Cyber resilience has become the latest concern for regulators around the world, as massively disruptive attacks such as NotPetya and WannaCry brought the vulnerability of interconnected systems to the forefront. Cyber resilience was also a key theme of the Financial Services Information-Sharing and Analysis Center Fall Summit in Chicago last November.
In addition, regulators have released several reports that focus on cyber resilience in the context of the financial services industry:
- A recent report by the Financial Conduct Authority (FCA) in the UK found that of a representative 300 financial services firms surveyed, most lacked the positive security culture required for true resilience.
- An advance notice of proposed rulemaking, published last year in the Federal Register by the FRB, OCC and FDIC, calls out the importance of enhanced cyber resilience as one of five cybersecurity categories that must apply to third-party service providers.
- The FDIC has adopted cyber resilience as an imperative in its own Information Security and Privacy Strategic Plan for 2018-2021.
- The Basel Committee on Banking Supervision recently published a report that found, among other things, that cyber resilience is not always clearly articulated across the technical, business and strategic lines, which hampers effectiveness.
So what does that mean, practically speaking, for financial institutions?
Regulators are looking for more than the traditional cyber response plan, in which an institution might attest that it has a plan and that the plan has been tested via simulated intrusion. Institutions should be prepared to demonstrate that they are taking a more holistic approach: prioritizing critical business processes and systems (including those managed by third parties), monitoring, establishing redundancy, and regularly testing response readiness to ensure high availability in the event of an attack. This requires closer integration between cybersecurity and business continuity programs, so that any type of outage (caused by a cyber event or otherwise) has appropriate preventive and responsive controls in place to minimize its extent and significance.
Specific areas of regulatory scrutiny include:
- Risk analysis. Institutions need to be able to show that they are conducting ongoing risk analyses from both a cybersecurity and business continuity perspective. A business impact analysis (BIA) is necessary to identify critical business processes and to quantify the maximum allowable outage time for each. Questions to ask: Have recovery time objectives (RTOs) been defined for each business process and supporting technologies? What is the likely impact on customers and operations of a system outage, including third-party systems?
- Design of controls. Any single points of failure identified in the risk analysis need to be addressed with an appropriate redundancy or control. Institutions need to be prepared to demonstrate for regulators how these controls reduce the risk of an outage, how often they are tested, and how rigorously.
- Monitoring. The sheer volume of information flowing through an institution’s systems these days can be overwhelming. Regulators are looking for evidence of alerts, dashboards and communication protocols to ensure the timely detection of intrusions.
- Response plan. Resilience requires a holistic approach incorporating all of the elements discussed here. Institutions need to be able to demonstrate that their plans are current and tested regularly to ensure business continuity and data security.
- Training. Like almost everything involving people, cyber resilience is, at its core, a people challenge. In the FCA study, 90 percent of respondents reported that they operate a cyber awareness program, but most reported difficulty identifying and managing high-risk staff. A positive security culture is required to build a truly resilient business. That is consistent with the results of a recent Protiviti report on Cybersecurity in the Financial Services Industry, in which 81 percent of respondents cited a lack of general staff training as their biggest internal security risk.
- Testing. Regulators have grown increasingly concerned with the testing of recovery plans and are demanding increased maturity, especially in rigor and frequency.
Financial services firms in Protiviti’s survey showed greater maturity in their overall cybersecurity strategy, as measured by the NIST Cybersecurity Framework, than other respondents – an outcome we attribute to the robust regulatory oversight the industry has had for many years. Still, there is a long way to go in terms of resilience – the ability to withstand, as opposed to prevent, cyber incidents. Robust integration of organizations’ cyber incident response plans with comprehensive business continuity programs will be increasingly important in achieving this goal.