When it comes to cybersecurity oversight and management, many functions outside of IT and information security (IS) need to play a role – including internal audit, risk and compliance. These parties need to adopt an approach to managing cyber risk that involves all three lines of defence. It may be a cliché to say that cybersecurity must be treated as a business risk and not just a technology risk, but these functions still do not often see it as something within their remit. They have to begin to adapt, because regulatory change is starting to move at a faster pace in an effort to keep up with the constantly evolving cyber threat landscape.
For their part, the IT and IS departments have to understand the need for this comprehensive involvement and be willing to partner with compliance and other departments on these new requirements. All parties need to be able to articulate to senior management, the board, regulators and other key stakeholders the organization’s overall approach to cybersecurity, as well as the nature of the threats facing it. They will also have to work closely with the business to ensure employees in the first line of defence are doing everything they ought to be to prevent or quickly detect and effectively respond to an attack when it occurs. Cyber risk is now something that everyone manages.
Global regulators – including the UK’s Financial Conduct Authority – are also going to be looking for an “all lines of defence” approach when they assess an organization’s cybersecurity program. Questions regulators are likely to ask of firms include:
- How is the organization assessing the effectiveness of its cybersecurity program – including identification, protection, detection and recovery processes, as well as governance and leadership?
- How is the organization prioritizing its cybersecurity program based on its genuine business (and not just technology-centric) risks? How does it know what and where its “crown jewels” are?
- Are firms making a proportionate use of frameworks such as the CBEST Vulnerability Testing Framework, the NIST Cybersecurity Framework, the FFIEC framework, and the Guidance on Cyber Resilience for Financial Market Infrastructures produced by CPMI-IOSCO?
- Are the key controls in place, such as: information risk management, user access management, malware protection, network security, education and awareness, monitoring, incident management, system hardening, threat intelligence, and more?
- How effective is vulnerability management? What is the elapsed time between identifying a system vulnerability and patching it, particularly on public-facing systems that hold sensitive information?
The UK FCA has made cybersecurity one of its priorities in its 2017/2018 Annual Business Plan, and in the U.S., the banking regulators are also developing their own enhanced framework. Other jurisdictions are following suit. Compliance executives must make sure they have an understanding of the regulatory frameworks in the jurisdictions in which they operate and keep on top of the regulatory changes. Both U.S. and UK frameworks are expected to evolve significantly over the next 24 months.
Meeting the challenge of delivering on these regulatory expectations requires compliance teams to claim their seat at the table when it comes to cybersecurity – an area where many of them seem reluctant to engage.
Compliance teams must have the confidence to ask questions and to challenge their peers – to make sure that what other stakeholders, such as the business and IT, say stacks up with reality. They also have to be able to understand the regulator’s approach to cybersecurity, and how their organization’s framework measures up against it.
There are other ways in which cybersecurity compliance must evolve, too – for example, regulators are already expecting increased nimbleness because of how quickly cyber risk is evolving. As a result, some supervisors are now expecting firms to perform assessments much more frequently than the annual risk assessments that compliance teams may be used to for other areas.
Dealing with cybersecurity effectively is one of the biggest challenges for compliance teams today, and the required changes will be significant – it is very possible that in the not-too-distant future, some compliance executives may specialize in the topic. But for now, building oversight of, and a working understanding of, cybersecurity is the first thing that compliance teams need to come to grips with, and they must reach out to collaborate with their colleagues across the organization to successfully ride the coming evolutionary wave.