Was Friday’s Ransomware Attack Covered in Your Cyber Plan?

By Scott Laliberte, Managing Director
Technology Consulting




Less than a month ago, my colleague Adam Brand talked about the need to include ransomware in the cybersecurity repertoire of companies, emphasizing a business outcome-driven approach to cybersecurity, rather than a narrow-focused sensitive data perspective. Last Friday’s global ransomware attack brought this message home with a bang.

The wide-spread attack struck hospitals, companies and government offices around the world, with the majority of the attacks targeting Russia, Ukraine and Taiwan. It disrupted computers that support factories, banks and transport systems. The National Health Service in the United Kingdom was attacked, causing some surgical procedures to be cancelled and ambulances to be diverted. In addition, several major global companies reported they were hit by the attack, which currently is believed to have infected more than 200,000 computers globally, with some claiming the number is closer to 300,000.

The event is not unique but it is the biggest of its kind so far, and reinforces a harsh reality: Cyber attacks are not just about data loss or intrusions on privacy, but they can impact organizational operations, patient care (for healthcare providers) and critical infrastructure, and cause possible loss of life. Systems that support critical operations – such as medical devices and industrial control systems – often run on older technology that is more vulnerable to these attacks. You may have ignored these systems up till now because they do not contain critical data – ignore them no more.

In the wake of this latest attack, Protiviti issued a Flash Report today that summarizes the circumstances and reiterates the point we’ve made often before – namely, that cybersecurity needs to be extracted from the silo of IT security operations and considered in the context of the risk it poses to the business. The Flash Report also provides some immediate and longer-term recommendations for companies to shield themselves from future events like this one. Download the report here, and share your thoughts in the comments.

Cyber Risk Management: No More Quiet Backrooms


By Carol Beaumier, Executive Vice President and Managing Director
Regulatory Compliance Practice




Last month, in New York City, Protiviti hosted a gathering of scores of financial service industry representatives to discuss the recently enacted New York Department of Financial Services’ (DFS) Part 500, Cybersecurity Requirements For Financial Services Companies. Similar in design to the previously enacted DFS Part 504, Transaction Monitoring and Filtering Program Requirements and Certifications, Part 500 requires DFS-regulated covered entities (including banking organizations, insurance companies, money services businesses and others) to develop and maintain effective cybersecurity programs and to certify annually to the DFS that they are meeting the requirements of the regulation.

The attendees – chief information security officers, chief compliance officers, chief counsels, internal auditors and other senior executives of banks and insurance companies – engaged in a lively discussion with a panel of cyber experts about the challenges of managing cyber risk and were especially honored to hear directly from DFS Superintendent of Banking Maria Vullo, who shared the reasons her agency felt it necessary to adopt this regulation, as well as her compliance expectations.

Superintendent Vullo said that “as cyber-attacks are increasing across the globe, laws and regulations are not just appropriate, they are necessary. Government must be in the game, looking ahead to help prevent misconduct.” The need for a proactive partnership between government and industry to do more to prevent and learn from cyber attacks was a strong theme throughout the Superintendent’s comments. While she recognized that many covered entities have multiple regulators all of whom may have different expectations regarding cyber risk management, the Superintendent stated her firmly-held belief that to do nothing, in the hopes of achieving a uniform regulatory approach in the U.S., was simply not an option for the DFS, and she encouraged other regulators to adopt the DFS model. From a governance perspective, the Superintendent was very clear that industry responsibility for cyber risk management rests squarely at the feet of boards of directors and senior management.

In designing Part 500, the Superintendent said that DFS’s goal was to develop “a roadmap – minimum safeguards for cybersecurity – which leave room for innovation.”  The agency’s focus will be on the outcome, recognizing that different risk profiles will require different responses. Superintendent Vullo signaled a willingness to work with the industry and share leading practices toward the common goal of strengthening the industry’s cyber resilience and said that “where we see clear cooperation and good faith effort, our response will be tempered even where there is need for improvement.”

While the DFS is still developing its cyber framework and examination program, comments from the Superintendent and from the expert panel suggested that, in addition to support from the top of the organization, several other key takeaways from the session should be noted:

  • Until there is a uniform regulatory standard, organizations – especially large, complex multinational organizations – will still need to address varying expectations and different areas of focus as they develop or enhance their cyber programs.
  • A rigorous, customized risk assessment should be the cornerstone of the cybersecurity program, and it will be important for covered institutions to step back and revisit their risk assessment process and output to ensure that it is providing the appropriate foundation for building the program.
  • While many organizations would immediately turn to IT to build the cyber program, it is very important to involve the business – e.g., materiality should be designed at the business level since IT may see the risk differently. To be effective, cyber professionals must understand the business.
  • Third-party risk management issues, which are a very complex challenge for many organizations, are critically important to the cyber compliance effort.
  • While some of the control requirements (multifactor authentication and encryption or reasonable substitutes for these) are not required immediately, the time to start thinking about them is now since implementation will take time.
  • Communication across the organization will be critical to the success of the program.

One of our expert panelists likely summed up the feeling in the room when he reflected that in the beginning of his career IT people sat in a backroom and no one much cared what they did so long as things kept working, but as technology gradually became a business enabler, the attendant risks to the business could not be ignored. Cyber is one of those risks on which every institution and every regulator is now focused.  No more quiet backrooms for the IT, business and risk professionals charged with protecting their organizations against cyber attacks; they are now front and center in the battle to protect their organizations, their customers, and the market against the growing cyber threats.





New Protiviti Study – Assessing the Top IT Priorities for 2015

Protiviti has released another major research report today – this one details the findings from our annual IT Priorities Survey of CIOs and IT executives and professionals.

Infographic-2015-IT-Priorities-Survey-Protiviti We’ll be exploring some of the key themes that came out of this study, including cybersecurity concerns, in the weeks ahead. For now, I invite you to view our video and infographic here. Please visit our survey landing page for more information and a downloadable copy of our report: www.protiviti.com/ITpriorities.







From Cybersecurity to Collaboration: Assessing the Top Priorities for Internal Audit Functions

Infographic-2015-IA-Capabilities-Needs-Survey-ProtivitiToday Protiviti released another exceptional piece of research: our 9th annual Internal Audit Capabilities and Needs Survey. This year, we took a close look at the role internal audit can and should play in helping their organizations manage cybersecurity and cyberthreats, giving the organization greater confidence in managing this ever-changing threat.

In future blog posts, we’ll be covering key takeaways from this research and offering guidance for CAEs and internal audit professionals. For now, I encourage you to view our video and infographic here, and visit www.protiviti.com/IAsurvey, where you can download a complimentary copy of our research report.






It’s Not the Time for Banks to Abandon Vendors

Ed Page - Protiviti Chicagoby Ed Page
Managing Director – Leader, Protiviti’s National Financial Services IT Consulting Practice


A recent article in American Banker Bank Technology News raises the prospect that stiffer vendor risk management requirements may push banks to bring more IT work in-house. Given the rigor being demanded these days, it’s hard to argue against that position, but banks and regulators alike need to be aware that this could have unintended consequences, particularly at midsize and smaller banks.

Large banks generally have the scale and skills to run IT services in-house, so insourcing to reduce the overhead of vendor management may be a viable approach. However, driving IT services in-house at smaller institutions may create a whole different set of risks. Many midsize and smaller institutions have long depended on outsourced relationships to provide essential IT services, both as a means of acquiring technical competencies and to reduce costs related to IT operations. Consequently, many lack the core competencies, experience and expertise needed to run things in-house.

I liken this a little to the do-it-yourself (DIY) phenomenon in home improvement. Although there are certainly a lot of DIY projects that people can undertake, a project such as upgrading the 1940s era knob and tube electrical wiring currently in your home to current standards is better left to the professionals (unless, of course, you are an electrical wiring expert!).

Insourcing may also pose a secondary risk for the industry as a whole. At a time when banks need to innovate to stay competitive, banks may be discouraged from working with vendors – particularly smaller vendors – who may be creating breakthroughs. This may lead to financial institutions missing opportunities to either drive down costs or introduce new products and services, which in turn creates risk from those institutions and non-bank competitors who are more willing to work with outside providers.

Technology and data are the life blood of banking, so the regulatory intent to ensure accountability and governance over these critical services is undeniably correct, but banks must guard against overreacting in ways that create other equal or even greater risks. The industry needs to retain both insourcing and outsourcing as viable alternatives. Ultimately, organizations should develop an IT strategy based on their business priorities and competencies. That strategy should be supported by a well-defined IT architecture, strong IT and data governance, and – where outsourcing is dictated – sound vendor management.

And for more insights into vendor risk management, I encourage you to read the benchmark report that the Shared Assessments Program and Protiviti recently released on the maturity of vendor risk management in organizations today.

A Look at the Maturity of Vendor Risk Management – A Benchmarking Study from the Shared Assessments Program and Protiviti

I want to share with you a just-released report on the results of a study on vendor risk management practices in which Protiviti partnered with the Shared Assessments Program – a consortium of leading financial institutions, Big Four accounting firms and key service providers dedicated to helping organizations understand and manage vendor risk effectively. Our report reveals some particularly interesting findings regarding how well organizations are managing their vendor risk. Bottom line: There is significant room for improvement in many organizations.

As the volume of outsourced and offshored products and services has surged in recent years, so, too, have the risks associated with vendors and third-party providers. Data breaches at vendors handling a company’s data and information are costly; they can even carry a higher cost than in-house breaches.

Importantly, the number of incidents is rising – in highly regulated industries such as financial services and healthcare; in media and retail, as seen in recent news; as well as in any organization in any industry that is relying on third-party vendors to manage operations and processes. These at-risk vendors include not just data management, IT and security providers, but also facilities management along with any vendor that may have access to your network, data or facilities.

Thus, vendor risk management is a big deal, raising the bar on the importance of a company knowing who its third parties are, how each of them interacts with the company’s customers, what activities each performs on behalf of the company, and what company data they access and process. Unfortunately, for most organizations, understanding vendor risk and how to manage it appropriately has thus far been more art than science. This is changing in part with the development of the first comprehensive Vendor Risk Management Maturity Model by the Shared Assessments Program.

The Shared Assessments Program recently partnered with Protiviti to conduct a third-party risk management benchmarking study based on this maturity model. Our study reveals some interesting trends:

  • Financial services organizations tend to have relatively mature vendor risk management programs compared to other companies and industries.
  • Organizations in the insurance subset are at a lower level of maturity in their vendor risk management compared to the overall financial services set.
  • Notable areas for improvement include program governance, and policies, standards and procedures.

To learn more, please visit www.protiviti.com/vendor-risk. And as always, I invite you to share your comments and feedback here.