Keys to managing your bank’s sustainable cybersecurity strategy


According to a recent ABA Banking Journal article, cybersecurity continues to top the list in 2018 as a key area of risk for financial institutions. Even though banking organizations have policies and security systems in place to counter threats, it seems the work is never done in heading off cyberattackers and their relentless pursuit to obtain customer and employee information.

RSM recently sponsored the NetDiligence® Cyber Claims Study, a critical tool to help organizations not only understand the source of data breaches, but also how to make strategic decisions that address the motivations, targets and damages associated with a breach. The study uncovered some sobering data about cyberthreats, including:

  • Personally identifiable information was the most frequently exposed data (36 percent), followed by intellectual property and trademarks (25 percent), payment card information (PCI) (16 percent) and protected health information (15 percent).
  • Hackers were the most frequent cause of loss (27 percent), followed by malware and viruses (16 percent), and lost or stolen devices (12 percent).
  • Third parties accounted for 13 percent of the claims submitted.
  • Insider involvement occurred in 25 percent of the claims submitted.
  • The average cost for crisis services (forensics, notification and legal guidance) was $249,000.

Addressing risks via adaptable security governance

How can financial institutions stay ahead of these cyberattack threats, and, equally important, how can organizations ensure their efforts are comprehensive and sustainable enough to address ever-evolving security risks? The answer lies in the successful adoption of a security governance framework that makes security both operational and strategic.

An adaptable security governance framework is essential as a guide to a sustainable security program. This framework can encompass the various security structures a financial institution must satisfy, including FFIEC, COBIT, PCI, HIPAA, NIST and potentially others, making this strategy critical to a banking organization's overall risk mitigation. RSM has developed such a framework for banking clients. There are four major domains within this framework:

Risk oversight

Risk oversight refers to the way your financial institution directs, manages and reports its security and risk management activities. Examples of oversight components include your board of directors, executive leadership and specialized governance personnel within your risk management and information technology departments.

Achieving successful coverage in oversight requires diligent planning. Oversight planning encompasses clearly defined roles and responsibilities, decision rights, the risk governance operating model and reporting lines. In addition, this area enables the achievement of business plans, goals and strategic objectives while weighing the associated risks and threats. To assess your risk maturity in this area, a risk appetite statement should be completed periodically; it should state risk tolerances as well as your limits and the associated breach protocols used to control risk levels throughout the organization.

Awareness and education

Cybercriminals are becoming increasingly cunning in the techniques they use to breach organizations, leveraging employees and customers as footholds into the organization. To counter this, financial institutions must conduct frequent educational training sessions to alert employees, boards of directors and customers to these threats, and instill an ongoing commitment to security awareness.

A security-aware culture can influence the decisions of management and employees, even if employees are not consciously weighing risks and benefits. A strong security culture helps to encourage strategic decisions that are in the long-term best interest of the organization, its shareholders and employees. Continuous awareness training and preventive education are a must. If training is not occurring on a regular basis, your financial institution is at risk.

In addition, when working with external third parties, a risk-mature financial institution knows the policies and practices of the vendors that have access to corporate or customer data. Liability doesn't end once the information has been transferred; you must work together with your vendors to protect private and sensitive information.

Process assessment

Financial institutions should regularly assess their security processes to identify, evaluate and quantify known and emerging security risks. For example, this could include your organization's identity and access management strategy, including your bank's process for verifying passwords.

Measuring and identifying the risks associated with these and other protocols and processes enables an organization to formally consider the extent and likelihood of potential threat events. Process assessment in your organization should encompass qualitative and quantitative approaches, tools and system checks to categorize, understand and measure potential security risks. This area also includes assessment of the various technologies that support risk management activities, including risk management tools, software, databases, solution architecture and systems.

Base security practices

Not too long ago, there were distinct systems: a core system, a network with all of its components, and the phone system. If one of those systems was attacked, the others were isolated simply because they were not integrated. One constant for all financial institutions is that technology continues to change, evolve and become more complex, and those formerly separate systems are now integrated with one another.

There are many base security practices that are critical to successful security efforts. Examples include system configuration management, security architecture and design, intrusion detection and prevention, security monitoring and endpoint security. These practices are often described as the security "care and feeding" of technology.

Implementing an adaptable security framework can provide much of what is needed for a sustainable cybersecurity program in your financial institution. A successful and sustainable cybersecurity program ensures not only that the financial institution is secure today, but that it will be more secure tomorrow and into the future.