Cybersecurity risk: Managing Multiple Security and Compliance Requirements

Even in the midst of the Covid-19 pandemic, cybersecurity risk remains the No. 1 risk management concern for many banks. In fact, pandemic-driven changes – such as remote workforces, increased IT system use and greater reliance on third parties and cloud providers – actually make cybersecurity risk an even higher priority for boards and executive teams.

With banking operations so heavily dependent on secure and reliable data systems, bank directors and executives need to be actively involved in overseeing the management of technology and cybersecurity risks. Unfortunately, the challenge of addressing these risks sometimes is complicated by the myriad compliance requirements associated with today’s complex and expanding array of data privacy and security standards.

An essential early step in any cybersecurity effort is getting a clear picture of the bank’s overall data landscape and the associated compliance requirements. A thorough risk assessment enables management to produce a comprehensive inventory of the various types of data the bank collects, handles and maintains, along with a clear path tracing the data’s origins and recipients.

Directors should verify that, in addition to specific data-related regulatory requirements, the risk management team also assesses customers’ security expectations and third-party contractual requirements related to data security.

Broadly speaking, banks typically encounter four types of compliance requirements:

1. Banking regulations. Most directors are aware of specific cybersecurity-related regulatory requirements, such as the Federal Financial Institutions Examination Council’s Cybersecurity Assessment Tool and the New York State Department of Financial Services cyber regulations. Periodic visits by regulators should confirm that the bank is managing these risks effectively.
2. Attestation requirements. Beyond specific regulatory requirements, independent certification by objective third parties can give customers and others confidence that the organization is effectively managing IT risk. Examples include system and organizational control audits, federal Cybersecurity Maturity Model Certification and compliance with payment card industry standards.
3. Good hygiene requirements. Banks adopt these optional frameworks to help provide organizational direction to their cybersecurity programs. Examples include National Institute of Standards and Technology frameworks and Critical Security Controls published by the Center for Internet Security.
4. Hybrid requirements. These are regulatory requirements that are not subject to regular attestation or examination but that could present risk, particularly if a security incident occurs. Examples include state privacy laws, International Traffic in Arms Regulations requirements and similar rules that generally become issues only after the fact if regulators determine they have not been managed properly.

Creating a unified control framework
Despite variations in standards, most data security frameworks involve similar control sets. By mapping and aligning these commonalities, banks can reduce their overall compliance burden, creating an integrated system of controls that satisfies the most demanding requirements of each framework.

Governance, risk and compliance (GRC) solutions can help manage and track these requirements while also documenting the bank’s control capabilities, testing and tracking of action plans and open items. Automating the GRC effort can improve compliance by synchronizing information, identifying overlaps and redundancies and enhancing efficiency.

Such GRC solutions should encompass third-party relationships. As banks engage with growing numbers of fintech companies and other external providers, they must be able to demonstrate that their third-party affiliates are complying with applicable cybersecurity standards. A unified control framework can streamline this effort, eliminating the need for separate audits and reviews of common controls.

Managing and maintaining the effort
In addition to triggering the initial design and implementation of a cybersecurity compliance program, bank boards and executive teams also must actively oversee its ongoing management. Cybersecurity compliance is not a “set it and forget it” event.

Directors have ongoing oversight responsibilities regarding the individuals and teams that are charged with tracking changes to cybersecurity requirements and maintaining, documenting, and reporting compliance. Because compliance is a critical business requirement, top-down support at the board level is critical.

Directors should verify there are clear lines of responsibility and reporting, with direct links to relevant board committees. Other nonattest services, such as penetration testing, can provide added confidence. In many instances, such testing is also a compliance requirement that regulators or assessors expect banks to perform.

Although cybersecurity compliance by itself does not guarantee data security, it does establish trust on the part of customers, shareholders, regulators and others who have valid interests in maintaining the security and integrity of critical data. As banking operations become even more reliant on data technology, it is increasingly important that bank directors are actively engaged in overseeing both compliance and security concerns.