While banking is an inherently risky business, most executives have a good understanding of the business risks facing their institutions. But mention information security, and many executives will tell you it’s an IT problem. Nothing could be further from the truth — information security is a business risk.
As news articles continue to expose cyber breaches across a wide range of industries, responsibility is starting to head upwards in the leadership chain to the audit committee and board of directors. Hard questions are being asked. Did leaders do their due diligence? Did they understand the risk? Did they appropriately align resources? If the answer is “no” to any of these questions, then liability may ultimately find its way to the C suite. For banking executives, information security is now part of the job.
Understanding information security risk at the business level helps you and your technology managers uncover and understand risk you may not have thought about. Below are seven questions to ask as you evaluate the security culture within your organization.
- Is ownership of the information security risk assessment process at the bank’s executive level?
Those who own the risk assessment process are in the best position to understand and effectively execute the risk program that comes from it. Since IT professionals aren’t typically responsible for (or aware of) all the organization’s business risks, they probably shouldn’t own the process. IT is a major player — and potentially even a leader — but ownership must reside where the responsibility lies: at the executive level. If your executive team lacks experience or feels some additional risk assessment guidance is important, facilitation (but not outsourced responsibility) with a third party is a good option.
- Do you have adequate cybersecurity resources?
In many banks, the IT personnel are not security professionals. In others, a shortage of available talent may limit in-house staffing options. In either case, finding a trusted advisor to implement a risk program is paramount, and you’ll need to budget for it.
- Does your program meet or exceed regulatory standards and requirements?
Financial institutions operate in a mature regulatory environment, and audits have been a part of doing business for years. But when it comes to information security, compliance is more than a necessary evil. It must go beyond “checking the box” to understanding the reasons for compliance, learning the value of a strong information security framework, and building on that value to develop a strong information security posture.
Beyond the audit report itself, it’s important that you understand the baselines and deviations from your institution’s security monitoring. Most importantly, you must be able to relate how the results affect risk within your organization so you can align resources appropriately to address those risks. Having a strong partnership with your IT auditors can add perspective and guidance.
- Are your systems and networks secure?
Systems and networks should be designed and configured properly and work in accordance with your risk assessment plan’s control objectives. Your plan should include testing the design and effectiveness of controls and include penetration testing and vulnerability assessments. It should also include a documented risk treatment plan with clearly articulated and assigned corrective actions, including a formalized and well-tested incident reporting and breach escalation process.
- Are user access privileges granted only to authorized users on a must-have basis?
Small banking institutions often assign the responsibility of granting user access privileges to IT. While IT might understand who works at the bank, they don’t necessarily understand who should have what levels of access. IT should provide lists of users, and business unit managers – such as branch managers and loan department leaders – should review each user’s access and make sure access privileges are granted on a must-have basis. In addition, a user’s access rights should be reviewed whenever their roles and responsibilities change or they leave the organization.
- Is your institution exercising effective control and monitoring over outsourced IT services or cloud-based service providers?
Outsourcing IT services allows your institution to focus on its core banking competencies while saving money on tools and technical expertise. However, while IT services can be outsourced, governance of those services can’t be. Your bank has the responsibility to understand what your vendors are doing and to manage them from a security perspective.
You should have a well-documented process to verify if your vendors and their services are secure. For example, you should know who’s accessing which systems and how your organization will be notified of issues. A comprehensive service level agreement should address these issues and clearly set out performance metrics around information security reporting.
- How often do you receive executive communication and updates on how well your cybersecurity program is holding up?
It’s critical to know whether your institution’s governance, risk management, and oversight programs are working properly. This means knowing what the baselines are for different types of security controls and activities within your organization and monitoring what typically happens on a month-to-month basis around information security and various weaknesses and vulnerabilities.
If your monitoring shows spikes in activity beyond the baseline, executives and oversight committees have a responsibility to understand what happened and what your institution did to ensure that customer, employee, and bank-sensitive information is secure.
Detailed responses to these questions can provide deep insight into the state of cybersecurity within your organization, as well as your current internal and external compliance posture.
For more information or questions regarding cybersecurity best practices and compliance risk management, give us a call.