Guest Opinion: Understanding IT Risk in the Financial Industry
You see it on the news almost every single day. Another security breach has occurred, customer data has been compromised, and the company’s reputation has now been tarnished. Not only is a cybersecurity breach a PR nightmare, but it can cost your institution a huge amount of money in liability and churn. Of the top 10 financial services industry breaches that have occurred, over 526 million customers were affected. To put this into perspective, the current US population is just over 327 million. Let that number sink in, because it’s a poignant one.
As a member of a board or executive team, I’m certain that your concern with your financial institution’s security program has been a growing one over the past few years. Speaking with a bank’s CEO recently, he noted to me “This cybersecurity is going to be a ‘thing’ for us now, just like compliance and audits are.” While the growing concern and regulatory focus is clear, quantifying and measuring an organization’s inherent IT risk isn’t easily done. This isn’t to say that it can’t be done, only that it’s not as black-and-white as most would like it to be. There isn’t a simple test or standard that can be uniformly used across the entire financial industry to assess risk, which means that the answers don’t come easy. But that certainly doesn’t mean it shouldn’t be seriously and carefully addressed.
Find Your Starting Point
If you want to begin rating your institution’s security program, you need to first come to terms with the realization that it fits into a larger context of risk assessment processes. It isn’t going to be easy, but it can be done. Start by utilizing the existing standards relevant to the financial services industry. I like to start with the FFIEC, as they have a measurement framework called the Cybersecurity Assessment Tool, which offers very well-documented standards that financial institutions are required to follow. Starting with those standards, you can then look in detail at the specific controls that are used to protect against cybersecurity risks, and rate each one of those according to an implementation scale.
Don’t Become a Victim of Oversight
I see this problem often: Taking a compliance-based approach, a bank might say that they’re following the standards, but have no proof that they actually are. When I first got into the banking industry, I came from an information security background. I was shocked going into meetings with many smaller banks at how many of their security officers had zero background in IT risk. They were promoted into a position that they didn’t have the background for.
Unfortunately, many institutions’ security officers are promoted to their positions because of tenure, not because of experience. This means that they’re lacking the training and expertise to effectively measure and report on their business’ IT risk, inherently leaving their institution vulnerable to a breach.
To circumvent the issue of not having employees who can effectively measure their risk, many banks will rely on a 3rd party IT firm to tell them if they’re following industry standards. Regrettably, this in itself can be problematic. They’ll probably get an IT/security audit every year, and those audits, by nature, are partial. If those audits don’t include a deep evaluation of the organization’s security program as a whole (which they don’t), then they’re not getting a complete picture of their security program. Regulators will also come in to do a regulatory exam, and it’s the same issue of poor or incomplete information.
What’s most frustrating to me about this oversight is knowing that if these institutions had the right information, they could not only reduce their risk and susceptibility to a breach, but they could also potentially focus their spending in ways that would benefit their organization. Weaknesses also exist in the framework itself (FFIEC), in that while it’s a great starting point, it just doesn’t offer enough detail about the rating of each control. Meaning, the ratings are simply too subjective. Are you just barely meeting the standards? Are you way above? Way below? If examiners don’t evaluate that, it can become a real problem.
If You’re Serious About Breaches, You Need to be Serious About Risk Assessment
It really requires a much deeper look at the processes around what you’re trying to protect. The best thing you can do? Hire a knowledgeable independent firm to review and assess the nitty- gritty details. A reputable and experienced firm will perform a threat-informed risk assessment or take a scenario-based approach, which will in turn give you the likelihood and costs of a breach to your institution, as well as how you can most effectively improve the areas that will make the most difference. They will look at what’s happening in the industry today, and use the most current threats to help tailor a deeper look into the controls that will help protect against those attacks.
Banks - especially those with under $5 billion in assets - don’t typically have many high quality, super knowledgeable IT and data professionals around. They’re expensive, and they’re difficult to come by. They need a trusted 3rd party to come in and do an independent review, and it’s best that this happens annually in order for their security program to remain current against prevailing attacks.
Gregory Smith is a Senior Risk Advisor with Alagen cybersecurity solutions. He is an accomplished consultant with over 30 years in financial services, cybersecurity and information technology consulting.