Cybersecurity has gotten a lot of attention from regulators lately, and with assessments already underway it promises to be a regulatory focus for the foreseeable future. But exactly what are they expecting from you, and how does that differ from what you may be doing already? More importantly, how should you demonstrate that you are cybersecurity compliant?
First of all, it’s important to understand that, at least initially, regulators will be data gathering only. They may offer verbal feedback, but don’t expect any written examination findings or recommendations at this time. What they will be doing is assessing overall cybersecurity posture. It would appear that the regulators are following the NIST Cybersecurity Framework released earlier this year in response to the Presidential Executive Order of February 2013. The NIST framework provides a common mechanism for organizations to:
- Describe their current cybersecurity posture;
- Describe their target state for cybersecurity;
- Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process;
- Assess progress toward the target state; and
- Communicate among internal and external stakeholders about cybersecurity risk.
It would appear that financial regulators are currently on step 1: gathering information in order to describe the current state of cybersecurity across the financial industry. Of course, once the current state has been established, I expect that the “target state” for cybersecurity (step #2) will involve additional regulatory expectations.
So what do you need to do now? Well, if you’ve kept your information security, business continuity, and vendor management policies and procedures up-to-date, probably not much. Cybersecurity is simply a subset of each of those existing policies. In most cases, ‘cyber’ refers to either the source or the nature of the attack or the vulnerability. Your InfoSec policies (including incident response) should already address this, and so should your business continuity plan. In other words, you should already have procedures in place to secure customer and confidential data and to recover critical business processes regardless of the source or nature of the threat. Your policies should all be impact-based, not threat-based.
Your risk assessments, however, may need to be adjusted if they don’t specifically account for cyber threats. For example, critical vendors should be assessed for their exposure to, and protection from, cyber threats, with your controls adjusted accordingly (e.g. audit reports, penetration tests, etc.). Your BCP risk assessment should account for the impact and probability of cyber fraud, theft and blackmail as well as the traditional forms. All that said, regulators will likely be looking for specific references to ‘cyber’, so it won’t hurt to make sure your policies include the term as well.
For me, the biggest takeaway from the flurry of cybersecurity activity (the 2013 Presidential Directive, the 2013 FFIEC working group, the 2014 NIST Cybersecurity Framework, the recent FFIEC statements on ATM hacking, Heartbleed and DDoS attacks, as well as the recent FDIC C-level cybersecurity webinar) is this: for the vast majority of outsourced financial institutions, cybersecurity readiness means (a) managing your vendors, and (b) having a proven plan in place to detect and recover if a cyber-attack occurs.
According to the FDIC, here are the required elements of a cybersecurity risk management program; notice the last two:
- Governance – risk management and oversight
- Threat intelligence and collaboration – Internal & External Resources
- Third-party service provider and vendor risk management
- Incident response and resilience