Cybersecurity is the hot topic du jour. According to IBM’s 2014 Cyber Security Intelligence Index, there were 1.5 million monitored cyber attacks in the United States, and WIRED.com cites nation-state attacks, extortion, data destruction, and third party breaches among the biggest security threats for 2015.
Regulators are taking notice, with recommendations and guidelines to help financial institutions and other organizations wage war on these ever-growing threats. Shared Assessments remains at the forefront of educating third party risk professionals on the latest risks, and best practices to meet these threats and adhere to regulations. Our collective community of industry thought leaders keeps us relevant and up-to-date, working collaboratively to develop tested strategies, approaches, best practices, and our newly updated and released Shared Assessments Program Tools.
Last February, NIST released its Cybersecurity Framework, a set of voluntary cybersecurity standards that has gained widespread acceptance across industries. The Shared Assessments Program Steering Committee recognized the framework as a solid foundation for creating and implementing a cybersecurity program. Each of our Development Committees, which are tasked with ensuring the Tools meet industry regulations, guidelines and standards, performed a gap analysis of our Program Tools against the NIST Cybersecurity Framework to confirm alignment. The Shared Assessments Program Tools, specifically the Vendor Risk Management Maturity Model (VRMMM), help risk professionals implement the standards mentioned in the framework. The gap analysis validated that the Shared Assessments Program is in alignment with the Framework.
Cybersecurity in Banking
On the financial front, the Federal Financial Institutions Examination Council (FFIEC) examined the cyber risks of 500 banks. In a recent American Banker’s webinar, Bank Cybersecurity and Regulatory Imperatives, Amy McHugh, senior associate, IT Consulting, Clifton Larson Allen, LLP, shared the FFIEC’s findings and recommendations to banks to address cyber threats in 2015:
- Better identify and mitigate cyber attacks
- Better identify and understand vulnerabilities
- Understand and become more knowledgeable of inherent risks
- Incorporate more efficient cybersecurity controls, namely patching and intrusion prevention and detection systems
- Establish formal audit programs
- Improve cyber incident management and resilience with a formal incident response program and board reporting
The FFIEC recommendations are also in alignment with Shared Assessments' 2015 initiatives and Tools. The Shared Assessments Program Tools include the latest Incident Management and Business Continuity sections as well as up-to-date international, federal, and industry standards, including ISO 27001/27002, PCI DSS, HIPAA/HITECH, Office of the Comptroller of the Currency (OCC), COBIT, NIST, and FFIEC guidance.
The Importance of Peer Groups and Third Party Relationship Management
The FFIEC also encourages banks to join peer groups in order to share cybersecurity strategies and best practices. Cybersecurity is not the only concern for banks, however; 46 percent of the banks attending the webinar said that third party relationships are their greatest concern. Peer groups also provide a forum for banking and other professionals to share best practices for managing third party relationships. Shared Assessments, for instance, offers peer group collaboration and participation, educational opportunities, and the Program Tools to assist financial organizations in developing a well-structured third party risk assurance program.
From Risk Management to Risk Assurance
The Shared Assessments Program uses the NIST Cybersecurity Framework, FFIEC recommendations, and other industry and regulatory guidance to ensure its Program Tools and resources remain relevant to its members and meet their risk management needs. In addition, the Shared Assessments Program will continue to offer members opportunities to network with their peers and collaborate on best practices for managing cyber, third party, and other types of risk. The Program Tools and peer collaboration empower organizations to move from risk management to risk assurance, even in the face of cyber attacks, third party vulnerabilities, and other threats.
Angela Dogan is Senior Project Manager for the Shared Assessments Program, focusing on enhancements to the Program’s Tools by the Development Committee and Special Interest Groups, and the development of briefing papers on vendor risk management best practices.