With cybersecurity now widely regarded as a strategic issue, board involvement is critical. But those charged with presenting cybersecurity information to the board should bear in mind directors’ mission-, risk-, and cost-related priorities. Cybersecurity data should be presented within the context of fulfilling the bank’s mission and strategic goals, managing risk and compliance, and managing both current and future costs.
Boards are looking for solutions – if there’s bad news to present, CISOs should be prepared to discuss possible upsides as well. In many instances, system failures or shortcomings could offer an opportunity to carry out upgrades that were needed anyway.
Step 4: Implement an effective incident response program
Incident response is the central fixture of any cybersecurity risk management program. Four essential components of an effective incident response program are:
1. Preparation. The ability to respond quickly and effectively to a data breach or other attack depends on having in place – in advance – a thorough, organization-specific, and well-tested plan that is clearly communicated to all responsible parties. Many organizations find it advantageous to engage outside specialists using a pre-negotiated incident response retainer to supplement their in-house resources. Price, scope, capability, and industry specialization are critical factors to consider.
2. Detection and analysis. Early detection and prompt response go hand in hand. In addition to having triage tools and playbooks in place, many organizations benefit from engaging in active threat hunting, using either their own resources or outside specialists. Looking for evidence of past stealth attacks can also help identify risks that might otherwise go unrecognized.
3. Remediation and recovery. The process of isolating systems and segments that are under attack and then rebuilding the affected systems and services can be particularly trying. It is not uncommon for this process to take days or even weeks, depending on the organization’s data backup systems. A critical part of this effort is clear and continuous communication with customers, regulators, the legal team, law enforcement, and the public at large. Cybersecurity insurance carriers can be a valuable resource in helping to evaluate the adequacy of the organization’s recovery systems.
4. Post-incident activity. After the initial crisis has passed, it is important to follow up quickly to identify lessons learned, carry out root cause analysis, and update the incident response plan to deal with any defenses that were found to be missing or inadequate. Executive and board involvement is important at this stage as well. Mature risk management operations might consider turning a closed incident into a tabletop exercise that could be used in future planning and training efforts.
Step 5: Proactively manage vendor relationships
Active, risk-based vendor management is an important component of the cybersecurity risk management effort. Attackers commonly target third parties as an avenue into bank systems, which is one reason why third-party risk is the subject of increased regulatory scrutiny.
Through regular monitoring and mentoring of vendors and other third parties, banks should look for ways to enhance connectivity without compromising security. A more precise, risk-based approach to vendor management can also support efforts to streamline and automate workflows and processes.
System and Organization Controls (SOC) reports provided by qualified reviewers are probably the most widely recognized components of a third-party risk management program. In the Crowe webinar mentioned earlier, more than half of the participants (56.5%) said they relied on SOC reports as their primary tool for verifying that vendors have adequate security controls in place.
In addition to SOC reports, the risk management team should also consider other independent assessments, including penetration test reports, monitoring from security rating services, and shared assessment exchanges that can provide a platform for collecting, validating, and sharing vendor risk and security assessments.
Step 6: Develop strong support networks
As they work to expand both the scope and depth of their cybersecurity risk management efforts, most banks will find it beneficial to develop strong support networks – both internally and externally.
Internally, the risk management function, internal audit, operations, and the various lines of business all have important contributions to make to the effort. Outside the bank, active engagement in industry conferences, professional organizations, and other peer groups can provide new insights and broader perspectives.
The goal of this engagement effort is to grow the cybersecurity risk management program into a more comprehensive and effective initiative – an initiative that moves beyond mere compliance and begins to address genuine cyberresilience. Compliance focuses on responding to threats and “checking the box,” but true cyberresilience focuses on longer-term needs in an effort to both prevent breaches and minimize the damage when a breach occurs.
Banks today are under significant pressure to react quickly to a blur of rapidly changing developments in the field of cybersecurity risk. By taking an organized, structured, step-by-step approach, security and technology teams can begin to take control of the challenge, accelerate their cybersecurity capabilities, and make demonstrable progress toward achieving cyberresilience.