According to the 11th Annual Global Information Security Survey conducted by PWC and CSO, 84% of CEOs, 82% of CIOs and 78% of CISOs are confident in their organization’s formal cybersecurity program. However, the number of organizations reporting losses of more than $10 million per incident is up 75% since 2012. Why do these C-level members believe their cybersecurity programs are doing more than an adequate job? Perhaps it’s because their organizations are most likely spending more of their annual budget on cybersecurity defenses and applying more internal resources to manage cybersecurity controls.
Unfortunately, in today’s complex Internet-based environment, the number of cyberattacks is increasing. Cyber criminals are smart, capable, and conniving, always developing new ways to compromise systems and data. Business leaders should consider the impact of a cyberattack and prepare and plan for how to minimize reputational, financial, and operational impact. This includes looking beyond traditional, “must have” block-and-tackle cybersecurity controls (firewalls, intrusion prevention, and anomaly detection) and increasing focus on resilience: a strategy that starts with the senior leaders of the organization and includes tactics like developing a risk appetite statement, practicing reacting and responding to common cyberattack scenarios, and ensuring that cybersecurity control strategies are commercially reasonable.
Develop a Cyber Risk Appetite Statement
The C-level members are ultimately responsible for the success of their financial institution’s (FI) information security program. Strategic business decisions to deploy new customer-facing electronic banking services require an assessment of risk to ensure consistency with the overall risk appetite for the organization. For example, if an FI deploys P2P, consumer mobile RDC, or Cloud-based services without first conducting a risk assessment, they leave the FI open to legal, financial, and reputation risk if NPI or financial transactions are compromised. Treating all assets and all risks as equal is never cost effective. Business leaders need to consider weighting IT budgets to protect their most important assets with the greatest amount of rigor.
Practice Strategies for Effective Response and Recovery
When queried at a recent banking conference, every FI represented confirmed it had a formal written Incident Response Plan in place. This has been a federal requirement since the early 2000s (per GLBA). However, when this audience was probed for more detail, most admitted that their Incident Response Plans did not incorporate scenarios for DDoS attacks and Commercial Account Takeover, or assign severity levels to common cyber events. Many also named the IT Officer as the only member of the Incident Response Team. Additionally, these plans were not tested or “practiced”; if they were, these obvious gaps would be identified.
Business process testing that incorporates the possibility of simultaneous attacks on both the vendor and the FI should also be considered for these plans. In the FFIEC’s Cybersecurity Assessment Tool (June 2015), an entire domain is dedicated to incident response and business resiliency. A priority should be involving senior leaders in your next cyberattack incident response tabletop test. This is a practical way to create awareness and understanding of how specific business processes may be compromised during cybersecurity incidents. Creating innovative response measures and identifying gaps in the cyber incident response plan will reduce the financial loss and reputation risk a cyber event poses to your organization.
Ensure Commercially Reasonable Security Controls
Another advantage of the FFIEC’s Cybersecurity Assessment Tool methodology is that the results demonstrate the alignment of inherent risk with prudent and reasonable business methods (commercially reasonable security controls). Security controls selected on the basis of inherent risk can be benchmarked and documented so that FIs of similar size, complexity, nature, and scope can be compared consistently. This could prove in court that, despite the negative impact of a cyberattack, FI management did everything “commercially reasonable” to identify, prevent, detect, respond to, and recover from a cyber event.
In this complex, risk-ridden Internet-based environment, considering these focus areas for resiliency may ensure that cyberattack losses and impacts are minimized and your reputation remains intact.
Jackie Marshall is Director of IT Regulatory Compliance for Gladiator Technology, a ProfitStars solution. She is responsible for developing and maintaining IT regulatory/compliance-oriented products and services for financial institutions throughout the nation. With more than 24 years of business experience in the financial services industry, Jackie has extensive knowledge of IT regulatory compliance. As a recognized expert, she skillfully guides clients through state and federal compliance regulations, industry standards, and audit recommendations for IT and security issues.