As the role technology plays in today’s financial services environment has grown, it has introduced a range of new risks and vulnerabilities that must be recognized and acknowledged, placing cybersecurity high on the agenda for financial services executives and IT staff. The new 2016 FFIEC Information Security Handbook states:
With financial institutions becoming more reliant on third-party service providers to support important bank functions such as loan servicing, collections, item processing, payments, and IT network management, to name just a few, regulators have expressed increased concern that these third parties could present a weak link that cyber attackers can exploit. And the more third parties the institution uses, the greater the risk. All institutions, but especially community banks, ultimately bear this responsibility and must be aware of, and successfully manage, their service providers’ cyber risks.
Cybersecurity vs. Cyber Resilience
Regulations define cybersecurity as:
Cyber resilience then, is:
While cybersecurity (protecting against an attack) is vitally important, it is not the only thing that matters. To minimize the risks and vulnerabilities in the evolving digital landscape, cyber resilience (bouncing back from an attack) must be taken into consideration as well. Cyber resilience is an evolving perspective that essentially brings together the areas of information security, business continuity and organizational resilience. Ultimately it refers to the preparations an organization makes in regard to threats and vulnerabilities, the defenses it has developed and deployed, the resources available for mitigating a security failure once it occurs, and its post-attack recovery capabilities.
Driving Compliance Through Technology
One of the primary differences between the two is that although both cybersecurity and cyber resilience require effective third-party management, resilience requires an even greater focus on outsourced technology providers. This is particularly challenging because you must be prepared to recover from an event you could not foresee, could not prevent, and cannot control. The initial stages of a cyber incident require a rapid assessment of the incident’s impact as soon as possible after detection. When the incident occurs at a third party, you are relying on the vendor to notify you, which means your reaction time (and recovery capability) is entirely dependent on when (or if) you are notified. A recent report by the FDIC Office of the Inspector General found that most institutions have not fully considered and assessed the potential impact that third parties may have on the bank’s ability to manage its own business continuity planning and incident response.
Regulators expect financial institutions to be not just cyber-secure but cyber resilient, and that requires close cooperation with all their critical third parties. Assessing and managing risks, and developing capabilities for response and recovery in the event of disruptions regardless of where they may occur, requires financial institutions to have proven plans in place to meet regulatory expectations. The FFIEC has issued specific guidance on how it expects organizations to manage this process. The FFIEC IT Examination Handbook’s “Outsourcing Technology Services Booklet”, as well as the Information Security and Business Continuity Booklets, address expectations for managing due diligence, incident response, business continuity and the ongoing monitoring of outsourced third-party relationships.
Community banks should remain vigilant in monitoring emerging cyber threats and scenarios and consider their potential impact on operational resilience. The good news is that financial institutions can and should simulate and test their response to a cyber event just as they do for natural disasters. They should also make a point of including any significant third parties in their testing. The financial industry is investing significant time and resources to defend against cyber-attacks and strengthen resiliency, and there are many resources available today that can help streamline and automate the entire process of cybersecurity and resilience planning, testing and execution.