NIST Seeks Comments on Cybersecurity Framework Draft

By Andrew Retrum, Managing Director, Technology Consulting, Cybersecurity

and Randy Armknecht, Director, Technology Consulting, Cybersecurity


Last month, the National Institute of Standards and Technology (NIST) published a discussion draft of revisions to the NIST Cybersecurity Framework (CSF Version 1.1). The draft, though still subject to change, provides new detail on NIST’s recommendations for cyber supply chain risk management (SCRM), clarifies key terms, and introduces guidance on measuring cybersecurity. Although the framework is voluntary, the Financial Industry Regulatory Authority (FINRA) and others require organizations under their jurisdiction to adopt and declare a framework, and the NIST CSF is one of the most commonly used.

Here are some of the highlights from the NIST draft:

  • The NIST CSF currently has 22 categories. The draft adds a twenty-third, Supply Chain Risk Management (SCRM), under the Identify function, along with eight new subcategories: five for SCRM and three under the Protect function. The wording of five existing subcategories has also been clarified.
  • SCRM is now a critical consideration in the NIST CSF, in recognition of the fact that many organizations outsource key business processes to, or share sensitive data with, third parties. The U.S. Office of the Comptroller of the Currency and other federal banking agencies have proposed regulations, titled Enhanced Cyber Risk Management Standards, that address this “external dependency management.”
  • A new Section 4, “Measuring and Demonstrating Cybersecurity,” suggests how to measure and demonstrate the effectiveness of a cybersecurity program. The framework calls for a close relationship between cybersecurity and business objectives: measures should align with business objectives and should demonstrate a cause-and-effect relationship between the activity being measured and the outcome. Metrics are grouped into four categories: practices, process, management and technical. NIST recommends that organizations tailor measures and metrics to their own level of maturity. Section 4 does not, however, offer concrete examples of which specific cybersecurity metrics belong on a control dashboard.

We think these revisions will align the NIST CSF more closely with regulatory and industry priorities such as identity and access management, SCRM and vendor risk management, metrics, and cybersecurity threat intelligence. These are the same areas that often come up as concerns in Protiviti field engagements, so we think the changes are necessary and appropriate.

Click here for our flash report on this topic.

2017 Perceived as Riskier by Top Executives, Survey Results Say

Political and economic instability, cyberattacks and disruptive change have global executives and board members on high alert for the year ahead, according to research from Protiviti and North Carolina State University’s ERM Initiative. The report, Executive Perspectives on Top Risks for 2017, and an executive summary are available for download on the Protiviti website.

Concerns about the global economy topped the list for the first time in the five years we’ve been doing the study, surpassing regulatory concerns, which fell to number two. Tech risks followed, with cyber-risk, identity and privacy remaining in the top five.

I had the opportunity to discuss the results — along with Mark Beasley, the Deloitte Professor of Enterprise Risk Management at North Carolina State, and my colleague Pat Scott, executive vice president, global industry and client programs at Protiviti — in a December 15 webinar, and wanted to share some of the highlights.

We surveyed 735 executives and directors at companies around the world, representing a cross-section of industries, and asked them to prioritize 30 risks on a scale of 1 to 10, with 10 being the highest level of concern. Risks were grouped into three categories: macroeconomic, strategic and operational.

The overall risk scores were higher than last year in every category, a sign that executives perceive 2017 as more risky than 2016. Despite that, few organizations plan to invest additional time or resources to risk identification and management — which could reflect either resource constraints, or satisfaction with current resource commitments and prior year investments in risk management capabilities.

From a regional perspective, respondents from companies in the Asia-Pacific region were the most concerned, followed by European companies. Although U.S. executives’ overall risk perception was unchanged from the prior year, volatility in global markets and currencies may create significant challenges at home as well as abroad.

The next twelve months will be interesting on the regulatory front as a populist wave sweeps across major world economies, affecting everything from healthcare to immigration to trade, with implications for many companies, not just the highly regulated ones.

Concern for cyber-threats has been rising over the years, and continues to increase, particularly in the areas of privacy and identity management, as new technology offerings expand faster than the security protections companies have in place.

For other top risks, I refer you to the report.

One parting thought: Just as concerns varied by region, industry and company size, they also varied by the respondent’s role within an organization. This is significant in that I think there is a tendency for companies to assume, internally, that everyone is on the same page when it comes to risk priorities and perception. That’s simply not the case. Therefore, the risk assessment process needs to be inclusive to encourage participation of multiple stakeholders and perspectives.

I think the bottom line is that 2017 is going to be a fun ride that’s not for the timid. So fasten your seat belts!

Jim DeLoach

Money 20/20, Day 3: Get the View From the Inside With Today’s Podcasts

Blockchain, globalization, digitization, cybersecurity, fintech, new customer demands, and more. Money 20/20, the largest global financial industry event focused on payments and financial services innovation for connected commerce at the intersection of mobile, retail, marketing services, data and technology, takes place Oct. 23-26. Once again, Protiviti is proud to be an exhibitor sponsor and speaker at the event.
We will be posting daily dispatches from the event’s sessions, starting Sunday, here and on Twitter. Subscribe and follow us for current commentary, insights and reactions from industry experts as the event unfolds.

 

  • Ed Page, Managing Director, Technology Consulting for Financial Services, on IT Trends (6:08 minutes)
  • Nirav Shah, Director, Risk and Compliance, on Regulating Fintech (3:03 minutes)
  • Nirav Shah, Director, Risk and Compliance, on Good vs. Bad Innovation (4:46 minutes)
  • Robert Ferguson, Senior Manager, Business Performance Improvement, on Customer Stickiness (3:21 minutes)

Regtech: The Fintech Innovation at the Heart of Compliance Transformation


By Vishal Ranjane, Managing Director
Risk and Compliance


Recently, my colleague Jason Goldberg wrote about balancing the competitive need for technology-enabled customer experiences in payments, banking and wealth management with security and privacy controls. Customer-facing technology, as the most publicly visible example of financial technology (fintech), has received a lot of media attention. Nevertheless, it’s only half of the fintech picture.

Behind the scenes, financial institutions are beginning to adopt a subset of fintech known as regulatory technology, or “regtech.” (Protiviti’s recently introduced automated Risk Index tool is an example of such a regtech solution, applied to management information and reporting.)

Like fintech, regtech applies the same nimble, scalable, mobile-friendly solutions and rapid, low-cost cloud deployment to improve risk management, transaction monitoring, regulatory compliance, reporting, data storage and analytics. Unlike fintech, however, regtech does not compete with traditional banking for the same customers; rather, it offers new ways of solving old problems, bringing speed, security and agility to compliance with regulatory requirements. As such, financial institutions have good reason to look forward to implementing the technology.

Regtech has the potential to replace many of the traditional manual and paper-based solutions. Traditional solutions tend to be inflexible, disconnected and hard to update. Traditional solutions also tend to be resource-intensive, tying up both capital and IT capacity.

Regtech enables controls such as employee surveillance and transaction monitoring, on-demand reporting and full-population data analytics. It makes conducting risk assessments faster and provides a better audit trail.

Applied to anti-money laundering (AML) and counter-terrorist financing (CTF) compliance, a regtech real-time transaction monitoring solution can bridge communication gaps by consolidating and analyzing data from disparate systems. Applied to know-your-customer (KYC) processes, regtech can be used to create a secure central data repository with reference data utilities to protect personally identifiable information. The technology also can monitor financial services regulations in every country and region within an institution’s footprint, and report back to internal audit.

[Listen to Vishal discuss faster KYC onboarding revealed at Money 20/20]

In short, the opportunities for regtech in compliance automation, AML and management reporting are many and exciting. Financial institutions historically have struggled to comply with new regulations, in part because the compliance processes were rigid and not easily changed. As regtech matures, risk and compliance functions are likely to see increased operational excellence. Underlying data will become more reliable, enabling better decisions; adoption of new controls and compliance procedures will get faster and easier; and senior management will be able to manage risk more effectively.

One important caveat: Regtech relies heavily on third-party providers of cloud-based technology solutions, but this does not mean that these parties assume the institution’s risk. While the IT burden of implementing and maintaining the new technology may be reduced, institutions take on a new and growing responsibility to vet and monitor vendors to ensure that the providers’ policies, values and procedures align with those of the organization, especially when it comes to privacy and cybersecurity.

Also, while automation can improve processes, it is critical for financial institutions to review all risk and compliance procedures during project planning to avoid accelerating bad or obsolete processes, and to verify data integrity to ensure that reports are accurate and reliable.

Regtech is a good example of what the U.S. Office of the Comptroller of the Currency meant when it talked about the need for “responsible innovation.” As the financial services industry undergoes a fundamental and disruptive digital transformation, financial institutions are going to need technology-enabled risk management and compliance tools to ensure that they can manage at the speed of risk.

This is an exciting trend and we’ll keep you posted as things develop.

Money 20/20: Protiviti Experts Share Their Views on Hot Topics in Day 2


In Day 2 of Money 20/20, Kevin Donahue talks with two Protiviti experts who share their views on some of the hot topics discussed at the conference today. Tyrone Canaday, Managing Director in Protiviti’s IT Consulting practice, discusses open API – the open platform technology used by fintech firms to speed up innovation, increase speed to market and facilitate the shift from branch to digital.

In the second segment, Atul Garg, Managing Director in Protiviti’s Business Performance Improvement practice, outlines the dichotomy between traditional and fintech banking firms, and the conversations needed to achieve the convergence desired by both of these groups.

Listen to their thoughts and share these conversations by accessing them on Twitter, here and here.


Money 20/20: Impact of the U.S. Presidential Election on the Financial Services Regulatory Landscape


In a session Sunday titled “Impact of U.S. Presidential Election on the Financial Services Regulatory Landscape,” Tim Pawlenty, former governor of Minnesota, and Neal Wolin, former deputy secretary with the U.S. Department of the Treasury, shared their thoughts on what may happen after the election with regard to regulation in the financial services industry.

Both panelists noted that the financial services industry remains a bit in flux with regard to the regulatory landscape. Memories of the global financial crisis from a decade ago still linger with consumers and lawmakers alike. Pawlenty noted that the overall financial services industry, and so-called “big banks and Wall Street,” in particular, remain very unpopular. In the eyes of many, he said, events leading up to the global financial crisis nearly derailed the economy, so the reaction and sentiment is understandable. Any efforts to curtail regulation significantly likely will be met with protests as part of a growing populist movement in the country. Lawmakers are unlikely to introduce any drastic changes in this environment.

That said, change is possible, especially over the long-term. Whoever wins the presidency on November 8 will be making numerous appointments that will dictate the pace and cadence of regulatory changes. In addition, one or more Supreme Court appointments have the opportunity to introduce shifts in the regulatory landscape. However, those changes almost certainly will be slow to come. Pawlenty and Wolin explained that regardless of which parties control the House and Senate after Election Day, both chambers of Congress will remain relatively balanced – enough so that one party will be unable to enact major regulatory changes without the other party curtailing them.

Another item of note: With regard to fintech, Wolin observed that the views of both candidates for president are murky. It is unclear how either might proceed with regulatory oversight of the burgeoning fintech industry.

Bottom line: Despite an acrimonious presidential election and numerous promises and pledges from the presidential candidates as well as those running for House and Senate seats, the panelists believe the regulatory landscape for the financial services industry is unlikely to shift dramatically. Instead, new regulations will continue to come from the executive branch as well as from individual regulators in response to specific events or developments in the industry.

Fintech Faultline: Customer Experience Versus Security and Fraud


By Jason Goldberg, Director
Financial Services Business Performance Improvement


Financial technology, or fintech, firms are disrupting the financial services industry with their nimble structure and innovative payment, banking and wealth management services. Unburdened by legacy core systems, regulatory scrutiny and complex processes, emerging fintech companies innovate from day one, creating optimal customer experiences that are difficult for traditional financial institutions to match.

New entrants are significantly improving the customer experience in the person-to-person (P2P) payment sector, for example, by allowing transfer of funds with just a couple of taps on a smartphone. Despite the popularity of these payment apps, however, there is growing concern from consumers and regulators that some emerging fintech firms, in their haste to get ahead of their more-established competition, may not have focused enough on security and privacy controls.

We examine this dichotomy in a new Protiviti paper, Balancing Customer Experience with Security and Fraud Controls. But I wanted to whet your appetite with a small example.

A governing dynamic long known to established financial institutions is that success (or failure) brings regulatory scrutiny. The Consumer Financial Protection Bureau (CFPB) sent a strong signal earlier this year when it levied a $100,000 fine against a fintech company for failing to employ reasonable and appropriate measures to protect consumer data from unauthorized access, and for not encrypting some sensitive personal information. While the monetary value of the fine was not significant, it was a clear warning to other fintech firms to be more mindful of their practices.

This example should serve as a lesson for traditional financial institutions as they seek to partner with emerging fintech companies or emulate some of the more successful practices of these tech-savvy upstarts. The lesson is that innovation needs to be balanced with security, fraud, risk and compliance requirements from the earliest design phases of any technology transformation project.

Control functions such as risk, compliance and security are perceived to have an adversarial relationship with innovators, who sometimes sidestep compliance in favor of speed to market. And yet, it is critical to embed these checks and balances from the earliest planning stages of product design. The key is finding a balance between the two.

Despite their inexperience, emerging fintech companies may have an easier time of this, because of a cultural bias against silos and for collaboration. Traditional financial institutions may need to work harder to break down established mindsets and find security and compliance people who think more like innovators.

That’s really the crux of the matter. As traditional financial institutions seek to transform to answer customer demands around nimble and innovative experiences, it is important for them to remember that the transformation also requires changes to organizational mindset, processes and, of course, technology. A holistic focus on customer experience, with a balanced and integrated (not layered) security and fraud approach, will drive powerful customer relationships. Customers and the security of their transactions are at the heart of the financial services industry and, in that regard at least, established players still have the advantage.