The recent rise of publicized security breaches and ransomware attacks has many financial organizations worrying themselves with questions like:
- “How long can our organization hold out against hackers and cybercriminals?”
- “How would we respond to a breach?”
- “What can we do to minimize – or even prevent – such an attack?”
Or, at least, that’s what they should be asking themselves. Surprisingly, we hear some executives react to the news of data breaches with a very different set of statements:
- “We have a firewall and anti-virus, so we’re good.”
- “The regulators (OCC, NCUA, SEC etc.) didn’t comment about this in their last report, so we don’t have to worry about it.”
- “We’ve got cyber insurance, so we’re good.”
What are the regulators saying?
The Federal Financial Institutions Examination Council (FFIEC) has issued a joint statement, on behalf of its member agencies (the FRB, FDIC, NCUA, OCC and CFPB), that reiterates the requirement for ongoing risk assessments and related risk management practices at the institutions those agencies supervise. The Securities and Exchange Commission (SEC), through its National Exam Program, continues to focus its IT examinations on whether the firms it regulates have a risk-based cyber security program in place. This guidance reinforces a requirement that is not new: a risk management program has been expected of all financial institutions since the Gramm-Leach-Bliley Act (GLBA) of 1999.
What Is/Why Have a Risk Management Program?
Information security encompasses all processes concerned with protecting the confidentiality, integrity and availability of an organization’s sensitive data and information resources through the deployment of security controls. But it isn’t as easy as sprinkling firewalls throughout the office or ‘setting and forgetting’ anti-virus software. Without risk identification and management processes, how can an organization know which controls need to be deployed, or whether they are effective against the threats it actually faces? Worse still, deploying controls arbitrarily can easily create a false sense of security among decision makers and executives.
An increasing number of states have enacted data breach notification legislation to supplement federal laws in the wake of recent, major data breaches. This legislation requires that organizations notify individuals affected by a data breach within a specified timeframe following the incident. Failure to comply with any of these requirements can result in significant financial and legal penalties.
“We’ve got cyber insurance, so we’re good.”
The upward trend in breaches has given rise to a new method of risk mitigation: cyber insurance. Cyber insurance allows an organization to address specific information security risks by transferring a portion of the financial liability resulting from a breach to a third-party insurer. However, many cyber insurance contracts require due diligence on the part of the insured, so failure to demonstrate risk management practices may result in higher premiums, or in coverage being denied altogether. Cyber insurance can therefore be a component of a well-functioning risk management program, but it is not a substitute for one.
Pretending your organization is risk-free, or that your firewall and anti-virus sufficiently address every threat to your sensitive data, is not a valid risk mitigation strategy. Don’t wait for someone else to prove it to you.
Continental Technologies, Inc.