, which perceives the value of securing all critical infrastructures and enhancing the functionality of the national cybersecurity.

The SSP initiative that the banking and finance have undertaken involved the collaborative efforts of the Banking Information Infrastructure Committee (FBIIC) as well as the Financial Services Sector Coordinating Council for Critical Infrastructure Protection and Homeland Security (FSSCC). The SSP plan, together with the SSPs from some other 16 critical infrastructures that were identified by the HSPD-7 (Homeland Security Presidential Directive 7), is an integral part of the overall National Infrastructure Protection Plan (NIPP).

Many Homeland defense and security issues, therefore, have been a driving force for engagements and partnerships between the federal government and the private sector in efforts to deal with vulnerabilities within the critical infrastructure (Kosmidou, 2009). Through such efforts, the work of coordinating the protection of critical infrastructure has been undertaken fairly smoothly, and extensive activities are being undertaken in the banking and finance sector in order to reduce terrorism vulnerabilities.

The options available to deal with terrorist threats and vulnerabilities

The banking and finance sector appears to have the most advanced defenses in all the sectors. These defenses have been necessitated by the response to past challenges, and the sheer necessity to maintain trustworthiness and reliability in a service that almost every American income earner uses nearly on a daily basis.

Security measures and business continuity plans have been developed widely as well as taken through testing. Some of the procedures that are currently in use have limited usage, and are suitable only for disruptions that threaten a single facility, for instance, fire in one building or a power outage. Such measures cannot be adopted in large-scale events.

In order to ensure that all systems are secure, there are many measures that still need to be taken, in order for risks to be reduced significantly. Whether the risks arise from cyber or physical threats, there are many options available for the Homeland Defense and security personnel to consider. Physical protection is necessary just as protection of network and information systems is critical.

Physical protection measures

There are many ways in which an organization can contribute in the enhancement of physical security as well as access control of facilities. Physical barriers can be used to reduce damage or to prevent any unauthorized access by vehicles to certain critical facilities, thereby reducing the chances of entry by vehicles that could be carrying bombs (Furnell, 1999).In order to maintain security, organizations in the sector can make all their buildings as unobtrusive as possible from the outside by doing away with indications or a sign of what is inside.

Other physical protection measures include use of surveillance cameras and security alarms to detect security breaches. With facilities, it would be necessary to make use of entrance and exit logs, guards, biometric devices, and swipe-card turnstiles in order to verify the authenticity and entitlement of individuals who enter the building. Additional security instruments include metal detection machines, and airport-style X-ray equipment for screening individuals, mail, and package deliveries (White, 1996).

Information systems and network protection

Owing to the dependency of the banking and finance sector on information systems and networks, it would be necessary for measures to be undertaken to decrease the level of vulnerability of these systems to external intrusions. To reduce the disruption risk by electronic attacks and intrusions, exchanges, payment systems processors, and clearing organizations can choose to use proprietary message networks and private networks while transmitting all their core market products.

            Private networks, which facilitate the transmission of information only through members’ systems, are much more secure compared to both the internet and public telephone networks. Proprietary message protocols and formats ensure resilience in various exchange and clearing organizations, such that computer viruses and malicious messages cannot be inserted.

Organizations can also make use of hardware and software control mechanisms that let only authorized users gain system access. They can also put in place monitoring systems for detecting attacks or intrusions, thereby enhancing the system’s resilience. Application access technology and firewalls, such as filtering devices and devices, are essential for ensuring that access is always restricted to only entitled parties and valid requests.

Data encryption is also an excellent measure that facilitates the transmission of data only to the entitled parties, preventing it from interference while it is stored or on transit. In this format, parties without permission to access it cannot decipher its meaning. Some of the technologies that can be helpful to banks in accomplishing these tasks include Secure Encryption Technology protocols, and Secure Socket Layer (SSL).

In order to control vulnerabilities, the staff members or service providers of an organization can undertake regular reviews of various security parameters setting on different devices, including firewalls, routers, and servers in order to ensure that the settings are still secure, especially after software patches and updates have been installed. Security patches can be exposed to testing within a representative environment and then installed in a timely fashion.

It would also be necessary for networks to be tested periodically and to be monitored regularly in order to maintain the security of the entire system. A layered approach to an organization’s security may include the use of access control and security technologies, running programs with the minimum required privileges, disabling unnecessary services, and linking permissions to numerous internal logical procedures.

Finally, banking and finance institutions can put control procedures in place in order to reduce the risks associated with human error, social engineering, or malicious insiders (Eldor, 2004). Duties may need to be segregated and background checks may need to be performed on all employees. The operating procedures also need to follow a standard format, thereby minimizing any possibility of accidental provision of critical information to unauthorized persons or being misused.

Business Continuity Planning

Business continuity planning is about measures that ensure that the financial system is operating smoothly. This option can be adopted by financial institutions either individually or collectively. Either way, the business continuity plans put in place would require regular testing, reviewing, and updating. They should also establish the procedures that would be followed in case there was a significant business interruption or an emergency.

Critical staff members would require to be made aware of the formal written response and recovery plan, whereby a specific course of action is stipulated in case there is a system failure. Ideally, the recovery plans ought to dwell on the promotion of diversity and redundancy of infrastructures in order to ensure that no point of the system can bring about failure in the entire system. Redundancy entails the establishment of extra capacity through ensuring that critical information services are available from many different sources. Diversity, on the other hand, entails the establishment of many communication routes and facilitating the possibility of using a variety of equipment along the routes in case one route is adversely affected by a terrorist attack.

In the case of NASDAQ and NYSE, for instance, operations are carried out through a variety of networks, including public, private, and semi-private telecommunications systems, all of which are geographically decentralized. The facilities at NYSE are also equipped with emergency power generators, on-site water, and an uninterruptible power source.

For all players in the sector, copies of valuable data, such as information regarding customers can be stored both at a secured remote location and on site to facilitate the reconstitution work in the event that the original copy is damaged. Critical market participants cannot afford to ignore these back-up measures as an integral element of their business continuity planning initiatives.

Organizations/agencies responsible for protecting the sector and the management issues confronted

National Strategy for Critical Infrastructure Assurance

The most decisive security initiative by the banking and finance sector for the protection of critical infrastructure was published in May 2002. The initiative contributed to the National Strategy for Critical Infrastructure Assurance, whereby key financial services organizations, institutions, and regulatory bodies made crucial submissions through the publication. In this publication, some of the cyber-terrorist threats that the industry faces were examined. The industry players also explained the planned and ongoing security measures.

Earlier on, the Presidential Decision Directive on critical infrastructure protection had been assigned the Treasury with the task of acting as the lead agency in working in collaboration with the banking and financial sector in order to develop the President’s Commission, which was overseeing the creation of a Critical Infrastructure Protection program. Since then, many other industry associations and government agencies have also started focusing on measures of creating and implementing key security measures. In this case, the main challenge has been the coordination of regulatory guidance with various private sector initiatives, most of which are self-governing (Goetz, 2003).

Financial Services Information Sharing and Analysis Center

The Financial Services Information Sharing and Analysis Center (FS/ISAC), which was formed in 1999, for instance, is purely a private sector initiative of the banking and finance sector. The agency was constituted by 60 members, who own 90% of all the assets that are found in this industry (Chen, 2004). The main aim of FS/ISAC is to ensure that all members have a comprehensive set of resources and capabilities for identifying early cyber vulnerabilities as well as access to expertise and all other relevant information through sharing and analysis of information.

The Business Continuity Planning Committee is another agency for safeguarding the security of the sector from terrorist attacks, which was established by the Securities Industry Association in 2001. This was one of the most significant efforts by the securities industry players to develop plans on the basis of industry-wide focus. The agency was aimed at acting as a link between the securities industry and various government regulators, legislators, service providers, and related industries, notably power utilities and telecommunications.

Financial and Banking Infrastructure Information Committee (FBIIC)

In 2007, the Department of Treasury, in coordination with the Financial and Banking Infrastructure Information Committee (FBIIC), together with the Financial Services Sector Coordinating Council for Critical Infrastructure Protection and Homeland Security (FSSCC) came up with a Sector-Specific Plan (SSP) to cater for critical infrastructure in the banking and finance sector. The SSP, together with all other SSPs from 16 other identified critical infrastructures were identified in the Homeland Security Presidential Directive 7. They are all an integral part of the National Infrastructure Protection plan.

This particular agency emphasizes the need for collaboration between the public and private players in identifying, prioritizing, and coordinating the protection of the country’s critical infrastructure. The agency also stipulates all the activities that are being undertaken in the sector in order to reduce terrorism vulnerabilities and to share information. The plan also describes the complex nature of this sector.

The main problem faced by this agency is the maintenance of a strong resilience plan, because of the fast-changing nature of today’s myriad of intentional, unintentional, natural, and man-made threats, the worst of which are acts of domestic and international terrorism. The other big challenge has been addressing and managing risks that are posed by overreliance on the sectors of information technology, communications, transportation, and energy. The law enforcement community also poses a major threat, whereby there has always been a need to increase the resources that are available for tracking down and apprehending criminals who invade the sector, particularly electronic and cyber attacks.

However, successful programs have already been pursued until completion, including coordination of regional resources for mitigating physical security threats, sector-specific facilities for crisis communication, and coordination between private and regulatory sector organizations that are involved in pandemic planning. The protective programs that are still in progress including the construction of formal networks for sharing information, subscriptions to alert and warning systems, conducting targeted outreach, law enforcement, conducting targeted outreach, and reaching out to all other councils that coordinate the sector.

Jurisdictional issues in banking and finance

            With the deregulation of the domestic financial markets in the US, coupled with technological progress and globalization, many jurisdictional issues in banking and finance continue to emerge (Zhu, K. (2004). These issues influence the way terrorist attack vulnerabilities within the sector are dealt with. The increased frequency of cross-border transactions creates interdependence among many global financial markets, such that when terrorists are carried out in one of them, all the others ‘share’ in the adverse effects in the form of paralysis of business.

            Jurisdictional constraints prevent sector policymakers to extend their regulatory influence at the international level in order to ensure that the American people are fully protected from vulnerabilities relating to terrorist activities that are carried out abroad. The same case applies to the financial establishments owned by the US citizens, which are situated abroad. The level of vulnerability of these assets is even higher than the one that exists at home. In this case, though, the level of threat varies depending on the relationship between the government of a particular nation-state and the current US administration.

            When agreements on cross-border financial transactions are flouted with terrorist intent, jurisdictional shortcomings become more profound than the case would be if the transactions were carried out locally. After all, it is easier to put in place legal, regulatory, and self-regulatory mechanisms locally than at the international level.

As the current business trend continues to drift towards internalization, more and more Americans are going to start being increasingly ill at ease with the existing international regimes for dealing with the prevailing vulnerabilities and threats in the finance and banking sector. If the federal government does not put in place effective measures of dealing with this jurisdictional problem, it will become increasingly difficult to keep the sector free of physical and cyber attacks both at home and abroad.


In summary, the US finance and banking will continue to be a crucial element of the country’s critical infrastructure. Being the most advanced critical infrastructure, the sector faces the risk of being targeted by physical and cyber terrorists, both locally and internationally. Meanwhile, since 9/11, industry players have started perceiving the need for actors in the private sector to collaborating with federal agencies, mainly the Department of Homeland Security, in ridding the sector of terrorism vulnerabilities.

Apart from the Department of Homeland Security, there are many other agencies that continue to contribute to the reinforcement of the infrastructure in the sector. The main options for these agencies and organizations are physical protection measures, reinforcement of the information and network systems, and business continuity planning.


Calomiris, C. (2009) United States bank deregulation in historical perspective, Macmillan: London.

Chen, A. (2004) The effects of terrorism on global capital markets, European Journal of Political Economy, 20(2), 349-366.

Eldor, R. (2004) Financial markets, and terrorism, European Journal of Political Economy, 20(2), 367-386.

Furnell, S. (1999) Computer hacking and cyber terrorism: the real threats in the new millennium? Computers & Security, 18(1), 28-34.

Goetz, E. (2003) Survey And Analysis Of Security Issues In The U.S. Banking And Finance Sector, Hanover: Institute For Security Technology Studies at Dartmouth College.

Kosmidou, K. (2009) Assessing performance factors in the US banking sector: A multicriteria methodology, Central European Journal of Operations Research, 14(1), 25-44.

Parfomak, p. (2005) Vulnerability of Concentrated Critical Infrastructure: Background and Policy Options, CRS Report for Congress.

Pederson, P. (2006) Critical Infrastructure Interdependency Modeling: A Survey of U.S. and International Research, Washington, DC:  Idaho National Laboratory.

US Department of Homeland Security (2007) Banking and Finance: Critical Infrastructure and Key Resources Sector-Specific Plan as input to the National Infrastructure Protection Plan.

Verton, D. (1999) Black ice: the invisible threat of cyber-terrorism, Emeryville: McGraw Hill.

White, W. (1996)International Agreements in the Area of Banking and Finance: Accomplishments and Outstanding Issues, Working paper No. 38, Bank for International Settlements, Monetary and Economic Department Basle.

Zhu, K. (2004) Information Technology Payoff in E-Business Environments: An International Perspective on Value Creation of E-Business in the Financial Services Industry, Journal of Management Information Systems, 2 (1), 17 – 54.

Get a 10% discount on an order above $50