How Risk-Based Cybersecurity Programs Differ Between Community & Global Banks
In today’s complex digital world, cybersecurity threats are high and rising. The Identity Resource Center’s 2017 Annual Data Breach Year-End Review reports that publicly disclosed data breaches were up 45 percent from 2016. And the 2018 Thales Global Data Threat Report notes that 71 percent of U.S. enterprises have suffered at least one data breach “over the past several years,” with 46 percent reporting a breach “in the past year,” up from 24 percent in the prior survey. As cyber threat volume and sophistication increase, financial institutions of all sizes are challenged to maintain and prove cyber safety and soundness.
Cyberattacks cross borders and do not discriminate among financial institutions. From large money center banks to local community banks and credit unions, hackers can and will attack. Faced with increased regulatory pressures, leadership teams are investing in people, process and technology to address cyber threats and enhance data security.
Top Priority - Cyber and Data Security
EY’s Global Banking Outlook 2018 reports that 89 percent of banks rank enhancing cyber and data security as a top priority for the current year. Although the threats and risks are the same regardless of institution size, size does matter when it comes to the resources financial organizations can use to prepare for, and respond to, cybersecurity issues.
Typically, large money center banks have hundreds of IT personnel focused on cybersecurity and regulatory compliance, while a community bank might have only a few professionals in the entire IT department. For community banks and credit unions that are resource-constrained, and often located in smaller towns or rural areas, a cybersecurity workforce shortage further exacerbates the situation. ISACA, a non-profit security association, reports that 53 percent of organizations take up to six months to find qualified cybersecurity staff. If current trends continue, by 2019 the global shortage of cybersecurity professionals will reach two million.
Playing Defense – Implementing a Risk-Based Program
Today, security breaches, compromised databases and malicious hacking activity are commonplace. With increasing regulatory pressure being placed on financial institutions, monitoring security compliance is an effective weapon that bolsters the protection offered by tracking cyber threats. In fact, 74 percent of U.S. organizations think adhering to compliance requirements is either “effective” or “very effective” in improving security, according to the 2018 Thales Global Data Threat Report.
Enterprise risk professionals must implement a stringent risk-based management program as part of an overall information security program. The program must be based on a recognized, standard framework such as ISO 27001, COBIT or NIST to ensure all cyber-related components are addressed and a cohesive cybersecurity plan is in place. Industry-specific frameworks, such as the Federal Financial Institutions Examination Council’s Cybersecurity Assessment Tool (FFIEC CAT) for banking, draw from these broader frameworks and extend their principles to how the industry operates. These frameworks include written policies with controls to ensure policy enforcement. Management, auditors and examiners will want to know whether active compliance monitoring is in place to minimize risk and provide greater visibility across the organization.
The Path of Least Resistance
Large financial organizations, which have more resources and maturity in cyber-related issues, typically will have implemented programs based on one of these frameworks. Limited by resources, smaller organizations may have developed their own policies, piecemealed over time, leading to gaps, redundancy and exceptions.
As Sun Tzu stated in “The Art of War,” water flowing downhill will take the path of least resistance. It is logical to expect that hackers and cyber “bad actors” will attack less sophisticated targets. Institutions that lack a risk-based framework for their cybersecurity program elevate their risk of experiencing nefarious activity.
Cybersecurity + Cybercompliance Technology
Despite resource constraints, smaller financial organizations can benefit from innovative technology just as large money center banks do. They should consider technology that is cloud-based for affordability and real-time capabilities, co-managed to extend the cyber expertise available to them, and that includes automated compliance monitoring to enhance effectiveness. This approach gives smaller financial institutions a cost-effective way to be threat and compliance ready and to deliver real-time cyber safety and soundness comparable to the largest global bank.
Each global financial institution, community-focused bank and credit union is a high-value target for potential cyber events. However, for smaller organizations, regulatory pressures, staffing needs and budget realities make staying safe and compliant particularly challenging.
Regardless of size, financial institutions need a risk-based approach to manage and monitor both cybersecurity and cybercompliance to be able to continuously check on controls and correct exceptions. This active compliance monitoring should roll up the management chain to provide enterprise visibility and minimize digital threats.