Cybersecurity: Part 2 – Cyber-Related Risk Assessment and Controls*
by Qing Liu, Technology Architect, Federal Reserve Bank of Chicago, and Sebastiaan Gybels, Risk Management Team Leader, Federal Reserve Bank of Chicago
Each year, as new product vulnerabilities surface, millions of new malicious software (malware) programs, cyberthreats, and cyberattacks are developed to exploit these vulnerabilities for nefarious purposes.1 The first article in this two-part series on cybersecurity highlighted the seven most common cyberthreats and cyber-related risks that community banks have identified and experienced.2 This article illustrates a four-pillared general cybersecurity framework that can help community banks assess and mitigate cyberthreats and risks.
Some community banks may suffer from “security paralysis,” a condition in which banks fail to prioritize areas for remediation because of limited resources. Others simply attempt to apply a set of best practices, hoping that what worked for another bank will work for them. Neither of these approaches is a feasible strategy to protect banks and maximize their return on investment in cybersecurity. Considering that cyber-related incidents will continue to increase in both frequency and sophistication, all community banks should consider developing a cybersecurity framework — a coherent methodology and mechanism — to address cybersecurity threats and risks.3
A cybersecurity framework enables banks — regardless of size, degree of cybersecurity risk, or sophistication — to support four concurrent and continuous functions (described as Core Functions in the National Institute of Standards and Technology Cybersecurity Framework):
- Identification — identify the internal and external cybersecurity risks to systems, assets, data, and capabilities
- Protection — protect business operations from damages or losses
- Detection — detect and identify the occurrence of a cybersecurity event
- Response and Recovery — respond to a detected cybersecurity event and recover and restore any capabilities or services that were impaired during the event
Furthermore, a cybersecurity framework should integrate with a bank’s risk management processes, enabling the bank to make informed and prioritized decisions. It should support recurring risk assessments, which allow a bank to dynamically select and direct improvements in cybersecurity risk management. Lastly, a cybersecurity framework should be flexible, allowing for a broad array of cybersecurity risk management processes.
A model cybersecurity framework is a risk-based structure that achieves stated objectives through four pillars:
- Risk Identification (Identification)
- Policies, Procedures, and Controls (Protection)
- Governance and Monitoring (Detection)
- Resilience and Incident Response (Response and Recovery)
While processes, threats, vulnerabilities, risk tolerances, and needs may differ by institution, the cybersecurity framework can be leveraged to strengthen an existing cybersecurity program. The framework allows an institution to prioritize and manage cybersecurity threats and risks based on its risk assessment.
Pillar 1 — Risk Identification
While the board of directors is ultimately responsible for the oversight of risk management, bank management is accountable for the daily operation of risk management processes. Risk identification is the starting point. Through risk identification activities, management identifies cybersecurity threats and risks as well as their potential impacts on the bank. Management then develops the organizational view of cybersecurity risks by characterizing and quantifying the risks to systems, assets, data, and capabilities.
The risk identification process consists of the following steps:
- Create a complete inventory of systems and data.
- Determine the criticality of the systems and data.
- Identify all vulnerabilities and threats to the systems and data.
- Collect and classify controls.
- Determine the residual risk based on the identified risks and mitigating controls in place.
- Generate reports and submit the results to senior leadership.
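The six steps above can be carried through end to end in a small risk register. The following Python is an added illustration, not part of the article or of any Federal Reserve tooling: the 1-3 likelihood and criticality scales, the per-control risk-reduction factors, the residual-risk thresholds and the sample assets are all assumptions made up for the example, and a bank would substitute the scales from its own risk assessment methodology.

```python
"""Added example: a minimal cyber risk register that walks the six risk
identification steps (inventory, criticality, threats, controls, residual
risk, report). All scales and thresholds are assumed for illustration."""
from dataclasses import dataclass, field

# Assumed ordinal scales (1 = low, 3 = high).
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
CRITICALITY = {"low": 1, "medium": 2, "high": 3}

# Step 4: controls are classified by type. The fraction is the assumed share
# of inherent risk that one control of that type removes.
CONTROL_REDUCTION = {"preventive": 0.6, "detective": 0.3, "corrective": 0.2}

# Assumed residual-risk thresholds used when reporting to senior leadership.
REMEDIATE_AT = 4.0
MONITOR_AT = 2.0


@dataclass
class Asset:                      # Steps 1-2: inventory entry with criticality
    name: str
    criticality: str              # "low" | "medium" | "high"
    data_class: str               # e.g. "customer PII", "public"


@dataclass
class Risk:                       # Step 3: a threat paired with an asset
    asset: Asset
    threat: str
    likelihood: str               # "low" | "medium" | "high"
    controls: list = field(default_factory=list)   # [(name, type), ...]


def inherent_score(risk: Risk) -> int:
    """Likelihood x criticality, before any control is credited."""
    return LIKELIHOOD[risk.likelihood] * CRITICALITY[risk.asset.criticality]


def mitigation(controls) -> float:
    """Combined reduction from independent controls: 1 - prod(1 - r_i)."""
    remaining = 1.0
    for _name, ctype in controls:
        remaining *= 1.0 - CONTROL_REDUCTION[ctype]
    return 1.0 - remaining


def residual_score(risk: Risk) -> float:
    """Step 5: inherent risk that survives the controls in place."""
    return round(inherent_score(risk) * (1.0 - mitigation(risk.controls)), 2)


def disposition(score: float) -> str:
    if score >= REMEDIATE_AT:
        return "remediate"
    if score >= MONITOR_AT:
        return "monitor"
    return "accept"


def report(risks) -> list:
    """Step 6: rows ordered by residual risk, highest first, for leadership."""
    rows = []
    for r in risks:
        res = residual_score(r)
        rows.append({"asset": r.asset.name, "threat": r.threat,
                     "inherent": inherent_score(r), "residual": res,
                     "disposition": disposition(res)})
    return sorted(rows, key=lambda row: row["residual"], reverse=True)


# Constructed sample inventory for the example (not real bank data).
CORE_DB = Asset("core banking database", "high", "customer PII")
PORTAL = Asset("customer web portal", "high", "customer PII")
VENDOR_SFTP = Asset("vendor file transfer", "medium", "account data")
GUEST_WIFI = Asset("branch guest wifi", "low", "public")

SAMPLE_RISKS = [
    Risk(CORE_DB, "malware", "high",
         [("endpoint anti-malware", "preventive"), ("SIEM alerting", "detective")]),
    Risk(PORTAL, "distributed denial of service", "medium", []),
    Risk(VENDOR_SFTP, "data leakage", "high", [("DLP scanning", "detective")]),
    Risk(GUEST_WIFI, "unauthorized access", "medium",
         [("network segmentation", "preventive")]),
]

if __name__ == "__main__":
    for row in report(SAMPLE_RISKS):
        print(f"{row['residual']:>5}  {row['disposition']:<9} {row['asset']} / {row['threat']}")
```

Running the block prints the register sorted so that the uncontrolled denial-of-service exposure on the web portal tops the list, which is the prioritization the report to senior leadership is meant to surface; replacing the constants with the bank's own scales leaves the structure unchanged.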
A bank can evaluate the effectiveness of its risk identification processes by answering the following questions.
Does the bank have an effective risk assessment process to identify and react to new and emerging cybersecurity threats/risks? Bank management should assess the bank’s existing risk assessment processes. These processes should provide for an ongoing evaluation of the impact that cybersecurity risk could have on business operations and bank objectives. In addition, it is important for management to incorporate lessons learned from previous cybersecurity events and incident responses into the process.
Does the bank have an effective process to assess the impact of cyberevents on vendor relationships? Bank management should understand how vendors access the bank’s assets or data on-site and how vendors use and store the bank’s data off-site. Management can use this information to assess the risk exposure at both the bank’s and vendors’ sites.
Bank management should require its vendors to adequately protect its data. Additionally, the vendors should test their security controls and report the test/audit results back to the bank via vendor management channels, such as the enterprise vendor management program, contract review procedures, audit reports covering the vendors’ operations, service-level agreements, and other reports.4
Does the bank have an effective risk assessment process to identify unauthorized access to critical data? Bank management should inventory bank assets and categorize critical data in motion and at rest. Management then needs to evaluate the access controls in place to prevent unauthorized access by employees, third parties, and vendors. These controls, along with access monitoring, will help to safeguard business confidentiality and customer privacy. If a data breach occurs, bank management must report the incident to regulators as defined in the incident response plan, discussed later.5
Pillar 2 — Policies, Procedures, and Controls
Bank management should implement appropriate policies, procedures, and controls that properly address identified cybersecurity threats and risks and protect business operations and critical services. Good communication is essential if bank personnel are to properly integrate policies and procedures with technology to produce effective controls. Many security policies fail because they do not consider the importance of training bank personnel on the established policies, procedures, and controls. Focusing only on information technology and technology controls without considering stakeholder needs is not enough; procedures should consider all stakeholders — including bank customers, bank employees, third parties, and external vendors — who interact with the bank’s systems.
With careful consideration of the following questions, bank management can assess whether the implemented processes, policies, and an appropriate mix of controls can effectively detect and prevent cybersecurity threats from both internal and external sources.
Has management developed, implemented, and provided an ongoing review and revision of policies and procedures to effectively address the continuously evolving cybersecurity threats and risks? Bank management needs to establish an effective process to develop, implement, and maintain policies and procedures. Management should consider the following steps:
- Develop procedures to be consistent with legislation, regulation, corporate policies, and business operations.
- Take into account the results of risk assessments.
- Structure and optimize policies and procedures.
- Gain approval from senior management or, for policies, from the board of directors.
- Train employees and convey an awareness of the seriousness of cybersecurity to all stakeholders.
- Improve and update policies and/or procedures.
Has management developed, implemented, and provided ongoing maintenance of controls to effectively address cybersecurity threats and risks? Controls can encompass identity and access management, including user access management and segregation of duties; authentication and authorization; third-party or vendor access monitoring; version controls on configuration management and patch management; and event monitoring and incident response. It is critical to update controls in a timely manner. Furthermore, bank management should continually review its risk assessment, map controls, and fill in the control gaps. The governance process will assist with the continual monitoring of controls and will provide input for updating the controls accordingly based on the risk profile.
Are the controls for cybersecurity threats and risks sufficient for the complexity of the environment? Cybersecurity controls need to be commensurate with a bank’s risk tolerance, the complexity of the bank’s business models, and the supporting information technology (IT) organizational structures. For example, some banks may not implement all preventive controls because of the high cost and, as a result, may instead rely heavily on detective controls. Other banks increasingly rely on cyberinsurance policies as a risk transfer strategy. It is important to note that cyberinsurance should not be seen as a control to mitigate the entire potential impact of cyberthreats and risks. Its purpose is to limit financial losses from a variety of cyberincidents, including data breaches, business interruption, and network damage. However, cyberinsurance will not cover indirect losses, such as reputational damage, the leakage of intellectual property or confidential information, and the decrease of shareholder value.
Do management and internal audit effectively identify control weaknesses, find gaps between control structure and policy, and verify the execution of appropriate and effective remediation actions to close the identified gaps and weaknesses? To achieve these goals, bank management may choose to acquire skillful and experienced internal audit staff or outsource these functions to a third party.6 In either case, bank management should verify the qualification and professional certification of audit staff, and additional training may be necessary to enhance the skills of internal audit staff. With cyberthreats and risks changing over time, training should be seen as an ongoing effort.
Pillar 3 — Governance and Monitoring
A key to cyber-related risk prevention is developing and maintaining strong governance over cybersecurity. Effective governance establishes policies and practices in a manner that allows for communication of cybersecurity activities and outcomes across the organization from the executive level to the implementation and operational level. Bank management should also develop metrics and implement monitoring and reporting mechanisms to swiftly and effectively detect cyberevents and to allow for continual control improvements.
A bank can evaluate the effectiveness of governance and monitoring controls to ensure compliance with security policies and practices by answering the following questions.
Does the bank have adequate governance committees and structures in place to ensure appropriate oversight and monitoring of key information security risks? The governance structure needs to ensure that:
- The committee reporting structure escalates cyberevents to an appropriate level.
- The members of the committee structure have the appropriate authority.
An established process should monitor the effectiveness of controls and ensure that control breakdowns are reported in a timely manner. It is critical to have skilled staff involved during the control monitoring. The process should not just be IT-centric, as critical business lines should be involved in cybersecurity oversight as well. Successful cybersecurity procedures and control implementation should be transparent to business operations.
Governance also needs to address resource and training requirements. It is essential to integrate training and awareness education into a framework in order to influence the behavior of all stakeholders, including bank customers, bank employees, third parties, and vendors. To achieve this goal, appropriate resources should be made available.
Does the bank adequately monitor the control environment and sufficiency of key controls relative to information security? Control effectiveness has two components: design effectiveness and operational effectiveness. Design effectiveness refers to whether controls are properly designed to achieve control objectives if they operate as defined. Operational effectiveness refers to whether controls consistently operate as designed. Controls should be tested and documented on a regular basis by personnel with appropriate expertise and independence. For example, penetration tests should be part of a routine control assessment, as referenced in the Federal Financial Institutions Examination Council (FFIEC) IT Examination Handbook7 and the Payment Card Industry (PCI) Data Security Standard Security Scanning Procedures.8 The penetration test results could be submitted to the board of directors as part of the periodic compliance and risk management reports.
Does the bank have adequate management information systems (MIS), and does it review security events on an ongoing basis? Bank management needs to develop a set of scenarios or key risk indicators that notify managers of security events in a timely manner. Appropriately skilled staff should be involved in identifying security events and in escalating and reporting critical issues to all key stakeholders. Timely and actionable MIS reporting will continue to improve the control environment for both current and emerging cybersecurity risks.
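The key risk indicators this question calls for have to be computed from something, and the access-monitoring and vendor-access-monitoring controls named under Pillar 2 are a natural source. The Python below is an added example, not code from the article: it evaluates three indicators over a handful of constructed access-log lines (repeated failed logons on one account, vendor accounts active outside business hours, and reads of a critical data store by accounts not on its authorized list). The log format, the `vendor_` naming convention, the business-hours window, the failure threshold and the authorized-user list are all assumptions chosen for the illustration.

```python
"""Added example: key risk indicators (KRIs) computed from access-log lines.
Log format, thresholds, account naming and the authorized list are assumed."""
from collections import Counter
from datetime import datetime

# Assumed tuning for the indicators.
FAILED_LOGIN_THRESHOLD = 3          # failures per account that trip the KRI
BUSINESS_HOURS = range(8, 18)       # 08:00-17:59 local time
VENDOR_PREFIX = "vendor_"           # assumed naming convention for vendor accounts
CRITICAL_RESOURCES = {"core_db": {"jsmith"}}   # resource -> authorized accounts

# Constructed sample log (not real data). One event per line:
# <ISO timestamp> key=value ...
SAMPLE_LOG = """\
2014-06-02T09:05:10 user=jsmith action=login result=OK src=10.0.1.20
2014-06-02T09:06:00 user=jsmith action=read resource=core_db result=OK src=10.0.1.20
2014-06-02T10:15:00 user=tjones action=login result=FAIL src=10.0.1.31
2014-06-02T21:40:00 user=vendor_acme action=login result=OK src=203.0.113.5
2014-06-02T21:41:12 user=vendor_acme action=read resource=core_db result=OK src=203.0.113.5
2014-06-02T23:01:00 user=admin action=login result=FAIL src=198.51.100.9
2014-06-02T23:01:05 user=admin action=login result=FAIL src=198.51.100.9
2014-06-02T23:01:09 user=admin action=login result=FAIL src=198.51.100.9
"""


def parse_line(line: str) -> dict:
    """Turn one 'timestamp k=v k=v' line into a dict; malformed lines -> {}."""
    parts = line.split()
    if not parts:
        return {}
    try:
        event = {"ts": datetime.fromisoformat(parts[0])}
    except ValueError:
        return {}
    for token in parts[1:]:
        key, sep, value = token.partition("=")
        if sep:
            event[key] = value
    return event


def compute_kris(log_text: str) -> dict:
    """Evaluate the three indicators and return them in one report dict."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]

    # KRI 1: accounts with repeated failed logons (possible credential attack).
    failures = Counter(e["user"] for e in events
                       if e.get("action") == "login" and e.get("result") == "FAIL")
    failed_login_burst = sorted(u for u, n in failures.items()
                                if n >= FAILED_LOGIN_THRESHOLD)

    # KRI 2: vendor accounts successfully active outside business hours.
    after_hours_vendor = sorted({e["user"] for e in events
                                 if e.get("user", "").startswith(VENDOR_PREFIX)
                                 and e.get("result") == "OK"
                                 and e["ts"].hour not in BUSINESS_HOURS})

    # KRI 3: reads of a critical resource by an account not authorized for it.
    unauthorized_critical_access = sorted(
        {(e["user"], e["resource"]) for e in events
         if e.get("action") == "read"
         and e.get("resource") in CRITICAL_RESOURCES
         and e["user"] not in CRITICAL_RESOURCES[e["resource"]]})

    report = {
        "failed_login_burst": failed_login_burst,
        "after_hours_vendor_access": after_hours_vendor,
        "unauthorized_critical_access": unauthorized_critical_access,
    }
    # Any tripped indicator is escalated; otherwise the report is routine.
    report["escalate"] = any(report[k] for k in
                             ("failed_login_burst", "after_hours_vendor_access",
                              "unauthorized_critical_access"))
    return report


if __name__ == "__main__":
    for name, value in compute_kris(SAMPLE_LOG).items():
        print(f"{name}: {value}")
```

On the sample data the report flags the `admin` account for three failed logons, the `vendor_acme` account for after-hours activity and for reading `core_db` without being on its authorized list, and sets `escalate` so the event reaches the governance committee level described under Pillar 3; the single `tjones` failure stays below the threshold and is left for routine review.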
Pillar 4 — Resilience and Incident Response
Bank management needs to develop resiliency plans in order to respond to and recover from attacks — physical and cyber — against critical business operations. A well-tested process and plan should enable bank management to prioritize and respond appropriately to the most likely and potentially impactful incidents, including those that may escalate and threaten the actual survival of the bank itself.
By asking the following questions, a bank can assess the effectiveness of its business continuity/resiliency and incident response plans.
Does the bank’s business impact analysis consider cybersecurity threat scenarios in its business continuity/resilience planning? In risk identification, bank management will use business impact analyses to identify cybersecurity threats and potential impacts on business operations and critical services. These potential impacts include loss of revenue; additional expenses from services, equipment, and overtime; regulatory, legal, and other expenses arising from fines, contractual obligations, and financial liabilities; reduction of service level; and impact on public image and market share.
Does the business continuity/resilience program take into account potential cybersecurity threats? When bank management develops a business continuity/resilience program, it should consider all key stakeholders who may be impacted by cybersecurity threats, including bank customers, bank business operators, information security staff, business partners, third parties, and vendors. The program should clearly document action steps from each of the key stakeholders and describe the expected results from each action.
Does the bank include identified cybersecurity events in its business resumption testing program? Cybersecurity events should be defined as valid test scenarios in a bank’s business resumption program. Bank management should conduct tests around these scenarios at least once a year, with additional iterations whenever major changes to the environment or business processes occur.
Banks constantly face the challenges and changes that arise from new cybersecurity threats, data breach events, evolving technologies, business dynamics, and regulatory requirements. As a result, bank management should continually revisit its cybersecurity frameworks to update and enhance cybersecurity risk management practices.
An effective cybersecurity framework will help bank management to coordinate the response and recovery activities among all involved parties before, during, and after a cybersecurity event. Well-organized and tested business plans for continuity, incident response, and business resumption are vital to safeguard a bank’s assets.
When a bank builds a strong and adaptive cybersecurity framework, the bank can have a better alignment between its business requirements, risk tolerance, and resources. An effective cybersecurity framework also enables bank management to continually refine its risk management priorities and to establish a road map that not only reduces cybersecurity risks but also aligns with organizational goals, legal and regulatory requirements, and industry sound practices.
- *This article is the second of a two-part series that discusses cyberthreats and cyber-related risks and how to implement an effective risk management framework. The first article, titled “Cybersecurity: Part 1 — Demystifying Cyberthreats,” appeared in the First Quarter 2014 issue of Community Banking Connections and is available at www.cbcfrs.org/articles/2014/Q1/cybersecurity.
- 1 Kaspersky Lab, Kaspersky Lab Report: Financial Cyber Threats in 2013, April 2014, available at http://ow.ly/yYrl6.
- 2 Specifically, these seven cyberthreats are (1) malware, (2) distributed denial of service attacks, (3) automated clearinghouse/payment account takeover, (4) data leakage, (5) third-party/cloud vendor risks, (6) mobile and web application vulnerabilities, and (7) weaknesses in project management or change management.
- 3 The cybersecurity framework described in this article is consistent with the National Institute of Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity, published on February 12, 2014, available at www.nist.gov/cyberframework/index.cfm.
- 4 For further guidance, refer to Supervision and Regulation (SR) letter 13-19/Consumer Affairs (CA) letter 13-21, “Guidance on Managing Outsourcing Risk,” available at www.federalreserve.gov/bankinforeg/srletters/sr1319.htm.
- 5 For further guidance, refer to SR letter 05-23/CA letter 05-10, “Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice,” available at www.federalreserve.gov/boarddocs/srletters/2005/SR0523.htm.
- 6 A recently published edition of this newsletter discusses outsourcing internal audit. See “Considerations When Outsourcing Internal Audit at Community Banks,” Community Banking Connections, First Quarter 2014, available at www.cbcfrs.org/articles/2014/Q1/considerations-when-outsourcing-internal-audit-at-community-banks.
- 7 See the discussion of independent tests in the “Information Security Booklet” of the FFIEC IT Examination Handbook, available at http://ow.ly/yYv4Z.
- 8 PCI Security Standards Council, Information Supplement: Requirement 11.3 Penetration Testing, April 2008, available at http://ow.ly/yYvjL.