By Keith Millett | Nov 26, 2018 | Blog
Financial institutions are lucrative targets for hackers. Banks, credit unions, savings and loan associations, and other similar organizations are not only responsible for safeguarding our finances, they’re also responsible for protecting all of our financial data. Even if an attacker fails to steal money through unauthorized transfers, simply gathering our personal data (e.g., account numbers, social security numbers, contact information, and credit data) and offering it for sale on a dark web marketplace could result in a payday that makes the breach worthwhile.
The Rise of Cyber Crime
Reports published by threat intelligence and research organizations support the observable increase in attention that hackers and cyber criminals are paying to financial institutions. In July 2018, IntSights reported that they’d seen, “…a 135% year-over-year increase in financial data being sold on dark web black markets.” Attacks can originate anywhere and target anyone; attackers simply look to exploit any vulnerability in the organization’s infrastructure or workforce that will grant unauthorized access to sensitive financial data.
In an effort to create consistency and help drive information security practices in the financial sector, compliance requirements have been published by a number of governing bodies. Arguably the most well-known information security guidance for financial institutions comes from select sections of the Federal Financial Institutions Examination Council’s (FFIEC) IT Examination Handbook. The FFIEC is composed of five banking regulators, all of which have a vested interest in protecting consumer data from cyberattack.
Other published cybersecurity guidance for financial institutions includes the Federal Deposit Insurance Corporation’s (FDIC, a member of the FFIEC) cybersecurity resources, the SEC’s cybersecurity resources, and the requirements set out in the Gramm-Leach-Bliley Act (GLBA). Maintaining compliance with multiple, stringent regulatory requirements is a daunting task for any organization. This is where an organizational information security program shines.
Implementing a Comprehensive Information Security Program
The pursuit of regulatory compliance is a challenging journey for many organizations. Guidelines are intentionally written to apply to a variety of unique institutions. With such high-level and sometimes ambiguous requirements, can an organization feel confident that regulatory compliance has been achieved? Further, when regulatory compliance has been achieved, does that achievement inherently confirm that the organization has deployed data protections to the best of its ability? In situations where regulatory compliance is only a milestone and not an end goal, a structured information security program can help an organization meet its defined security objectives and satisfy regulatory requirements along the way.
A variety of frameworks are available that can be used to lay the foundation of an information security program. One general approach involves breaking controls down into the following categories:
- Administrative. Includes controls such as documented security policies and procedures, security awareness training, risk assessment activities, phishing exercises, and vendor management.
- Technical. Includes security infrastructure and devices such as firewalls, intrusion prevention/detection systems, endpoint protection software, multi-factor authentication (MFA), and data backup equipment.
- Physical. Includes controls such as physical access controls (e.g., door and window locks), environmental monitoring equipment, and power disruption management.
Make no mistake, creating an effective information security program is certainly more involved than deploying a few controls from each of these categories and calling it a day. So, what’s the best way to get started?
Determining the Necessary IT Solutions
One of the strongest first steps that can be taken by any organization seeking to implement an information security program and achieve regulatory compliance is to conduct a formal risk assessment. Risk assessment processes help to:
- Understand and categorize the assets present in the organization’s environment.
- Identify and understand potential events and bad actors that pose threats to assets.
- Estimate the likelihood that threat events will affect organizational assets and the degree to which each asset would be impacted if the threat event were to take place.
- Identify and understand the security controls currently deployed to protect organizational assets and their effectiveness in reducing risk.
- Calculate the residual risk remaining after the risk reduction provided by deployed controls has been considered.
Armed with a completed risk assessment and an understanding of the organization’s risk tolerance, executive management can begin to structure an information security program and make informed decisions about how to meet defined security objectives and regulatory requirements.
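To make the five steps above concrete, here is a small risk register carried through in Python. This is an added example, not CTI’s risk assessment procedure and not a formula from the FFIEC IT Examination Handbook, which prescribes no particular scoring model. The 1..5 likelihood and impact scales, the “effectiveness” fraction assigned to each control, the assumption that controls act independently, and the residual risk tolerance are all assumptions made for illustration; the assets, threats and scores are constructed sample data, not findings from any institution.

```python
"""Illustrative risk register: assets, threats, controls and residual risk.

Added example. The scoring model (likelihood x impact on a 1..5 scale,
each control removing an assumed fraction of inherent risk, controls
treated as independent) is an assumption for illustration, not guidance
from the FFIEC or any regulator. All sample data below is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field

SCALE = range(1, 6)  # assumed 1..5 qualitative scale for likelihood and impact


@dataclass
class Control:
    name: str
    effectiveness: float  # assumed fraction of inherent risk removed, 0.0..1.0

    def __post_init__(self) -> None:
        if not 0.0 <= self.effectiveness <= 1.0:
            raise ValueError(f"{self.name}: effectiveness must be within 0.0..1.0")


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int  # 1 = rare .. 5 = almost certain
    impact: int      # 1 = negligible .. 5 = severe
    controls: list[Control] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError(f"{self.asset}/{self.threat}: likelihood and impact must be 1..5")

    def inherent(self) -> int:
        """Risk before any controls: likelihood x impact on the assumed scale."""
        return self.likelihood * self.impact

    def residual_fraction(self) -> float:
        """Share of inherent risk that survives the deployed controls.

        Controls are assumed independent, so the surviving share is the
        product of what each control leaves behind. An asset with no
        controls keeps 100% of its inherent risk.
        """
        fraction = 1.0
        for control in self.controls:
            fraction *= 1.0 - control.effectiveness
        return fraction

    def residual(self) -> float:
        """Residual risk after controls, rounded for reporting."""
        return round(self.inherent() * self.residual_fraction(), 2)


def prioritize(register: list[Risk], tolerance: float) -> tuple[list[Risk], list[Risk]]:
    """Split the register into risks above and within the stated tolerance,
    each ordered with the highest residual risk first."""
    ranked = sorted(register, key=lambda r: r.residual(), reverse=True)
    above = [r for r in ranked if r.residual() > tolerance]
    within = [r for r in ranked if r.residual() <= tolerance]
    return above, within


def sample_register() -> list[Risk]:
    """Constructed sample data for a small institution; not real findings."""
    mfa = Control("Multi-factor authentication", 0.7)
    training = Control("Security awareness training", 0.3)
    backups = Control("Offline data backups", 0.5)
    edr = Control("Endpoint protection", 0.5)
    locks = Control("Branch door locks", 0.4)
    return [
        Risk("Core banking database", "Credential theft via phishing", 4, 5, [mfa, training]),
        Risk("Customer PII file share", "Ransomware", 3, 4, [backups, edr]),
        Risk("Branch teller workstation", "Physical theft", 2, 3, [locks]),
        Risk("Wire transfer portal", "Unauthorized transfer", 3, 5),  # no controls yet
    ]


if __name__ == "__main__":
    above, within = prioritize(sample_register(), tolerance=4.0)
    for label, group in (("ABOVE tolerance", above), ("within tolerance", within)):
        print(label)
        for r in group:
            print(f"  {r.residual():5.1f}  {r.asset}: {r.threat} (inherent {r.inherent()})")
```

The numbers themselves are not the point; what the output gives management is a ranked list of residual risks measured against the organization’s stated tolerance, which is the input the decisions described above depend on. In this constructed register the uncontrolled wire transfer portal and the phishing exposure of the core banking database land above a tolerance of 4.0, so they would be the first candidates for new controls or accepted-risk sign-off.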
Final Thoughts
CTI has been performing risk assessments for decades. We’ve crafted our risk assessment procedures specifically to assist customers who are subject to certain regulatory standards, such as financial institutions. In doing so, we’re able to quickly and efficiently help these customers understand their risk profile and set goals to achieve regulatory compliance. Whether banks, credit unions, savings and loan associations, or investment management firms, the continued success of our financial partners in regulatory compliance speaks to the success of our combined risk assessment efforts.
Contact us today for more information about compliant IT solutions for your financial institution.