Reduce banking risk with common controls, cybersecurity

Test-once, apply-many approach provides benefits

Managing risk in the banking industry constantly gets more challenging as new compliance requirements emerge from a seemingly unending stream of agencies and the threat of a cybersecurity breach is always just one click away.

But financial institutions are finding that by standardizing their networks of controls with a common control framework and implementing new technology, they are simplifying compliance across different platforms and the requirements of various regulators. And banks are joining an industry-led initiative called Sheltered Harbor to protect the most critical client data and account access from cyberthieves.

Related to compliance controls, on a basic level, Grant Thornton clients who receive multiple System and Organization Controls (SOC) services are encouraged to establish entity-wide controls across their entire portfolios.

“It’s important to take a holistic approach and identify common risks and common controls across the different platforms,” said Grant Thornton Senior Manager, Strategic Assurance & SOC Services Anthony Astorga. “Then you apply a test-once, apply-many approach across the different frameworks. This limits the amount of control testing and evaluation needed on that front.”

Such an approach helps create efficiencies for the service auditors as well as the clients, who are able to reduce the effort required to accumulate information and respond to the auditors’ needs.

On a more comprehensive level, organizations see even more benefit when they establish a consistency in the control language across all their compliance requirements.

Taking advantage of technology

A uniform control language paves the way for an organization to take full advantage of technology and compliance management software that’s available to track compliance efforts and integrate new regulatory requirements into existing controls.

“When an organization is forced to comply with a new compliance requirement, our software can apply the specific criteria to the organization’s common control framework,” said Grant Thornton Strategic Assurance & SOC Services Partner Dennis Bell. “This allows the organization to leverage the controls it currently has in place and only focus on the delta that exists in the new requirement.”

Managing cybersecurity risks

Meanwhile, banks are always near the top of cybercriminals’ target lists because of their availability of capital and their access to volumes of client data.

To combat these risks, financial institutions may wish to participate in an industry-led initiative called Sheltered Harbor, which is designed to preserve their customers’ timely access to balances and funds even if a catastrophic event such as a cyberattack causes critical systems — including backups — to fail.

“It’s an important step for maintaining customer confidence,” said Grant Thornton Strategic Assurance & SOC Services Manager Kevin Leuck. “If a threat causes harm to a bank’s platform or IT systems, the customer’s information and funds are still protected and available when needed.”

Sheltered Harbor participants agree to maintain three core elements to keep their customers’ accounts and information safe:

• Data vaulting. Critical consumer account data is backed up, encrypted and transferred each night to a data vault that is completely separate from the financial institution’s systems. This separation or gap is designed to make this information inaccessible to attackers.
• Resilience plan. Sheltered Harbor participants agree to create and maintain a plan to address all the steps necessary to restore service in the event of a cyberattack that causes all options to restore critical systems to fail.
• Certification. To be certified in the program, a financial institution must have an annual independent audit of its compliance with a robust set of safeguards and controls.

“We believe that it’s not about if you will experience a cyberattack but when you will be attacked,” Concialdi said. “So you need to have a plan in place for the end user to recover the data so that they can continue operating and functioning without any interruption. It’s critical to the marketplace, the industry and the end consumer.”

A transformative time

Fast-moving regulatory developments and technological advances are bringing substantial change to risks and controls, and this can mean an increased compliance burden that can lead to higher costs.

But a control framework that’s standardized across the organization can simplify compliance and enable new tools to unleash cost-saving capabilities. In the SOC environment and in the organization overall, this can make a big difference in effectiveness and efficiency.