The Five Critical Attributes of Effective Cybersecurity Risk Management


risk-manangement-3-15-16.pngThe size, complexity and ever-evolving nature of cyberattacks mean there’s no one-size-fits-all way to respond. Whatever your organization’s plan to mitigate the risk of data breaches, to be effective, it must encompass the five attributes discussed here.

Attribute One: An Effective Framework
An effective, appropriate framework is an essential place to start. The centerpiece of any cybersecurity risk management program, a cybersecurity framework is a standard designed to assist with managing the confidentiality, integrity and availability of data and critical infrastructure.

Many frameworks are now in use in various industries (some common ones include the National Institute of Standards and Technology Cybersecurity Framework, International Organization for Standardization, and ISACA’s COBIT). Regardless of which framework an organization chooses for managing its cybersecurity program, the framework will need to be adapted and fine-tuned to reflect the organization’s size and the nature of the data being protected. The point here is not to advocate for one framework over another; rather, the point is that choosing and implementing a framework is an essential first step in guarding against cybersecurity threats and launching a cybersecurity risk management program.

Attribute Two: End-to-End Scope
The second critical attribute of a cybersecurity program is its scope. An effective program must be comprehensive, or end to end, in scope—that is, the program must address all the critical elements that need to be protected in the institution.

To understand your full scope, you must “follow the data” and identify everywhere sensitive data is created, stored or transmitted. Beyond the immediate system, there might be many unknown data stores, including cloud services and third-party vendors.

Attribute Three: Thorough Risk Assessment and Threat Modeling
Because no institution has unlimited resources to devote to cybersecurity, the multiplying array of threats means risk assessment and prioritization are essential. By monitoring emerging threats and assessing both their likelihood and the damage they could cause, the cybersecurity team can develop a decision heat map that plots the potential risk against the cost and effort that would be required to protect against it.

Attribute Four: Proactive Incident Response Planning
For much of its history, the cybersecurity industry focused on preventing attacks. But today, although prevention remains crucial, the focus is shifting away from prevention alone and is turning instead to being prepared for the worst. Although breach prevention remains paramount, preparing for the worst case is becoming equally important. Preparing an incident response plan—and updating it regularly—is a minimum first step.

Once an incident has occurred, a bank can follow the typical incident response plan, which encompasses certain fundamental steps, including the following:

  • Inventory and understand the data to be protected.
  • Inventory and classify incidents.
  • Understand known threats and monitor new ones.
  • Identify the stakeholders and incident response team—corporate communications, legal, compliance, lines of business, IT and external forensics partners.
  • Set up a command center.
  • Develop and implement a containment and investigation strategy.
  • Develop and implement an evidence preservation strategy.
  • Develop and implement a communication plan for customers, media, regulators and other stakeholders.
  • Conduct a post-mortem and apply lessons learned.

Attribute Five: Dedicated Cybersecurity Resources
The final critical attribute of a cybersecurity initiative is having sufficient resources dedicated to the effort—in particular, a designated cybersecurity team. Many organizations have not yet given adequate attention to this requirement, often neglecting to assign appropriate roles and responsibilities or failing to establish the necessary governance structures called for in the framework being used.

In most companies, the IT team’s day-to-day attention is focused primarily on keeping the system up and running—an understandable priority. After all, service interruptions are noticed immediately and the effects are apparent to almost everyone. On the other hand, security lapses or breaches are less visible than service interruptions—at least at first—and the benefits of prevention and incident planning are not nearly as obvious.

The cybersecurity effort should be led by an experienced team leader for whom IT security is his or her primary duty rather than a secondary function squeezed in among other priorities. If the company is too small to afford a cybersecurity staff member, consider retaining a professional cybersecurity firm to implement the IT security function in order to develop appropriate prevention and response plans.

Understanding the Board’s Role in Cybersecurity


cybersecurity-3-7-16.pngUnfortunately, despite the recent prevalence of cyberattacks and data breaches, many businesses neglect cybersecurity or, if they do pay attention, view cybersecurity as a technical issue for senior management. However commonplace lax oversight of cybersecurity may be in other sectors of the economy, bank directors cannot afford to neglect or delegate responsibility for cybersecurity—bank boards must be actively involved.

Regardless of size, no bank is completely safe from a cyberattack. Every bank should assume that a cyberattack will occur and, when it does, at least one defense will fail. Hackers constantly test cybersecurity defenses, transform their attack methodology, and exploit weaknesses, which, all too often, are the access points used by third-party vendors providing critical services.

Banks are expected to take steps to prevent intrusions, prepare for the possibility of cyberattack, and have processes in place to resume business continuity. Bank examiners look to see if a bank has an integrated system of technology, processes and practices employed to protect networks, computers and data from attack. Bank examiners also look to see whether the board, as the driver of governance controls, is actively involved with senior management in development of a robust approach to cyber risk. Poor cybersecurity measures and lax board oversight can result in a bad IT exam, which, in turn, can negatively affect a bank’s management component rating (even though cybersecurity falls under the IT component). Worse still, a poor cybersecurity review may also negatively affect a bank’s safety and soundness rating.

As with many complex issues facing banks, the board must take steps to ensure that it is well advised regarding technological issues and has a thorough understanding of the bank’s inherent risk environment. A good first step is to make the Federal Financial Institution Examination Council’s (FFIEC) Cybersecurity Assessment Tool a part of the bank’s governance framework. The assessment tool is a two-part repeatable process review that helps banks identify their risks and evaluate cybersecurity maturity. The first part gauges the bank’s inherent risk profile, which identifies risks and threats (both internal and external), corresponding to the activities, services and products offered by the bank. The second part – the cybersecurity Maturity review – tests the maturity of the bank’s cybersecurity program, including board involvement and oversight of that program.

The board is ultimately responsible for cybersecurity, but it is not necessary that each director have a detailed technical understanding of the underpinnings of cybersecurity safeguards. Many boards appoint a board-level IT committee to take the lead on cybersecurity. Regulators expect the IT committee to own primary responsibility for the bank’s IT strategic plan, including making the board comfortable that the IT strategic plan aligns with the bank’s business strategy. As part of that process, the IT committee can incorporate the FFIEC assessment tool into its review and approval of bank IT policies, management of information security systems, training of other board members and bank management, and approval of IT budgets. Most importantly, because the IT committee is responsible for running periodic independent testing to monitor compliance, the assessment tool can be used to aid the IT committee in holding management accountable for identifying, measuring, monitoring and mitigating IT risks. Boards lacking an IT committee must work closely with senior management to tackle all of the tasks normally delegated to the IT committee and may want to consider hiring an outside consultant to advise the board on cybersecurity technologies and best practices.

The regulators have indicated that cybersecurity is going to be a key topic for exams during 2016. Federal regulators have also directed examination staff to incorporate the assessment tool into their review of bank cybersecurity and risk management. While there have been no reported civil money penalties to date related to a bank’s failure to adequately ensure cybersecurity, it is only a matter of time before examiners resort to supervisory and enforcement powers to ensure that banks adequately address cybersecurity risk. Moreover, as the scope of liability for cybersecurity risk grows, banks can be sure that insurance companies, plaintiffs’ attorneys and activist shareholders will scrutinize bank boards’ oversight of cybersecurity.

Proactive integration of the assessment tool into a bank’s governance and risk oversight framework will put the board in a better position to demonstrate satisfactory compliance on these points during an exam, help avoid any downgrade to the institution’s exam rating, and mitigate exposure to the bank and its customers from inevitable cyberattacks.

Making the Right Investment in Cybersecurity


In a January interview with Bloomberg, Brian Moynihan revealed that Bank of America Corp. has an unlimited budget for cybersecurity. “I go to bed every night feeling comfortable that group has all the money, because they never have to ask,” said the Bank of America chairman and chief executive officer. “You’ve got to be willing to do what it takes at this point.”

The vast majority of banks can’t grant carte blanche to their organization’s information security team. Bank Director’s 2015 Risk Practices Survey found that most banks, at 60 percent, dedicated less than 1 percent of revenues to cybersecurity in 2014. Thirty-eight percent allocated from 1 percent to 5 percent of revenues on cybersecurity. Two percent dedicated 5 percent of revenues to cybersecurity.

Regulators don’t mandate a minimum cybersecurity spend; how much is the right amount is up to the bank. However, banks that are prepared to battle cybercrime typically aren’t hit as hard when the inevitable data breach or hack occurs. So bank boards face some difficult decisions when it comes to protecting their bank from cybercrime. How much should the bank invest? And on what? 

Tony Buffomante, principal in information protection and cybersecurity at KPMG, says bank boards want to know what the risks are, and whether their current programs are ready to mitigate cyberthreats. Identifying the areas of the business that the bank wants to protect from a potential cyberattack—where customer account data is housed, and what processes are involved—is key to determining how much to invest in cybersecurity, and where. “If they don’t really understand what the risks are, it’s difficult to figure out, ‘Am I investing enough?’” he says.

2014 Cybersecurity Budget, By Bank Size
  All Banks >$10 Billion $5Bn to $10Bn $1Bn to $5Bn <$1Bn
Less than 1% of revenues 60% 38% 50% 59% 72%
From 1% – 5% of revenues 38% 62% 50% 38% 28%
More than 5% of revenues 2% 3%

Source: 2015 Risk Practices Survey

Cybersecurity Budget Increase for 2015, By Bank Size
  All Banks >$10 Billion $5Bn to $10Bn $1Bn to $5Bn <$1Bn
Less than 10% 52% 57% 50% 56% 42%
From 10%-25% 23% 43% 30% 23% 15%
No Increase 21% 20% 18% 35%
From 25%-50% 4% 3% 8%

Source: 2015 Risk Practices Survey

As a rule of thumb, Michael Bruemmer, vice president of the data breach resolution group at Experian, recommends that companies commit 5 percent of their revenues to cybersecurity. Two of the more technical areas that the bank’s cybersecurity budget should prioritize are intrusion detection, to detect hacks and breaches, and encryption of data to make it more secure. Bruemmer calls encryption a cybersecurity “Get Out of Jail Free Card.” Depending on state laws, companies that can prove that their data was encrypted may not have to report the breach to customers. Security breach notification laws in states such as Arizona, California and Illinois specifically reference unencrypted data.

According to a 2014 study by the Ponemon Institute, the typical data breach for the financial services industry cost $236 per record lost, but companies that followed certain practices had lower than average costs. For example, the appointment of a chief information security officer (CISO) reduces the cost of a breach by $10 per record. Sixty-four percent of respondents to Bank Director’s Risk Practices Survey say they employ a full-time CISO, a practice less common for banks with less than $1 billion in assets (44 percent).

Preventing, detecting and responding to cyberthreats is at the core of information security. Banks need expertise in understanding what the risks are, someone who can implement controls to protect customer information, as well as watch for a breach and then react to it, says Buffomante. The role may be held by multiple people within the organization, or, instead of hiring a CISO, the role can be outsourced for banks that lack that expertise on staff. 

An outsourced CISO can be just as effective, says Bruemmer. “It’s not as important who you have on staff…but that you cover all the bases, whether it is outsourced or internally.” 

The median salary for an information security officer is $75,662, according to Crowe Horwath LLP’s 2014 Financial Institutions Compensation Survey.

Bank boards should recognize that the CISO isn’t the sole guardian of the bank’s digital assets. “Executives, meaning boards and senior executives of companies, need to participate and be involved in improving their incident response,” says Bruemmer. 

Beyond technology investments, Bruemmer believes the biggest area of focus for banks should be on its employees. Training can make or break an organization’s cybersecurity efforts and investment, and Bruemmer says the root cause of most breaches is simple human error. Commonly, an employee makes a mistake and clicks a link in a phishing email, or doesn’t respond appropriately to an alert. “All of the budget expenditure in the world would not have stopped” these types of errors, he says. Employees should know not only how to prevent a breach, but how to respond to one as well. Banks need to have a plan.  

According to Ponemon, an incident response plan for cybersecurity can result in a reduction of $17 per record. These plans should be tested regularly, so the bank is prepared when a real cyberattack occurs. Seventy-six percent of respondents to the 2015 Risk Practices Survey report that their bank has a cyber incident management and response plan in place. Of these, three-quarters regularly test it.

Does your bank have a written cyber incident management and response plan?

CyberResponse_chart.png

Another investment boards should consider is cyber insurance, which can reduce the impact of a data breach by protecting the institution from customer lawsuits and covering costs like credit monitoring, customer notification and crisis management.

The Federal Financial Institutions Examination Council encourages banks to join the Financial Services Information Sharing and Analysis Center (FS-ISAC), a non-profit source for intelligence on cyberthreats, which gives banks access to information on the latest threats. The agency also plans to release a cybersecurity self-assessment tool, which will help institutions evaluate their ability to mitigate these risks. 

Bruemmer argues that the success and failure of a bank’s cybersecurity preparedness doesn’t come down to how much money is thrown at the problem. Instead, it’s more about the bank’s dedication to protecting the bank, and focusing resources on the issue. The board should play a strong role, though fewer than 20 percent regularly address cybersecurity within meetings, according to the 2015 Risk Practices Survey. Just 8 percent of respondents from banks with less than $1 billion in assets say their board addresses the issue at each board meeting. Although the board’s job isn’t to manage the bank’s security, it should provide effective oversight in terms of knowing about the bank’s security plans, staffing and resources, and making sure those are adequate.

Cybersecurity “needs to be part of the board-level strategy discussion, says Bruemmer. It “is so impactful to the organization’s ongoing reputation and viability, [and] it needs to be connected to the board level,” says Bruemmer.