What Financial Services Companies Can Do Before Reaching a Point of No Return Regarding Risks and Regulations
Financial regulators in governments around the world are concerned about the risks that are growing as financial services institutions (FSIs) increase their acceptance and integration of digital technology into their businesses. FSIs are considered critical infrastructure in many countries and their failure would be very detrimental to their economies, therefore, authorities are creating new and specific regulations for their banks and other financial organizations.
The core issue is that with FSIs digitizing and relying on digital service providers that often use another digital service from another digital service vendor, some regulators fear the industry is reaching a point of no return, where there are no “exit strategies” in place. The fear is a catastrophic “domino effect” if one provider fails, leading to other failures and, ultimately, extensive damage to financial systems and extreme hardship on societies.
Because of these serious concerns, regulators are rolling out additional rules and compliance demands. Also, the timeframes for meeting these new demands are growing shorter. Add the requirements for accurate reporting and many FSIs are being overwhelmed trying to comply. Still, the regulators’ goal is to make FSIs fully understand how they are consuming digital technology and the importance of being fully prepared for the drawbacks that come with relying upon third-party providers and services.
How to Avoid the Domino Effect
To avoid the domino effect of one service provider failure leading to other failures and the crippling of a nation’s financial industry, regulators are compelling FSIs to create “exit strategies.” In the European Union, regulators are giving them timeframes of roughly thirty days. Therefore, if there’s a serious incident, FSIs have only a month to replace a piece of technology or find a new cloud provider. European FSIs for example are trying to work with the regulators to make them aware of their challenges and lobby them for more expansive exit strategies so that they can prepare and create plans.
Cybersecurity Needs to be in the Mix
Cybersecurity is critical to enabling resilient financial services operations and it must be part of the mix when FSIs are creating exit strategies. With that in mind, the following are recommendations for financial services CISOs trying to prepare for new regulations while continuing with their organizations’ digital acceleration efforts.
6 Steps CISOs Should Consider Doing in the Next 6 Months
1) Identify Business Critical Processes and Vulnerabilities
FSIs need to identify their critical business processes and apply a risk rating in order to prioritize the most critical and vulnerable ones. CISOs should also identify their organization’s vulnerabilities and risks. A comprehensive view is optimal, so this requires having conversations across your entire business.
2) Build Cyber Skills Set as Part of Your Foundation
FSIs need to upskill their employees so that their organizations can help compensate for the lack of cybersecurity talent worldwide. All employees, regardless of position, need cybersecurity awareness training, with periodic refreshers around new threats and attack methods. A good place to start is with existing training programs and services which cover awareness as well as corporate training, such as the Fortinet Training Institute.
3) Automate Everything with Cybersecurity Mesh Platform
Due to the lack of security talent, organizations don’t have enough of the “right people to fill the seats.” Automation and augmentation are the only ways around this shortage issue. Empowering your employees with AI/ML technologies will provide your teams with actionable, alerts and provides a single pane of glass, to manage, automate, and orchestrate your network and security across the entire organization. If done properly, automation will not only fill the skills gap but reduce the issues with human error as well.
In the recent past, U.S. banks had their own army of third-party governance employees who utilized giant spreadsheets to inventory all the controls. This manual process was both unmanageable and prone to human error, but it was getting done. Some financial institutions needed to outsource the compliance tasks and use vendors, but as regulations continue to be rolled out, this approach is not scalable nor manageable.
This is really the catalyst for change now because there are fewer employees at the banks. The banks’ budgets are a lot lower. FSIs are facing tighter profit margins and have increased operational costs that are being piled on them due to these new regulations.
If an FSI’s infrastructure isn't automated and its data Isn't integrated, it won’t be able to meet the compliance and regulations. Clearly, if a company’s cybersecurity and network foundation aren’t ready, it's going to be difficult for it going forward because it won't be able to keep up with the requirements being forced on it.
4) Share Knowledge
FSIs and CISOs need to think outside their walls. CISOs need to proactively find out what is happening to the brand out “in the wild.” In Europe, the DORA regulations have a provision for information sharing among FSIs to assist with indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs).
Information sharing knowledge among organizations is key. If an IT security team is only looking at its own data, they’re going to be ill-prepared for the cyber criminals that are attacking other FSIs, and, of course, vice versa.
It is also important to consider employing a DRP (digital risk protection) service, to enhance a view of the external digital attack surface. Places like the dark web can offer insight into future cyber-attacks to come.
5) Uplevel Your Risk Conversation Using Frameworks and Business Level Language
Aligning with a well-known framework like NIST, so that these conversations across the business can be had about that service, and it’s also important in order to build a foundation as well. OSCAL (Open Security Controls Assessment Language) has been at the forefront of how FSIs can actually create an information mechanism that actually tries to understand and makes data machine readable—so that FSIs can uplevel their regulatory landscape and make audits automated. A number of banks are trying to do a proof of concept, and some of them are piloting some of the OSCAL.
If a CIO or a CISO is talking with the business stakeholders, they need to communicate in a common language. And if this discussion is about the low-level controls, it’s going to be incomprehensible to the business team. But if the IT leaders elevate the message to a high-level language and only talk about the company's risk and protection, threat detection, response, and recovery, it makes it much easier to have a conversation across the business.
FSIs in both the U.S. and E.U. use various control frameworks such as ISO 27001, COBIT, and NIST 80053. Each is good in its own way but sits in a specific space and context. It is common to see FSIs use their own frameworks which include parts of many frameworks.
NIST CSF is not a controls framework, but a set of objectives to help cybersecurity risk management. It provides a common language that allows multiple standards to be used together. NIST CSF helps to translate between frameworks into a common language that is flexible and repeatable. It allows organizations to see from a risk perspective what is needed in order to mitigate.
6) Know Your Regulation and Compliance Landscape
It's all about building the right foundation that brings the vision from the technology but also has feedback loops between the people that will be affected by that policy, the stakeholders, and those who are actually going to build that policy. A lot of organizations, especially when they are in rapid digital acceleration, don't have a holistic view and they are not building the foundations with the proper weight. Knowing what specific regulations you need to address and comply with is key from a business level but also from an IT and security level.
In Conclusion
