
Ensuring Risk Management and Compliance in the Banking Sector

By Steven Grossman, VP of Strategy and Enablement, Bay Dynamics.


Your take on ensuring Risk Management and Compliance in the Banking Sector:

This past year we have seen an increasing number of new mandatory compliance requirements specifically targeting financial organizations. For example, beginning in January 2017, a new regulation in New York State takes effect, targeting banks, insurance companies, and other financial services institutions regulated by the New York State Department of Financial Services. It requires those institutions to comply with a set of requirements designed to strengthen their security posture and the protection of their customers' information. On the national stage, the Federal Deposit Insurance Corp., the Federal Reserve Board and the Office of the Comptroller of the Currency published a proposal for enhanced cyber security risk management and resilience standards; the agencies are accepting comments on the proposal until January 17, 2017. On the global stage, the Group of Seven (G7) industrial powers put forth cyber security guidelines geared toward protecting the global financial sector from cyber attacks. The guidelines encourage financial organizations to approach cyber security from a risk management perspective.

How do banks keep up and make sure they maintain compliance with the many requirements and guidelines?

The solution centers on approaching cyber security from a risk-based point of view. That means identifying where the most important systems and applications live, their business value, who accesses them and how, the vulnerabilities that raise the risk of those assets being compromised, and the threats to those assets. Companies must build their cyber security programs around protecting their most valued assets. They must marry external and insider threat information with the associated vulnerabilities and asset value to determine which threats must be investigated immediately and which vulnerabilities must be patched first. If they continuously identify and mitigate the threats and vulnerabilities that put their most valued assets at risk of compromise, they inherently take a huge step towards protecting themselves and complying with the many regulatory requirements. By contrast, the legacy mode of operation, which focuses exclusively on the isolated severity of individual incidents, will keep those institutions behind the eight ball on both protection and compliance. If you try to protect all assets equally, you are in effect protecting nothing.
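To make the contrast between the two modes concrete, here is an added worked example (written for this page, not Bay Dynamics code or any product's scoring model). It joins a constructed asset inventory, a constructed set of findings with hypothetical identifiers (V-1001 and so on, not real CVEs) and a constructed threat feed into one "value at risk" score, then ranks the findings two ways: by isolated severity alone, as the legacy mode does, and by the risk-based score described above. The weights used for exposure and threat are assumptions chosen for illustration.

```python
"""Risk-based vulnerability prioritisation (added, illustrative example).

Encodes the approach described above: join asset business value, exposure,
vulnerability severity and threat intelligence into one ranking, and compare
it with a severity-only ordering. All identifiers and data are constructed;
this is not Bay Dynamics code or any product's scoring model.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    business_value: int      # 1 (low) .. 5 (crown jewel), set by the business owner
    internet_facing: bool    # "how they access them": reachable from outside?


@dataclass(frozen=True)
class Vulnerability:
    vuln_id: str             # hypothetical IDs (V-1001 ...), not real CVEs
    asset: str               # Asset.name this finding was reported on
    cvss: float              # isolated severity, 0..10


@dataclass(frozen=True)
class ThreatIntel:
    actively_exploited: bool  # external threat: exploitation seen in the wild
    insider_anomaly: bool     # insider threat: unusual access to the asset


# Constructed sample inventory, findings and threat feed.
ASSETS = {a.name: a for a in [
    Asset("core-banking-db", business_value=5, internet_facing=False),
    Asset("wire-transfer-api", business_value=5, internet_facing=True),
    Asset("dev-wiki", business_value=2, internet_facing=False),
    Asset("marketing-site", business_value=1, internet_facing=True),
]}

VULNS = [
    Vulnerability("V-1001", "marketing-site", cvss=9.8),
    Vulnerability("V-1002", "core-banking-db", cvss=6.5),
    Vulnerability("V-1003", "wire-transfer-api", cvss=7.5),
    Vulnerability("V-1004", "dev-wiki", cvss=9.1),
]

INTEL = {
    "V-1002": ThreatIntel(actively_exploited=True, insider_anomaly=True),
    "V-1003": ThreatIntel(actively_exploited=True, insider_anomaly=False),
}
NO_INTEL = ThreatIntel(actively_exploited=False, insider_anomaly=False)


def risk_score(asset: Asset, vuln: Vulnerability, intel: ThreatIntel) -> float:
    """Value-at-risk proxy = business value x severity x exposure x threat.

    The multipliers are assumptions chosen for illustration; a real programme
    would calibrate them against its own loss data and risk appetite.
    """
    severity = vuln.cvss / 10.0
    exposure = 1.5 if asset.internet_facing else 1.0
    threat = 1.0
    if intel.actively_exploited:
        threat += 1.0
    if intel.insider_anomaly:
        threat += 0.5
    return round(asset.business_value * severity * exposure * threat, 3)


def severity_ranking(vulns=VULNS):
    """Legacy mode: order findings by isolated CVSS only."""
    return [v.vuln_id for v in sorted(vulns, key=lambda v: v.cvss, reverse=True)]


def risk_ranking(assets=ASSETS, vulns=VULNS, intel=INTEL):
    """Risk-based mode: order findings by value at risk, highest first."""
    scored = [(risk_score(assets[v.asset], v, intel.get(v.vuln_id, NO_INTEL)), v.vuln_id)
              for v in vulns]
    return [vid for _, vid in sorted(scored, key=lambda s: (-s[0], s[1]))]


if __name__ == "__main__":
    print("severity only :", severity_ranking())
    print("risk based    :", risk_ranking())
```

On this constructed data the severity-only list puts the marketing site's 9.8 finding first and the core banking database's 6.5 finding last; the risk-based list inverts that, because the 6.5 finding sits on a crown-jewel asset, is being exploited in the wild and coincides with anomalous insider access. The point is not the particular weights but that the same scanner output yields a different patch order once asset value and threat context are part of the calculation.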


Automation is also critical to collecting and reporting cyber risk data for compliance. Compliance reporting in many organizations today is a last-minute scramble filled with stress and headaches, and it often overtakes the focus on making sure that the cyber security controls are actually effective in protecting the environment. Many companies operate in an outdated mode, plugging compliance data into manually compiled spreadsheets that are stitched together for the report. They then work to patch systems and close gaps, followed by more compiled spreadsheets and emails to update the report. The data collection process is so distracting that it forces security teams to take their eye off the ball of protection. Automating data collection and reporting lets compliance data be updated and presented on demand. It also supports a continuous compliance model in which stakeholders know where they stand every day of the week, minimizing compliance fire drills.

Finally, organizations need to make sure their boards of directors and their IT and security professionals are speaking the same language, and that is the language of risk. In 2016, Bay Dynamics launched a series of board reports, one of which revealed that more than half of board members felt they were at a disadvantage because security reporting is too technical. Only one in six board members claimed substantial expertise in understanding the nuances and implications of cyber security issues, and that knowledge deficiency is why 60 percent believe that one or more board members should be a CISO or some other type of cyber security expert. Boards and IT and security practitioners must speak the same language so that boards can make the best-informed decisions to reduce cyber risk. Having a CISO on the board would help tremendously, but in the meantime IT and security practitioners must change how they approach their cyber security programs. They should adopt a risk-based approach rather than a purely technical one, because the board understands risk. Board members want to know the value at risk if there were a compromise and what they must do to reduce that risk.
