Early summer 2015 is proving to be a busy one for those interested in cyber security maturity models, first with the June 30th publication of the FFIEC’s Cyber Security Assessment Tool (which incorporates a cybersecurity maturity model) and now with the release of the second annual Shared Assessments Vendor Risk Management Benchmark Study. Questions about the relationship between the two models are inevitable. While the FFIEC cyber security model aims to assess financial institutions’ cyber security readiness at high level, the Shared Assessments Vendor Risk Management Maturity Model – with its sharp focus on third party risk – does a deep dive into a single important component of cyber security, and is designed for use across all types of industries.
The 2015 Study:
This year’s study incorporates responses from more than 450 firms, and self-assessments were completed by C-suite executives (more than 25% of respondents), as well as IT, internal audit and IT audit vice presidents (about 15%) and directors (just over 50%). Several themes emerged from this year’s analysis:
Vendor risk management programs require more substantive advances, especially outside of the financial services industry – Overall category maturity ratings of 2.3 on a 5-point scale for “Skills and Expertise” and 2.4 for “Tools, Measurement and Analysis” (both unchanged from 2014) serve as a warning sign that step-function improvements are required to meet the challenges of today’s increasingly difficult security environment. This mandate is evident in recent regulatory pronouncements. Regulatory agencies in the financial services industry, most notably the U.S. Office of the Comptroller of the Currency, have asserted that “average” risk management no longer suffices; instead, financial institutions must enact the mind shifts, organizational culture work and behavioral changes needed to satisfy the “Getting to Strong” regulatory mantra (www.protiviti.com/en-US/Documents/White-Papers/Industries/Getting-to-Strong-What-Banking-Organizations-Need-to-Know-Protiviti.pdf).
Vendor risk management programs within financial services organizations continue to be more mature compared to companies in insurance, healthcare and other industries – The financial services industry, which in 1999 was the first to establish a Coordinating Council for Critical Infrastructure Protection and Homeland Security in response to Presidential Decision Directive 63, remains ahead of other industries with regard to its vendor risk management programs. The insurance and healthcare industries – each of which operates under its own regulatory microscope – continue to lag behind financial services organizations in fortifying their vendor risk management capabilities.
Cybersecurity threats continue to be a daunting challenge – Cybersecurity threats are clearly on the minds of risk managers, IT functions and regulators. High-profile data breaches, often involving millions of customer records and personally identifiable information, are being reported with greater frequency. These attacks are moving beyond the financial services industry, where payments-related breaches have been a recurring headline. The first half of 2015, for example, has seen several major health insurance breaches, with records for more than 91 million subscribers compromised.
For the first time, this year’s analysis examined maturity ratings sorted by the seniority level of the survey respondent for both 2014 and 2015 data. For both survey years, the study showed that the higher the level of the respondent, the lower the score that individual gave on the firm’s self-assessment. Across all industries, C-level respondents rated their firms’ overall maturity level as 2.3 in 2014 and 2.4 in 2015. Manager-level employees rated maturity at just under 2.8 in 2014, and a little over 2.8 in 2015. In both years, Vice President-level respondents were in between. These results foot with our expectation that the most senior levels of management will have both the best perspective on the effectiveness of their own enterprise risk remediation capabilities and the most up-to-date and wide-ranging perspective on the external risk environment. That’s good news, because it shows quite clearly that executive management understands the scope of the vendor risk management work that needs to be done.
For more than 35 years, Santa Fe Group Senior Advisor Gary Roboff has contributed his outstanding talents to the financial services industry, and in particular to financial services payments systems. Gary has focused on such issues as privacy and information utilization, business frameworks, changes in the payments and settlement systems, and standards for emerging e-commerce applications. He has chaired the Electronic Funds Transfer Association (EFTA) Board of Directors and was a founder of the International Security Trust and Privacy Alliance (ISTPA), serving as Vice Chair of its Board.