the evolving governance Model for CYBERSECURITY RISK By Gary owen, Director, Promontory Financial Group



Similar documents
FFIEC Cybersecurity Assessment Tool Overview for Chief Executive Officers and Boards of Directors

White Paper on Financial Institution Vendor Management

INFOCUS. Five Questions to Guide Cybersecurity Risk Management BY EARL CRANE

OCC 98-3 OCC BULLETIN

Experience the commitment WHITE PAPER. Information Security Continuous Monitoring. Charting the Right Course. cgi.com 2014 CGI GROUP INC.

Remarks by Thomas J. Curry Comptroller of the Currency Before the New England Council Boston, Massachusetts May 16, 2014

MEMORANDUM. Date: October 28, Federally Regulated Financial Institutions. Subject: Cyber Security Self-Assessment Guidance

Blind spot Banks are increasingly outsourcing more activities to third parties. But they can t outsource the risks.

Why you should adopt the NIST Cybersecurity Framework

FFIEC Cybersecurity Assessment Tool

How to Protect Sensitive Corporate Data against Security Vulnerabilities of Your Vendors

Vendor Risk Management Financial Organizations

CYBER SECURITY AND RISK MANAGEMENT. An Executive level responsibility

CYBERSECURITY RISK RESEARCH CENTRE (832)

FINAL May Guideline on Security Systems for Safeguarding Customer Information

VENDOR MANAGEMENT. General Overview

Managing cyber risks with insurance

New supervisory guidance on model Overview, analysis, and next steps

Remarks by. Thomas J. Curry Comptroller of the Currency. At the. Bank Information Technology Training Conference. Atlanta.

The promise and pitfalls of cyber insurance January 2016

Chief Executive Officers of All National Banks, Department and Division Heads, and All Examining Personnel.

Remarks by. Thomas J. Curry. Comptroller of the Currency. Before the. Chicago. November 7, 2014

Who s next after TalkTalk?

Security and Privacy Trends 2014

Operational Risk Management Policy

Remarks by. Thomas J. Curry Comptroller of the Currency. Before a Meeting of CES Government. Washington, DC April 16, 2014

BECAUSE CYBERSECURITY RISKS ARE ENTERPRISE RISKS.

Remarks by. Carolyn G. DuChene Deputy Comptroller Operational Risk. at the

The NIST Cybersecurity Framework

New York State Department of Financial Services. Report on Cyber Security in the Insurance Sector

Effective Model Risk Management for Financial Institutions: The Six Critical Components

Successfully identifying, assessing and managing risks for stakeholders

Sytorus Information Security Assessment Overview

GUIDANCE FOR MANAGING THIRD-PARTY RISK

Enterprise Security Tactical Plan

Mitigating and managing cyber risk: ten issues to consider

THE CYBER SECURITY PLAYBOOK WHAT EVERY BOARD OF DIRECTORS SHOULD KNOW BEFORE, DURING, AND AFTER AN ATTACK SECURITY REIMAGINED

Chairman Johnson, Ranking Member Carper, and Members of the committee:

Best Practices in ICS Security for System Operators. A Wurldtech White Paper

CYBERSECURITY IN HEALTHCARE: A TIME TO ACT

CYBERSECURITY IN FINANCIAL SERVICES POINT OF VIEW CHALLENGE 1 REGULATORY COMPLIANCE ACROSS GEOGRAPHIES

WILLIS SPECIAL REPORT: 10K DISCLOSURES HOW RETAIL COMPANIES DESCRIBE THEIR CYBER LIABILITY EXPOSURES

New York State Department of Financial Services. Report on Cyber Security in the Banking Sector

JOB ANNOUNCEMENT. Chief Security Officer, Cheniere Energy, Inc.

Governance Guideline SEPTEMBER 2013 BC CREDIT UNIONS.

U.S. Office of Personnel Management. Actions to Strengthen Cybersecurity and Protect Critical IT Systems

Effective AML Model Risk Management for Financial Institutions: The Six Critical Components

2015 CEO & Board University Cybersecurity on the Rise. Matthew J. Putvinski, CPA, CISA, CISSP

Anthony J. Albanese, Acting Superintendent of Financial Services. Financial and Banking Information Infrastructure Committee (FBIIC) Members:

CLOSING THE DOOR TO CYBER ATTACKS HOW ENTERPRISES CAN IMPLEMENT COMPREHENSIVE INFORMATION SECURITY

Delaware Cyber Security Workshop September 29, William R. Denny, Esquire Potter Anderson & Corroon LLP

Accenture Risk Management. Industry Report. Life Sciences

Vendor Risk Management (VRM), How Much Is Enough?

Managing IT Security with Penetration Testing

CYBERSECURITY: Is Your Business Ready?

PACB One-Day Cybersecurity Workshop

Enterprise Security Risk Assessments What are we trying to protect and why?

TOP 3. Reasons to Give Insiders a Unified Identity

NASA OFFICE OF INSPECTOR GENERAL

Cybersecurity in the States 2012: Priorities, Issues and Trends

Why you should adopt the NIST Cybersecurity Framework

Cyber Side-Effects: How Secure is the Personal Information Entered into the Flawed Healthcare.gov? Statement for the Record

SOCIAL MEDIA MOBILE DEVICES CLOUD SERVICES INTERNET OF THINGS (IOT)

Cyberprivacy and Cybersecurity for Health Data

GUIDANCE NOTE FOR DEPOSIT-TAKERS. Operational Risk Management. March 2012

Cyber and Data Risk What Keeps You Up at Night?

FIVE KEY CONSIDERATIONS FOR ENABLING PRIVACY IN HEALTH INFORMATION EXCHANGES

Cybersecurity and Hospitals. What Hospital Trustees Need to Know About Managing Cybersecurity Risk and Response

Sempra Energy Utilities response Department of Commerce Inquiry on Cyber Security Incentives APR

Cyber security Building confidence in your digital future

Cybersecurity Best Practices in Mortgage Banking. Article by Jim Deitch October 2015

PRIORITIZING CYBERSECURITY

NIST Cybersecurity Framework & A Tale of Two Criticalities

White Paper on Financial Industry Regulatory Climate

Best Practices in ICS Security for Device Manufacturers. A Wurldtech White Paper

OECD PROJECT ON CYBER RISK INSURANCE

Care Providers Protecting your organisation, supporting its success. Risk Management Insurance Employee Benefits Investment Management

Cybersecurity and the Threat to Your Company

THE NEW REALITY OF RISK CYBER RISK: TRENDS AND SOLUTIONS

Is Your Company Ready for a Big Data Breach?

The PNC Financial Services Group, Inc. Business Continuity Program

FEDERAL HOUSING FINANCE AGENCY ADVISORY BULLETIN AB Cyber Risk Management Guidance. Purpose

Cybersecurity: Considerations for Internal Audit. IIA Atlanta Chapter Meeting January 9, 2015

CYBER SECURITY Cyber Security for Canadian Directors in the Wake of Ashley Madison

Cybersecurity. Considerations for the audit committee

Information Technology

Vendor Management. Outsourcing Technology Services

VENDOR RISK MANAGEMENT UPDATE- ARE YOU AT RISK? Larry L. Llirán, CISA, CISM December 10, 2015 ISACA Puerto Rico Symposium

Protecting your brand in the cloud Transparency and trust through enhanced reporting

CYBER READINESS FOR FINANCIAL INSTITUTIONS

ICBA Summary of FFIEC Cybersecurity Assessment Tool

Connecting the dots: A proactive approach to cybersecurity oversight in the boardroom. kpmg.bm

GAO. INFORMATION SECURITY Persistent Weaknesses Highlight Need for Further Improvement

Securing Critical Information Assets: A Business Case for Managed Security Services

Internet Safety and Security: Strategies for Building an Internet Safety Wall

2014 Vendor Risk Management Benchmark Study

Cybersecurity Issues for Community Banks

From Information Management to Information Governance: The New Paradigm

Third-Party Cybersecurity and Data Loss Prevention

Transcription:

the evolving governance Model for CYBERSECURITY RISK By Gary owen, Director, Promontory Financial Group 54 Banking PersPective Quarter 2, 2014

Responsibility for the oversight of information security and cyber threats is moving from back-office technology professionals to boards of directors and corporate executives as it becomes increasingly clear that managing these risks across an organization demands involvement at the highest levels. Companies in every industry confront mounting cybersecurity risks, but the threat to banking organizations is particularly significant. They are at the heart of an industry deemed critical infrastructure by the Department of Homeland Security, and their holdings of consumer data and dollars make them especially attractive to thieves and hackers. The new governance model for information security and cybersecurity risk doesn t require the board and C-suite to become technology experts, but it does demand a cross-disciplinary approach and the recognition that technology, while posing a significant risk, can also be a significant competitive advantage. Firms must update risk management skills to ensure technology risks and gaps are not only understood but also factored into decisions made by senior management. A well-protected organization is less likely to become a victim and stands to attract the customers of companies that do; it is also better-positioned to deliver services with effective and secure technology. Firms that have not yet adjusted to the new cybersecurity risk paradigm typically have some common vulnerabilities: Boards of directors and executives that hesitate to engage on technology and cybersecurity issues, Risk management frameworks that don t capture the full range of technology risks, including exposure through vendors, Ambiguous lines of authority and a lack of accountability for protection, response, and recovery, Reliance upon security tools to respond to a crisis, rather than reliance upon front-end investments to prevent a crisis, and Inconsistent testing of their incident-response plans. Competition for corporate time and resources is intense, but the financial and reputational damage

inflicted by security failures and data and privacy breaches is an enormous price to pay for taking partial measures. These breakdowns are often as devastating as failures in business, public relations, customer trust, and regulatory compliance. How banking organizations should best address these risks varies by their size, complexity, and lines of business. Compared with community and regional banks, the largest banks have the obvious advantages that come with size: round-the-clock operations that can quickly address emerging threats, more employees dedicated to protecting against cybersecurity risk, advanced information-technology software and systems, and the capacity and scale to insource operations. But these resources must be deployed carefully to generate the greatest benefit. And of course, size comes with its own disadvantages, not the least of which is the greater number of threats large banks can expect to attract. The financial and reputational damage inflicted by security failures and data and privacy breaches is an enormous price to pay for taking partial measures. As the size of the organization decreases, generally so does the budget and staffing for managing cybersecurity risk. But while regional banks do not have the same flexibility that the largest banks have in deciding which activities to keep in-house, they usually have the advantage of being less technically complex. IT solutions and protection are commensurately less complex. The tendency of regional and community banks to outsource the management of cybersecurity risks is a critical distinction from the largest banks. The Office of the Comptroller of the Currency (OCC ) and the Federal Reserve Board (Federal Reserve ) have separately issued guidance making it clear that banking companies retain the risk associated with outsourced activities. Banks must be able to clearly represent their controls and capabilities, regardless of who manages the implementation which places a premium on competent vendor management. Managers must take an active role in evaluating the added risk or benefit of third parties, and continuously monitor the overall risk posture of the bank. The common element for all banking companies and indeed, all organizations in managing cybersecurity risk successfully is a governance framework that suits their risk profile. Banks should identify where risk functions are managed and assess how much control they exert over those functions. That is a key element of the rationale for outsourcing, because whether to maintain a third-party relationship depends on an accurate assessment of the benefit of doing so. These decisions which must be revisited on an ongoing basis can t be made reliably unless banks internal teams and third parties are reporting practical information that is used to make decisions about risk. This is especially pertinent as the OCC and the Federal Reserve each emphasized in its guidance the establishment and monitoring of performance standards for third parties. Balancing Act Many companies and directors don t always know where to focus time, attention, and resources, even though they have identified the pressing need to manage cybersecurity risk. That sense of urgency can lead to an uncalibrated response in which companies rush to prevent sophisticated attacks without first covering the basics. The result is similar to closing second-story windows without locking the front door. Effective security is a balancing act to ensure the basics are covered while keeping an eye on what is around the corner. A good first step in undertaking significant cybersecurity programs is a sound governance model that addresses basic gaps and anticipates more sophisticated ones. 56 Banking Perspective Quarter 2, 2014

The program should also ensure that common vulnerabilities are addressed decisively. Insufficient Board and executive engagement Organizations must maintain a strategic business focus on information security and cyber threats. Protecting the corporation s critical assets, including data and technology, is increasingly regarded as a fiduciary responsibility of the board. Yet technology disciplines are alien to many directors and executives, who were more likely chosen for their knowledge and experience in management, governance, accounting, or finance. The key is to approach technology-focused risk through the same prism as any other risk that is, by insisting on having a clear and rigorous understanding of it and a process for managing it as other risks are managed. This means breaking through jargon and getting crisp responses to questions. Inadequate risk management frameworks A formal risk management framework helps companies make decisions and set priorities about risk, and enables business lines and control and support functions to work together. Business units work to consistent standards, and support functions provide the same services and support regardless of location. In the absence of this type of framework, weak spots will emerge, without a clear line of sight from the corporate center. Boards and management should probe whether their risk management framework gives sufficient weight to technology and cybersecurity risk, as well as vendor relationships, which have been implicated in a number of cyberattacks. The organization should be able to profile its critical technological resources to understand what needs to be protected, recognize the threats to and vulnerabilities in those resources, adopt mitigation strategies, implement and continually test controls, and put in place a vendor risk management process. Ambiguous lines of authority and a lack of accountability In an intrusion or other attack, who will be responsible for leading the team that addresses and resolves the matter? While there is no cookie-cutter answer to the question, neither the CEO nor someone in the IT department is likely to be the right person. The CEO has stature and breadth to lead the effort, but must maintain a higher strategic focus, while IT managers may have depth but typically not the needed breadth across multiple disciplines. While regional banks do not have the same flexibility that the largest banks have in deciding which activities to keep in-house, they usually have the advantage of being less technically complex. Crisis Response Rather Than Front-End Investment Companies that do not invest prudently in technology risk falling behind and exposing themselves to constantly changing cyber threats. It is critical for the board and management to forge a consensus on appropriate investment in cybersecurity risk protection, and follow through by budgeting appropriately. Front-end investments that are properly integrated within the IT framework prove to be far more effective than ad hoc expenditures on security tools purchased in response to a crisis. Inconsisent Testing of Incident- Response Plans A nimble reaction to a crisis requires having an incident-response plan, knowing where it is, and using it. Yet time and again, companies are caught flat-footed by breaches, attacks, and threats, and find themselves Banking Perspective Quarter 2, 2014 57

making up their plans as they go. While the ability to think on one s feet is vital, a crisis should not mark the first time an organization or team exercises its incidentresponse plan. Companies can improve their response to future incidents through thorough planning and testing. The right response doesn t start and end in technology. Engagement with business lines, operations, corporate communications, legal, executive management, vendors, partners, and other stakeholders is critical. What Should Companies Do now? Companies overarching goals should be to assess, understand, and monitor threats; educate employees and clients; strengthen themselves before attacks occur; and improve their real-time response to threats, attacks, and intrusions. the COMMOn element for all banking companies and indeed, all organizations in managing cybersecurity risk successfully is a governance framework that suits their risk profile. What regular reports does the board use to track cybersecurity risks? How are incidents and threats reported, and at what point are they elevated to the board? Does the board include a director knowledgeable about cybersecurity? What is expected of the board in overseeing these risks? Which board committee takes the lead? Is the board informed about the most serious cybersecurity risks facing the industry, and has it worked with executives to develop a cybersecurity risk appetite statement? Does the company have a written cybersecurity risk management strategy and governance framework? How is it measured and how well is it working? When was it last reviewed? When was the last major incident? How was it resolved, what were the results, and what weaknesses, if any, were revealed? Most important, have weaknesses been addressed? What are the most likely types of external threats? What are the internal threats? What insurance policies cover the company against network security breaches and other cybersecurity incidents? Is this coverage up to date and is it adequate? Are all of the company s information-security and risk management activities part of a defined and documented information-security program strategy? raise BOArd AwAreNess Foster understanding of cybersecurity risk through education. The board should know what questions to ask of management to ensure that it is safeguarding the company against cyber threats and attacks. Questions directors should be able to answer include: Who is in charge of information security? Who will lead incident response? Address ACCOuNtABIlIty throughout the OrGANIzAtION The governance framework is the key to addressing accountability, but there are other important steps. Companies should assemble a cybersecurity team that includes representation from IT, the legal department, human resources, and public relations, at a minimum and a designated leader to call the final shots. The CEO, with input from the board, should determine who the 58 Banking PersPective Quarter 2, 2014

Focused forward At Key, our people share a set of core values that are essential to who we are and how we interact with our clients, communities, and each other. A vital part of these values is to take corporate responsibility seriously. We direct our time, expertise, and resources toward community and philanthropic investments, promoting diversity and inclusion, and driving sustainability. These core values enable us to be Focused forward on our journey to create a top-tier organization that exceeds the expectations of our Corporate, Community, and Private Bank clients. Visit key.com for more information. Key.com is a federally registered service mark of KeyCorp. 2014 KeyCorp. KeyBank is Member FDIC. ADL1234

leader should be, taking into account the team s mix of skills and experience. Strengthen Enterprise-Wide risk management frameworks Ensure that cybersecurity risk is monitored and addressed. Companies are already accustomed to mapping risks whether in heat maps, spreadsheets, or other formats to model and communicate risks visually and separate acceptable risks from unacceptable ones. Yet this process seldom extends to cybersecurity risk. Companies that do not invest prudently in technology risk falling behind and exposing themselves to constantly changing cyber threats. Assess controls and compliance with laws and regulations The starting point is to understand the many regulations that address cybersecurity risk. Compliance can t be verified through a once-a-year audit. Regulations, guidance, and the priorities of regulators change. Companies may be subject to multiple jurisdictions with overlapping or contradictory rules. Getting all teams working toward the same goal without interfering or duplicating activities guarantees efficiency while maintaining regulatory compliance and increasing regulators confidence in the organization. Scrutinize vendor relationships Vendors have access to important systems and data. This puts companies at risk of loss, manipulation, or theft of data that can expose external and internal relationships. Companies should be prepared to calculate the risk and necessity of current and potential vendors; adopt formal vendor-management policies and procedures; and train employees. Adopt and test the incident-response plan at multiple levels Every company should have an incident-response plan that can be put into action quickly in the event of a cyber threat or attack. Elements of this plan should include identifying team members to call upon in the event of a breach, detailing their roles, and establishing written protocols for determining how to inform clients, shareholders, regulators, and law enforcement. One of the most critical steps is to test the incident-response plan. Testing is the only way to determine whether the underlying assumptions of the plan will work in reality, and it gives incident-response team members muchneeded practice in working together during a crisis. Conclusion Bolstering a company s ability to withstand cyber threats and attacks requires a comprehensive response, including fostering board engagement, strengthening risk management, assigning managerial accountability, adopting and testing contingency plans, and making steady and appropriate IT investments. Over time, companies should continue to improve their cybersecurity programs through sound risk management, continuing to raise the bar, expanding security tool and process coverage, refining security operations to be more efficient, and responding to new and emerging threats. Compliance with the rules is expected but genuine security requires steady evaluation and alignment of the cybersecurity risk framework with the company s business objectives, governance, risk management, IT, and regulatory considerations. Earl Crane, a senior principal at Promontory, contributed to this article. 60 Banking Perspective Quarter 2, 2014

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information