The FFIEC recently released its Cyber Security Assessment observations, after conducting a pilot on cyber security readiness with more than 500 community institutions. A key theme emerging from the observations was the need for enhanced sharing of threat and vulnerability information across the public and private sectors. The rapid pace at which new risks emerge requires faster response and strong collaboration between financial institutions and the technology service providers they depend on.
Understanding Inherent Risk
A starting point in any cyber security assessment is the institution's inherent risk. Financial services as an industry carries higher inherent risk, both because of the sensitive financial information institutions maintain and because of the high profile of banking and its impact on the U.S. economy. However, risk levels can vary significantly between individual financial institutions.
Risk levels differ by size, scale of operations, and even the types of products and services the institution offers. Inherent risk is the risk baseline before any mitigating controls are considered, so the challenge for risk professionals is to get management to understand that baseline first, and only then to tell the risk-mitigation story of the controls the organization has in place.
A Connected Landscape
Banking today relies on connections: connections between users, connections between systems, and connections between devices. In a connected landscape, assessing your risk begins with an inventory of the types of connections your organization maintains.
Once that inventory is complete, review how you evaluate the risk each connection brings to your organization. Risk factors include the security controls in place, the type of data passing through the connection, and which systems and databases could be reached through it. The assessment should consider both internal and external threats, including interfaces to third parties that are critical to day-to-day technology operations.
Don’t Hide From the Hacker – Think Like the Hacker
As you evaluate your products and services, consider the features each one exposes, the financial risk carried by its transactions, and the harm that could come to your account holders if the product or service were compromised. Organizations need to build awareness of the different types of threats and attacks that hackers use against different types of products and services. Put yourself in the hacker's mindset and ask where the threat could be hiding within your organization. It is easy to focus only on the technology, but at times people can be the bigger threat.
As most organizations review and analyze the FFIEC observations and recommendations, here are the highlights I found most interesting in the release, from a do's and don'ts perspective:
- Risk Management & Oversight: Do increase the frequency and depth of cyber security coverage with executive management and the Board of Directors. Don't let security training and awareness content go stale or become an annual check-the-box exercise.
- Threat Intelligence & Collaboration: Do define the roles and responsibilities for monitoring risks & threats. Don’t wait for an incident to establish the protocols for information sharing on vulnerabilities or processes to coordinate with law enforcement.
- Cyber Security Controls: Do assess and review your information classification and control standards. Don't scan every system on the same schedule: higher-risk systems need more frequent vulnerability scanning and risk review.
- External Dependency Management: Do address third-party risk based on the nature of the risk that each relationship brings to the organization. Don't treat every third-party vendor the same; your resources need to focus on the higher-risk processes and connections.
- Cyber Incident Management & Resilience: Do assess how incident notification processes work within your organization and between critical third parties. Don't underestimate how a cyber security event could trigger a broader business continuity scenario, and look for the points where your incident handling and crisis communication processes connect.
We can’t hide from cyber security risk, but we can seek to assess that risk, share information with others and collaborate on the key governance models for cyber-security preparedness.
Linnea Solem is the Chair of the Shared Assessments Program and is Chief Privacy Officer, Vice President Risk and Compliance for Deluxe Corporation. Linnea is a management professional with 20+ years of financial services experience in areas including eCommerce, technology, business development, marketing, information practices and risk management. She is a Certified Information Privacy Professional and led Deluxe's compliance initiatives for Y2K, GLB, Check 21, and Red Flags legislation. You can connect with Linnea on LinkedIn.
Reposted with permission from Deluxe Blogs