October 25, 2016
What’s in a Domain Name? For .BANK and .INSURANCE it’s Security and Trust
October marks the 13th Annual National Cyber Security Awareness Month, a collaborative effort between industry and government partners to help both Americans and global citizens stay safer and more secure online.
In the last thirteen years, much has changed in the global cyber community, including:
- 2003: More data was created in one year than in all of human history combined
- 2007: Apple launched the iPhone, putting the power of a computer in people’s pockets
- 2008: ICANN, the Domain Name System’s primary governance body, formalized a process to introduce more new generic Top-Level Domains (gTLDs) to the internet
- 2013: The era of massive data breaches became headline news with multiple, large retailer attacks
- 2014: The Internet of Things (IoT) accelerated and transformed, with seemingly non-cyber “things” like automobiles becoming the target of today’s hackers
fTLD Registry Services (fTLD), the operator for the .BANK and .INSURANCE web extensions, was established in 2011 so that the global financial services community could participate in the internet domains expansion program formulated by ICANN in 2008. fTLD is owned and operated by banks, insurance companies and their respective trade associations. The domains expansion program represented a once-in-a-lifetime opportunity for these stakeholders to create and operate domains exclusively for the financial services sector. fTLD’s mission is to operate trusted, verified, more secure and easily identifiable places online for the global financial services community and the customers and stakeholders it serves.
To accomplish its mission, fTLD committed to developing, continuously improving, and enforcing robust security technology and practice mandates to govern all domain names within .BANK and .INSURANCE.
The first version of the Security Standards, which would later be changed to Security Requirements (the “Requirements”), was published as part of fTLD’s applications for .BANK and .INSURANCE in 2012. This seminal document included key controls such as registrant eligibility qualifications and identity proofing, multi-factor authentication for fTLD, its registrars and registrants for access to registry systems, Domain Name System Security Extensions (DNSSEC), email authentication and ubiquitous strong encryption (i.e., Transport Layer Security (TLS)). Taken as a whole, these Requirements dramatically improve the security posture of domain holders, protect and cultivate company brands and increase consumer confidence and trust in their online financial services experience.
Subsequent versions of the Requirements were published in 2014 and in May 2016 after extensive review by financial services members of the cyber security and domain name system communities. The current version of the Requirements extends some features (e.g., DNSSEC, TLS) into supporting legacy domains such as .COM and .NET, including monitoring and compliance. By advancing these Requirements to areas such as core banking services, content delivery networks and email providers, the existence of .BANK and .INSURANCE is raising security and enhancing trust in the online financial system. Consumers reap the benefits accordingly, enjoying a more secure experience in accessing their online accounts.
Keeping our mission in mind, however, fTLD and its thousands of financial service company registrants are not sitting idle and waiting around for the next cyber security problem to pop up. We are committed to meeting current and future cybersecurity challenges. We invite cyber security professionals and other stakeholders to participate in future efforts to continually improve our Security Requirements to keep pace with the ever-changing cyber threat landscape. We have big plans for the future, and whether you are part of a bank or insurance company, or just an interested party, we invite you to join our community and help us carve out a safe and trusted place on the internet for the financial services community and its customers. For more information, please visit https://www.ftld.com or contact fTLD@fTLD.com.
By Andrew Kennedy, Financial Services Roundtable/BITS Cybersecurity Advisor to fTLD