Building and Maintaining Momentum in Bank Cybersecurity

By Troy M. La Huis, CAMS; David R. McKnight, CISSP; and Omar S. Refaqat, CISSP | 12/19/2019

The size, scale, and impact of cybersecurity issues in the financial services industry can seem overwhelming to bank security and technology teams. Cyberattacks are persistent, regulations are changing, and new threats are emerging constantly as customers embrace new ways of interacting with their financial services providers.

In such an environment, those charged with addressing cybersecurity issues often find it difficult to maintain focus and long-term direction. Organizing their approach into six major steps can help banks structure their efforts and accelerate their cybersecurity capabilities.

Step 1: Establish the cybersecurity risk appetite

Establishing an organization’s cybersecurity risk appetite – that is, preparing a general statement of how much risk the organization is willing to take as part of its normal business operations – can frame an organization’s risk management process, optimize performance, and help meet stakeholder expectations. The cybersecurity risk appetite should reflect an appropriate balance between caution and opportunity. It should not, therefore, be zero – no risk means no opportunity for organizational growth or success.

The development of the cybersecurity risk appetite should involve stakeholders including the board of directors and senior executives, as well as the senior leaders of the security and risk management teams. Such broad involvement is necessary because, ultimately, the purpose of the risk appetite is to frame the overall cybersecurity risk management process in a way that helps optimize business performance and meet those stakeholders’ expectations.

The cybersecurity risk appetite is not purely a technical statement and generally does not address specific tools, controls, or metrics. Instead, it should express the organization’s risk tolerance in terms that are clear, forward-looking, and linked directly to the bank’s business model, culture, and strategic goals.

Exhibit 1 offers a generic cybersecurity risk appetite statement. The exhibit is an example only and should not be adopted verbatim.

[Exhibit 1: Example risk appetite statement]

Each organization must develop its own statement, reflecting its own situation and priorities. In many ways, the process of developing the risk appetite is much more significant than the actual text of the statement.

Step 2: Adopt appropriate frameworks

Rather than attempting to develop a custom cybersecurity risk management framework from the ground up, most banks find it more practical to adopt one of the common frameworks created by recognized standards organizations. Using such a framework saves time and can provide a level of defensibility and authority that is difficult to attain when developing a framework from scratch.

Some of the most commonly used frameworks include:

  • NIST Cybersecurity Framework, developed by the National Institute of Standards and Technology
  • ISO/IEC 27001, published by the International Organization for Standardization and the International Electrotechnical Commission
  • CIS Controls, created by the Center for Internet Security

Each of these frameworks offers its own advantages and disadvantages. The NIST framework, for example, is free of charge and globally recognized, but others might have longer histories or be more widely used by vendors and other providers. The degree of customization that the framework allows is another important consideration, as is the ability to integrate the cybersecurity framework with the bank’s broader security and risk identification programs.

Regardless of the chosen framework, the risk team should take care to document the relevant business goals and drivers that led to the choice. Finally, an overview of the framework should be presented to bank leadership, using an appropriate mix of business and technical language that demonstrates the framework’s adoption.

Step 3: Actively involve the board

Bank boards are focusing on cybersecurity issues with increasing intensity. For example, in a recent Crowe webinar, four out of five bank executives (80.4%) reported their chief information security officers (CISOs) had received cybersecurity-specific questions during recent board presentations. Nearly a quarter of them (22.4%) had received four or more such questions (Exhibit 2).

[Exhibit 2: Board engagement]

With cybersecurity now widely regarded as a strategic issue, board involvement is critical. But those charged with presenting cybersecurity information to the board should bear in mind directors’ mission-, risk-, and cost-related priorities. Cybersecurity data should be presented within the context of fulfilling the bank’s mission and strategic goals, managing risk and compliance, and managing both current and future costs.

Boards are looking for solutions – if there’s bad news to present, CISOs should be prepared to discuss possible upsides as well. In many instances, system failures or shortcomings could offer an opportunity to carry out upgrades that were needed anyway.

Step 4: Implement an effective incident response program

Incident response is the central fixture of any cybersecurity risk management program. Four essential components of an effective incident response program are:

1. Preparation. The ability to respond quickly and effectively to a data breach or other attack depends on having in place – in advance – a thorough, organization-specific, and well-tested plan that is clearly communicated to all responsible parties. Many organizations find it advantageous to engage outside specialists using a pre-negotiated incident response retainer to supplement their in-house resources. Price, scope, capability, and industry specialization are critical factors to consider.

2. Detection and analysis. Early detection and prompt response go hand in hand. In addition to having triage tools and playbooks in place, many organizations benefit from engaging in active threat hunting, using either their own resources or outside specialists. Looking for evidence of past stealth attacks also can help identify risks that might otherwise go unrecognized.

3. Remediation and recovery. The process of isolating systems and segments that are under attack and then rebuilding the affected systems and services can be particularly trying. It is not uncommon for this process to take days or even weeks, depending on the organization’s data backup systems. A critical part of this effort is clear and continuous communication with customers, regulators, the legal team, law enforcement, and the public at large. Cybersecurity insurance carriers can be a valuable resource in helping to evaluate the adequacy of the organization’s recovery systems.

4. Post-incident activity. After the initial crisis has passed, it is important to follow up quickly to identify lessons learned, carry out root cause analysis, and update the incident response plan to deal with any defenses that were found to be missing or inadequate. Executive and board involvement are important at this stage as well. Mature risk management operations might consider turning a closed incident into a tabletop exercise that could be used in future planning and training efforts.

Step 5: Proactively manage vendor relationships

Active, risk-based vendor management is an important component of the cybersecurity risk management effort. Attackers commonly target third parties as an avenue into bank systems, which is one reason why third-party risk is the subject of increased regulatory scrutiny.

Banks should look for ways to enhance connectivity without compromising security through regular monitoring and mentoring of vendors and other third parties. A more precise, risk-based approach to vendor management also can support efforts to streamline and automate workflows and processes.

System and Organization Controls (SOC) reports provided by qualified reviewers are probably the most widely recognized components of a third-party risk management program. In the Crowe webinar mentioned earlier, more than half of the participants (56.5%) said they relied on SOC reports as their primary tool for verifying that vendors have adequate security controls in place.

In addition to SOC reports, the risk management team also should consider other independent assessments, including penetration test reports, monitoring from security rating services, and shared assessment exchanges that can provide a platform for collecting, validating, and sharing vendor risk and security assessments.

Step 6: Develop strong support networks

As they work to expand both the scope and depth of their cybersecurity risk management efforts, most banks will find it beneficial to develop strong support networks – both internally and externally.

Internally, the risk management function, internal audit, operations, and the various lines of business all have important contributions to make to the effort. Outside the bank, active engagement in industry conferences, professional organizations, and other peer groups can provide new insights and broader perspectives.

The goal of this engagement effort is to grow the cybersecurity risk management program into a more comprehensive and effective initiative – one that moves beyond mere compliance and begins to address genuine cyberresilience. Compliance focuses on responding to threats and “checking the box,” but true cyberresilience focuses on longer-term needs in an effort to both prevent breaches and minimize the damage when a breach occurs.

Banks today are under significant pressure to react quickly to a blur of rapidly changing developments in the field of cybersecurity risk. By taking an organized, structured, step-by-step approach, security and technology teams can begin to take control of the challenge, accelerate their cybersecurity capabilities, and make demonstrable progress toward achieving cyberresilience.

Contact us

Troy La Huis, Principal, Digital Security Services Leader
David R. McKnight
Omar Refaqat