4 steps to effective cybersecurity for financial services firms
Cybersecurity from the top down
INSIGHT ARTICLE
Based on recent pronouncements and actions by the Securities and Exchange Commission (SEC) and FINRA, it is clear that cybersecurity is a growing point of regulatory emphasis for financial services firms. However, if you are viewing cybersecurity primarily as a compliance concern, you are ignoring the real threat. Without effective cybersecurity practices in place, a breach could cripple, or even destroy your firm.
The fallout from the series of breaches suffered by Target, UPS, Home Depot and numerous other organizations offers a clear example of the damage an attack can cause. Yet, for most affected customers, those breaches gave the cybercriminals access to only a single credit card. Think of the sensitivity and value of the customer data maintained by your firm, then imagine the possible ramifications of a successful cyberattack. It is not going too far to say that the survival of your company could be at stake.
The four pillars of cybersecurity outlined by the SEC offer a solid foundation for evaluating your cybersecurity:
- Cybersecurity risk assessment and governance
- Protecting networks and information
- Detection of and response to unauthorized activity
- Vendor and third-party risk management
Effective cybersecurity governance is critical. It should start with your board and reach down throughout your entire organization. Every financial services organization should have robust, detailed cybersecurity policies and procedures that:
- Define cybersecurity roles and responsibilities at all levels of the organization
- Establish a cybersecurity incident response plan that ensures a timely and effective response to cybersecurity attacks
- Spell out a business continuity plan that mitigates the effects of a cybersecurity breach by allowing the secure continuation of key business functions
- Set appropriate records and data retention and disposition policies and procedures
- Establish policies and procedures for assessing and mitigating risks posed by third-party contractors
- Build effective controls for monitoring all network and device activity, so that unauthorized activity is detected and contained quickly
Assessing your risks
Effective risk assessment allows you to identify, define and respond to the specific cyberrisks to your company. Picking the right team to lead your risk assessment effort is vital. That starts with realizing that cybersecurity is not an isolated information technology (IT) activity. Cybersecurity risks involve a combination of factors, including your specific business model, products and services; your operating procedures; your systems; and your people. So your risk assessment team should cover all of those areas.
The good news is that you don't have to start from scratch. Models such as the International Organization for Standardization's Information security risk management (ISO 27005) or the National Institute of Standards and Technology's Guide for Applying the Risk Management Framework to Federal Information Systems (NIST sp800-37) can provide a solid framework to guide your risk assessment and other cybersecurity efforts.
But you cannot rely on models alone. You must tailor your risk assessment to suit your operation's unique risk environment. Issues to consider include:
- Industry-wide weaknesses
- Security issues due to your specific business model and operations
- Cyber- and physical threats to the security, confidentiality and integrity of all sensitive data
Once all of those risks are considered, you must then evaluate how effectively your current controls address them. That requires:
- Prioritizing your resources appropriately to address your risks according to their severity
- Documenting your risk assessment and findings to provide direction when implementing solutions
Finally, realize that your risk assessment is never finished. As your business and systems—and the threats confronting them—evolve, you must continually assess the risks that evolve with them.
Implementing your plan
Once you have assessed your risks, you must design and implement a plan to address them. Again, you can start with proven models, such as the ISO's Information technology – Security techniques – Code of practice for information security management (ISO 27001) and NIST's Security and Privacy Controls for Federal Information Systems and Organizations (NIST sp800-53). These frameworks help you validate that the security program you design is complete, while the risk assessment frameworks from the prior section help you determine whether the controls are correct with respect to your organization's specific risks. Just as with your risk assessment, however, the real work is tailoring those models to fit your specific risk profile. Following is a solid framework for implementation:
First, use your risk assessment to drive your plan design and implementation:
- Delineate and prioritize the identified risks
- Update and implement policies and procedures accordingly
- Modify controls to address the identified risks
Second, identify those areas requiring the most significant changes and recruit change leaders to drive those efforts. Key areas of focus often include:
- Third-party risk mitigation
- People and processes
- Business conduct
Third, design and implement monitoring and assessment activities.
Fourth, conduct ongoing employee training at all levels of the organization covering:
- Risk policies and procedures
- Risk assessments
- Potential breach tactics and responses
Finally, realize that your cybersecurity plan is not a straight line, but rather a loop that continuously monitors and responds to your evolving threat environment.
While cybersecurity should not be the sole province of your IT department, effective system safeguards are obviously vital. So planning for protection of your networks and infrastructure is a key part of your implementation. Focus on:
- Establishing authentication procedures and controls to enroll and verify authorized customers with online account access
- Determining appropriate encryption and data loss prevention tools for customer and other sensitive data
- Continuously monitoring your network intrusion system to detect and prevent unauthorized access and activity
Detecting and responding to attacks
Preventive system safeguards are vital, but they are not enough. "Failing to plan is planning to fail," the saying goes. Effective cybersecurity turns that saying on its head. If you aren't planning to fail, you are failing to plan. You have to be ready to respond and respond quickly when your preventive safeguards fail.
Monitoring is vital. In any cyberattack, the longer it takes for the breach to be detected, the greater the cost to your organization. If you can detect attackers early enough in the breach, you can remove them before any damage is done. But that takes more than just logging activity. It takes an active monitoring effort.
A data breach report issued by Verizon in 2010 found that 87 percent of organizations that were victims of cybersecurity attacks had evidence of the breach in their log files, yet missed it. This proves that logging activity is only the beginning. You need a consolidated and timely security monitoring effort.
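To make the distinction between logging and monitoring concrete, the following is an added example, not part of the original article: a small Python pass over authentication log lines that correlates events across time. The log format, host name, user names and IP addresses are all constructed for the example, and the thresholds (five failures within 60 seconds) are illustrative assumptions rather than values from the article. The point it demonstrates is the one the Verizon finding makes: the evidence (a burst of failed logins from one source, then a success from that same source, and later a login for a known user from a never-before-seen address) is already in the lines, but only a consolidated rule that looks across lines surfaces it.

```python
"""Added example: correlating authentication log lines to surface evidence
that plain logging would leave buried. Not code from the original article."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in a syslog-like format (not from any real system).
SAMPLE_LOG = """\
2024-03-04T09:00:01 web-portal auth user=alice src=203.0.113.7 result=success
2024-03-04T09:00:05 web-portal auth user=bob src=198.51.100.23 result=failure
2024-03-04T09:00:07 web-portal auth user=bob src=198.51.100.23 result=failure
2024-03-04T09:00:09 web-portal auth user=carol src=198.51.100.23 result=failure
2024-03-04T09:00:11 web-portal auth user=dave src=198.51.100.23 result=failure
2024-03-04T09:00:13 web-portal auth user=erin src=198.51.100.23 result=failure
2024-03-04T09:00:15 web-portal auth user=frank src=198.51.100.23 result=failure
2024-03-04T09:00:20 web-portal auth user=carol src=198.51.100.23 result=success
2024-03-04T09:15:00 web-portal auth user=alice src=203.0.113.7 result=success
2024-03-04T10:02:00 web-portal auth user=alice src=192.0.2.99 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>\S+)$"
)

FAILURE_THRESHOLD = 5           # assumed: this many failures from one source ...
WINDOW = timedelta(seconds=60)  # ... within this window counts as a burst


def parse(log_text):
    """Turn raw lines into event dicts sorted by timestamp (consolidation step)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            # In production, count and report unparseable lines: silently
            # dropping them is one way evidence goes unseen.
            continue
        event = m.groupdict()
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    events.sort(key=lambda e: e["ts"])
    return events


def detect(events):
    """Return (rule, subject, timestamp) alerts for the correlated patterns."""
    alerts = []
    recent_failures = defaultdict(deque)  # src -> timestamps of failures in WINDOW
    flagged_sources = set()               # sources that already produced a burst
    known_sources = defaultdict(set)      # user -> sources seen logging in before
    for e in events:
        src, user, ts = e["src"], e["user"], e["ts"]
        if e["result"] == "failure":
            q = recent_failures[src]
            q.append(ts)
            while q and ts - q[0] > WINDOW:   # slide the window forward
                q.popleft()
            if len(q) >= FAILURE_THRESHOLD and src not in flagged_sources:
                flagged_sources.add(src)
                alerts.append(("failed_login_burst", src, ts.isoformat()))
        else:
            # A success from a source that just produced a burst is the line
            # most worth a human's attention.
            if src in flagged_sources:
                alerts.append(("success_after_burst", f"{user}@{src}", ts.isoformat()))
            # A known user appearing from a never-before-seen source.
            if known_sources[user] and src not in known_sources[user]:
                alerts.append(("new_source_login", f"{user}@{src}", ts.isoformat()))
            known_sources[user].add(src)
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)
```

Run stand-alone, the script prints three alerts: the burst from 198.51.100.23 at 09:00:13, carol's success from that same source at 09:00:20, and alice's later login from 192.0.2.99. None of the individual lines looks alarming on its own; the rules only fire because the events are read together and in order, which is what a consolidated, timely monitoring effort adds over a log file that is merely retained.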
Next, know exactly what you are going to do in the event of a serious breach. Have a detailed incident response plan ready to enact. Have regular intradepartmental drills, so that everyone involved knows what to do and when to do it in the event of an incident.
Don't overlook the potential financial and legal ramifications of a breach. Evaluate your insurance coverage to ensure you are adequately covered for cybersecurity events, data breaches and third-party lapses. And while you shouldn't view cybersecurity as primarily a regulatory compliance exercise, you should ensure that your cybersecurity efforts are in full compliance with all applicable laws and regulations.
Similar to the prior sections, you do not need to start designing your response plans from scratch. Guidance and templates include materials from US-CERT, the SANS six-step model, NIST sp800-6 and ISO 27035.
Third-party risk management
Most businesses today are realizing tremendous operational efficiencies through contractor and other third-party relationships. Financial services companies are no exception. But remember this: you can outsource functionality, but you can never outsource responsibility. Due diligence of third-party cybersecurity is vital.
Ask some key questions:
- How much control do you have over third parties?
- What data do they maintain on your behalf?
- What does your contract with them require in terms of data security, and how are those requirements validated?
- What do those contracts require concerning incident response and investigation?
Your cybersecurity policies and procedures should include clear due diligence guidelines for selecting and managing third-party relationships, including:
- Procedures for approving and monitoring third-party access to networks, customer data or other sensitive information
- Requirements that all third parties provide written information about security plans or certificates of compliance with applicable standards
- Language in all third-party contracts concerning appropriate security measures, including incident response notification procedures and cyberinsurance coverage
- Policies to include your cybersecurity team in due diligence for third parties
Guidance on third-party management can be found from a variety of sources, with the most common currently being the BITS-SIG framework.
When it comes to cybersecurity, every company is at risk, and those risks are constantly evolving. This four-step approach can help your company keep up with the shifting cybersecurity threat.