New cybersecurity framework can help financial services firms manage risk

Man with laptop in hard drive room 2As technology revolutionizes the way we communicate and do business, data security is now a top corporate concern. Cybersecurity is a critical component in any IT strategy and it encompasses technologies and processes specifically designed to protect data, computers and networks from anyone trying to unlawfully access or steal data through the Internet.

Cybersecurity strategies and tools have struggled to keep up with ever-evolving threats, and industry has learned that best practices must change frequently to keep cybercriminals at bay. In addition, cybersecurity implementation can be even more difficult for companies with complex or aging systems, creating an additional source of risk.

The financial service industry and cybersecurity

For organizations with highly valuable data, the stakes are even higher and security is even more critical. For financial services companies, data is almost irresistibly attractive to thieves. Risks include threats to personal or corporate banking account information, identity fraud, data alteration, data theft, transaction fraud, wire transfer fraud, credit card information protection, money laundering and much more.

Financial services companies simply cannot afford to wait.  

Banks have been especially aware of threats, meeting most security challenges. An example is Internet banking — consumers were initially slow to adopt it, believing it to be more vulnerable to fraud or identity theft. Banks moved quickly to shore up their technology and security processes and consumers flocked to the new online products. It is now a dominant force for banks. The great news for consumers is that online banking is now considered safer than mailed paper statements. The challenge will be to keep pace — and outpace — potential security threats going forward.

A brief history of U.S. government involvement

The U.S. government has attempted to enact cybersecurity legislation for years, beginning with the Cybersecurity Act of 2010, which encouraged public/private collaboration on cybersecurity issues, especially those private entities that may process data critical to national security interests. The controversial Act also attempted to give the president special powers to intervene in case of a major security threat — up to the point of shutting down the Internet entirely. Although the Act was not passed into law, another version, the Cybersecurity Act of 2013, has been introduced and is in the review stage. Other notable bills included the International Cybercrime Reporting and Cooperation Act of 2010 and the Protecting Cyberspace as a National Asset Act of 2010 — both of which failed to advance to a vote.

Proposed NIST framework

The NIST framework can provide an excellent starting point for senior executives to establish or enhance cybersecurity policies. 

Executive Order 13636 calls for the development of a cybersecurity framework that provides a “prioritized, flexible, repeatable, performance-based and cost-effective approach” for managing cybersecurity risk. Fulfilling that directive, the National Institute of Standards and Technology (NIST) released the Discussion Draft of the Preliminary Cybersecurity Framework on Aug. 28, 2013. An organization can use the framework to establish a new cybersecurity program or improve an existing program.

The cybersecurity framework is composed of three parts: 

  1. Framework core. The framework core compiles cybersecurity standards and best practices across five areas: identify, protect, detect, respond and recover. It is used to provide a high-level, strategic view of an organization’s cybersecurity risk management.
  2. Framework implementation tiers. Four tiers demonstrate the degree to which an organization has put core standards and best practices into effect and indicate how cybersecurity risk is managed. These tiers range from Partial (Tier 0) to Adaptive (Tier 3). 
  3. Framework target profile. The target profile maps how specific risks will be addressed. It is used to measure implementation progress.

 “A framework assists an organization in understanding the maturity of their current control environment to mitigate risks that are relevant. A framework also can be used as a roadmap by identifying the gaps between the current state and target state of the control environment.”
—W. Graham Tasman, Grant Thornton LLP Business Advisory Services Principal

Financial services companies: Using the framework

Financial services companies are an important focus for the proposed cybersecurity regulations, so understanding the expectations and acting quickly are critically important. Some recommendations need to be tailored to each organization’s specific infrastructure, so awareness and early action are key.

The framework is far from final, and many interested parties are expected to weigh in as the final legislation takes shape. Some controversy has erupted around debates on interpretation of the legislation. For example, the framework does not go into specifics on how to best implement cybersecurity protections, plus it currently favors self-regulation rather than mandates. These issues will be ironed out over time.

Why financial services clients should act now

Financial services companies simply cannot afford to wait. Some 90% of senior executives and directors at the nation’s largest banks said cybersecurity risk is their top concern, according to a new survey by Bank Director magazine and Grant Thornton. Breaking cybersecurity down further, respondents cited multiple concerns: online banking fraud was an issue for 76%; 73% said data theft was an issue; 57 % cited denial-of-service attacks; and 52% cited security risks posed by mobile application usage. As customers increasingly turn to mobile banking, the risks are likely to grow.

In addition, the pending SEC Regulation SCI (Systems Compliance and Integrity) proposes new rules that require market participants to have IT system policies and procedures in place. Financial services companies may run the risk of being behind or having to fund costly last-minute compliance efforts if they don’t act quickly.

Grant Thornton recommendations

  • Get leadership buy-in. Senior (or C-suite) executives must be on board with establishing the cybersecurity framework to ensure all organization levels are involved in the process and the “right” business risks are considered. This issue is far greater than just IT strategy — it is everyone’s concern.
  • Assess current state. Objectively assess the current control environment and decide the target state based on the regulatory and business environment. An objective assessment should ideally be performed by an independent party. 
  • Tailor your approach. Do not take a “plug-and-play” approach to your organization’s framework. Select the framework areas that are both efficient and effective for your current environment.
  • Test your framework. The framework, or risk and controls identified, should be tested periodically to confirm effective operation of the controls.
  • Review your framework. Periodically revisit the framework to confirm it is updated as needed. Remember, your framework should be able to adapt to the changing environment and risks for your industry.

Moving forward

Recent incidents in the marketplace have jolted senior executives with oversight over their company’s cybersecurity infrastructure. Because of incidents such as the interruption of normal bank business operations through website hacking and technology glitches that have halted markets, an established control environment is no longer an option. The regulators have taken notice, as evidenced by Regulation SCI and Executive Order 13636. The NIST framework provides an excellent starting point or discussion piece for senior executives to establish or enhance cybersecurity policies.

Get the PDF.