What’s Changing on the Cybersecurity Compliance Landscape?
Regulators are placing more emphasis on cybersecurity compliance, expecting institutions to maintain a secure IT infrastructure, actively mitigate risks and meet the complex regulatory requirements of the financial industry.
At its core, cybersecurity compliance fulfills necessary regulatory requirements by implementing proven security controls to protect your organization. Let’s explore four critical topics to consider as you navigate the evolving cybersecurity landscape, from new regulatory guidance to cyber insurance.
1. Enhancing Cybersecurity Compliance with the Ransomware Self-Assessment Tool
Though institutions have implemented a variety of cybersecurity controls to protect against threats, cybercriminals continue developing new attacks and exploiting vulnerabilities. Institutions must continually evaluate and update security controls to protect their networks and data from malicious activity. The Ransomware Self-Assessment Tool (R-SAT) was developed to help institutions accomplish this goal.
In 2020, the Bankers Electronic Crimes Taskforce (BECTF), State Bank Regulators and the United States Secret Service launched the R-SAT to help community financial institutions reduce the risks of falling victim to ransomware. This 16-question assessment measures an institution’s readiness for ransomware attacks by identifying potential security gaps and providing a framework of controls to mitigate those threats.
Many states across the country—including Texas and California—require or recommend that financial institutions complete this assessment. As adoption of the R-SAT continues to grow, your institution should proactively embrace this tool to evaluate your current security controls and eliminate gaps or vulnerabilities.
The R-SAT serves as a preparedness or resiliency checklist for your institution, as well as a roadmap for identifying beneficial controls that you may not have previously considered. With questions ranging from cyber insurance coverage to data security, the assessment provides your institution’s executive management, board of directors and examiners an overview of preparedness for identifying, protecting, responding and recovering from an attack.
The R-SAT is designed to measure an institution’s readiness for ransomware attacks and mitigate those threats.
By thinking through various scenarios and potential issues you should be prepared to address, you can ensure your institution has the necessary policies and procedures in place to combat ransomware threats. This tool will also assist regulators or examiners during formal reviews of your security controls.
2. Updates to FFIEC Guidance
The Federal Financial Institutions Examination Council (FFIEC) recently issued the Architecture, Infrastructure and Operations (AIO) booklet, which replaces the Operations booklet issued in 2004. The updated title demonstrates the importance of an institution’s architecture, infrastructure and operations, as well as the expansion of IT’s role within an institution. According to the FFIEC, this booklet provides a foundation for understanding AIO principles and best practices.
This guidance emphasizes that IT should be integrated throughout your business, not just individual departments. In the past, boards of directors commonly relied solely on an IT manager within the institution and didn’t necessarily need an expansive knowledge of IT. With the issuance of this new guidance, it is expected that the board and senior management understand technology and provide credible challenges to the decisions made by internal IT.
Under the new FFIEC guidance, boards and senior management are expected to better understand technology.
In other words, boards and senior management are expected to think critically and ask the right questions of their IT department when warranted. The recent updates also place a greater emphasis on technology-related roles and outline new positions, including Chief Information Security Officer, Chief Architect and Database Administrator.
3. Cyber Insurance and Multi-Factor Authentication
Due to the financial, reputational and operational risks posed by cyber incidents, cyber insurance has experienced tremendous growth. While preventing cyber incidents with an effective system of controls is critical, having insurance in the event of an attack can benefit your institution by covering liability costs or costs to replace lost data, depending on the policy.
Before receiving coverage, many insurance providers now expect institutions to implement multi-factor authentication (MFA). MFA requires multiple authentication methods, making it more difficult for an attacker to gain account access. Many hackers will seek a less secure target when confronted with this extra obstacle.
MFA provides an additional layer of defense to user accounts.
According to Microsoft, MFA can block more than 99.9% of account compromise attacks since knowing or cracking a password isn’t enough to gain access. Cyber insurance carriers recognize the significant benefits delivered by MFA and are now requiring this control, especially for accounts with virtual private network access.
When considering cyber insurance, make sure you read the entirety of your policy and perform proper due diligence. Some carriers have stipulations that invalidate your policy if unmet, so understand the full scope of coverage, terms and exclusions.
4. Why Your Institution Should Implement a Cybersecurity Framework
While assessments, cyber insurance and adherence to FFIEC guidance will strengthen your cybersecurity posture, there is no substitute for a robust cybersecurity framework. A well-managed cybersecurity compliance program with a strong framework streamlines exams and prevents your organization from falling victim to a breach.
By determining where risks exist and identifying opportunities to strengthen your control structure, an effective framework should act as a strategic guide for your institution. Cybersecurity frameworks also help you determine where to focus valuable resources by looking holistically at the security of your entire organization.
Many examiners expect institutions to have a framework implemented, but your institution should avoid viewing a framework as only a tool to satisfy exam requirements. An effective framework will improve overall cybersecurity by helping your institution prevent, detect and mitigate security events.
While there is no shortage of existing frameworks to consider, the CIS Controls—an FFIEC-recommended framework—have a proven track record for holistic security. The CIS Controls consist of a prioritized list of actions as well as a map for handling compliance initiatives and planning for IT spending.
Navigating Evolving Cybersecurity Compliance Regulations
Managing impending threats and regulatory requirements can be overwhelming for IT leaders. As cybersecurity compliance regulations continue evolving, having a framework in place to help you navigate security incidents can make all the difference in mitigating your risk. Learn more about strategies to strengthen your cybersecurity posture by downloading our white paper.
GET MY COPY
Tyler Leet serves as director of Risk and Compliance Services for CSI’s Regulatory Compliance Group. With nearly 20 years of experience in the information security, risk and compliance industries, Tyler oversees and participates in the development and maintenance of the risk and compliance-related services conducted for a wide variety of financial institutions and organizations.