By Julie KnudsonBanks face significant operational risk challenges in the current climate, with a mix of cybersecurity threats vying for attention against increasing compliance mandates around risk assessment and mitigation. “We’re in a very complex regulatory landscape,” says Josh Magri, SVP at BITS, the Bank Policy Institute’s technology division. With each of the nine federal financial-sector regulators, along with other agencies at the state level, appropriately focused on cybersecurity, Magri says, “there hasn’t been a standardization of the way they talk about it, or issue regulations or develop guidance about it.”
Built around and keyed to the Cybersecurity Framework developed by the National Institute for Standards and Technology, the new profile also brings together the current principles around cybersecurity—federal, significant state and some international as well. “We took all these different requirements and we interpreted them and put them into a single common framework,” says Nadya Bartol, associate director at BCG Platinion, a division of the Boston Consulting Group. Over the course of their discussions within the industry, the work group saw that banks and regulators alike were faced with lean staffing and a lot to do. “The purpose of the profile is to increase efficiency and improve security by redirecting people and resources where they matter most,” says Bartol.
DePierro describes the profile as the first portion of a two-part analysis that “results in a common approach to cybersecurity compliance across regulators and across the financial companies, based on a credible cybersecurity framework.” The profile comprises a nine-question assessment that determines the potential impact of a cyber event happening at an individual bank, whether it’s an international, national, regional, or local community institution. “Once the impact level is determined, the bank is directed to those portions of the framework most relevant to the institution’s risk, size and business model,” DePierro says.
Like many banks, the team at First United Bank and Trust in Oakland, Md., relies heavily on third parties. Accurately assessing the cybersecurity position of each is a daunting task and the lack of standardization makes it even more difficult. “How are you absolutely sure your vendors are doing what they’re supposed to do?” asks Joyce A. Flinn, VP of information security and the bank’s disaster recovery officer. The new profile will help to put all that information into one understandable structure. “As a community bank, I can say, ‘What level are you at in this framework and have you met all the requirements of that level?’” Flinn says. She anticipates that being able to apply the same criteria across all of the bank’s vendors will not only provide a better assurance of everyone’s cybersecurity posture, but will also allow her team to deploy its security resources more effectively.