Reduce banking risk with common controls, cybersecurity


Test-once, apply-many approach provides benefits


Managing risk in the banking industry constantly gets more challenging as new compliance requirements emerge from a seemingly unending stream of agencies and the threat of a cybersecurity breach is always just one click away.


But financial institutions are finding that by standardizing their networks of controls with a common control framework and implementing new technology, they are simplifying compliance across different platforms and the requirements of various regulators. And banks are joining an industry-led initiative called Sheltered Harbor to protect the most critical client data and account access from cyberthieves.


Related to compliance controls, on a basic level, Grant Thornton clients who receive multiple System and Organization Controls (SOC) services are encouraged to establish entity-wide controls across their entire portfolios.


“It’s important to take a holistic approach and identify common risks and common controls across the different platforms,” said Grant Thornton Senior Manager, Strategic Assurance & SOC Services Anthony Astorga. “Then you apply a test-once, apply-many approach across the different frameworks. This limits the amount of control testing and evaluation needed on that front.”


Such an approach helps create efficiencies for the service auditors as well as the clients, who are able to reduce the effort required to accumulate information and respond to the auditors’ needs.


On a more comprehensive level, organizations see even more benefit when they establish a consistency in the control language across all their compliance requirements.

Vincent Concialdi

“Streamlining controls across the SOC portfolio is one step, and you can take it a step further and expand that same control language across all control requirements.”

Vincent Concialdi

Grant Thornton Partner, Strategic Assurance & SOC Services


“When companies have multiple sets of controls across the organization based on different compliance requirements, it creates confusion and inefficiencies within the organization,” said Grant Thornton Partner for Strategic Assurance & SOC Services Vincent Concialdi. “Streamlining controls across the SOC portfolio is one step, and you can take it a step further and expand that same control language across all compliance requirements.”


A common control framework also enables organizations to establish and maintain more effective collaboration with the audit firm that performs their SOC services. 


With a common control framework, it’s usually easier to verify whether the organization has the correct controls in place to enable the engagement to proceed effectively. This can save the organization time and reduce costs.




Taking advantage of technology


A uniform control language paves the way for an organization to take full advantage of technology and compliance management software that’s available to track compliance efforts and integrate new regulatory requirements into existing controls.


“When an organization is forced to comply with a new compliance requirement, our software can apply the specific criteria to the organization’s common control framework,” said Grant Thornton Strategic Assurance & SOC Services Partner Dennis Bell. “This allows the organization to leverage the controls it currently has in place and only focus on the delta that exists in the new requirement.”

Charles Curran

“Having all the different requirements and standards in one system or tool makes tracking and monitoring compliance activities more efficient.”

Charles Curran

Grant Thornton Principal, Strategic Assurance & SOC Services


The software helps an organization build and execute on all its compliance efforts as it standardizes workflows. It streamlines preparation for SOC services and other compliance requirements by collecting the documentation that will be needed for assurance services.


“These compliance management software products and tools have become more widely accepted by organizations because of the benefits they can offer,” said Grant Thornton Principal, Strategic Assurance & SOC Services Charles Curran. “Having all the different requirements and standards in one system or tool makes tracking and monitoring compliance activities more efficient and allows you to automate processes such as data collection to reduce the burden on individuals.”


The technology also can be used to pull samples of populations for the audit teams to test. When testing parameters are objective rather than subjective, the technology may even be able to perform testing itself on an entire data sample.




Managing cybersecurity risks


Meanwhile, banks are always near the top of cybercriminals’ target lists because of their availability of capital and their access to volumes of client data.


To combat these risks, financial institutions may wish to participate in an industry-led initiative called Sheltered Harbor, which is designed to preserve their customers’ timely access to balances and funds even if a catastrophic event such as a cyberattack causes critical systems — including backups — to fail.


“It’s an important step for maintaining customer confidence,” said Grant Thornton Strategic Assurance & SOC Services Manager Kevin Leuck. “If a threat causes harm to a bank’s platform or IT systems, the customer’s information and funds are still protected and available when needed.”


Sheltered Harbor participants agree to maintain three core elements to keep their customers’ accounts and information safe:

  • Data vaulting. Critical consumer account data is backed up, encrypted and transferred each night to a data vault that is completely separate from the financial institution’s systems. This separation or gap is designed to make this information inaccessible to attackers.
  • Resilience plan. Sheltered Harbor participants agree to create and maintain a plan to address all the steps necessary to restore service in the event of a cyberattack that causes all options to restore critical systems to fail.
  • Certification. To be certified in the program, a financial institution must have an annual independent audit of its compliance with a robust set of safeguards and controls.

“We believe that it’s not about if you will experience a cyberattack but when you will be attacked,” Concialdi said. “So you need to have a plan in place for the end user to recover the data so that they can continue operating and functioning without any interruption. It’s critical to the marketplace, the industry and the end consumer.”




A transformative time


Fast-moving regulatory developments and technological advances are bringing substantial change to risks and controls, and this can mean an increased compliance burden that can lead to higher costs.


But a control framework that’s standardized across the organization can simplify compliance and enable new tools to unleash cost-saving capabilities. In the SOC environment and in the organization overall, this can make a big difference in effectiveness and efficiency.




Our banking featured industry insights