Is multiple choice the right way to go on cybersecurity standards?
WASHINGTON — Despite the constant cyber threat, regulators are giving banks flexibility to choose which cybersecurity framework suits them, an approach hailed by the industry.
A recent statement by the federal banking agencies highlighting four "standardized" cybersecurity tools from which to select is being praised for hitting a happy medium: putting security on banks' radar but recognizing that cyber risks vary by institution.
"Community banks are tough to prescribe security regulations [for]," said Paul Benda, a senior vice president of risk and cybersecurity at the American Bankers Association. "They're extremely varied, and because of that, the risk-based approach is going to be best."
But some security specialists argue that regulators risk becoming too flexible.
“It’s a horrible plan to allow banks to set their own security standards,” said Jake Williams, founder and president of Rendition InfoSec and a former cyber vulnerability analyst for the U.S. government. An informal supervisory approach, he said, could incentivize banks to lean too much on loss prevention such as cyberinsurance.
“Too many [organizations] are relying on cyberinsurance rather than trying to minimize loss through real security. This will obviously be unsustainable in the long term as insurance rates increase,” Williams said.
At issue is the statement released last month by the Federal Financial Institutions Examination Council emphasizing the “benefits of ... a standardized approach to assess and improve cybersecurity preparedness.” Yet the FFIEC recommended four different tools, saying the council does not endorse any single one and that "the tools are not examination programs."
"Institutions may choose from a variety of standardized tools aligned with industry standards and best practices to assess their cybersecurity preparedness," the FFIEC statement said.
The move was well received among industry trade groups, including the American Bankers Association, the Bank Policy Institute and the Independent Community Bankers of America. The ABA and the institute applauded inclusion of the Financial Services Sector Cybersecurity Profile, which the two groups helped develop, while the community banker group said the examination council's approach encourages community banks to continue using a "multitude" of tools.
"As ICBA has long said, the regulatory agencies should not mandate the use of one cybersecurity assessment tool over another," ICBA Chief Executive Rebeca Romero Rainey said in a press release.
Some security consultants say the regulators' approach is consistent with the threat environment being heterogeneous across different banks.
“It’s a positive step on the whole,” said Andrew Retrum, a managing director at Protiviti. “It’s consistent with what other regulators have said by acknowledging that there isn’t a one-size-fits-all solution for firms of different sizes, complexities and risk profiles.”
Regulators say having an array of standardized tools helps banks meet existing supervisory requirements, but that banks of different sizes and business models face different sets of demands and available resources.
The industry-driven Cybersecurity Profile, released in 2018, is a questionnaire-style document helping institutions assess both internal and external cyber risk management. It was designed to be less onerous than other assessment tools, promising to streamline the process for smaller banks. The number of questions may vary by a bank's size and risk profile. For example, the ABA estimates that a smaller community bank may need to answer only 142 questions.
By comparison, the FFIEC’s own Cybersecurity Assessment Tool has 533 security- and compliance-related questions.
“Support from national and state banking supervisors should encourage more institutions to adopt the Cybersecurity Profile, which will strengthen banks’ security and protect the customers and communities they serve,” ABA President and CEO Rob Nichols said in a press release last month.
One of the four assessment tools — the Cybersecurity Framework issued in 2014 by the Department of Commerce’s National Institute of Standards and Technology — laid out principles on which some of the other tools are based. The plan, a high-level strategic document, established a set of best security practices for banks and other high-risk industries. It outlined a common language for achieving core cybersecurity goals.
The fourth framework recommended by the FFIEC was the Center for Internet Security's Critical Security Controls. The CIS is a nongovernment entity that works with a network of organizations, including the Department of Homeland Security and University of California, Berkeley, to develop best practices for cybersecurity.
Regulators have recently indicated that the use of such frameworks is not mandatory.
"The [Federal Deposit Insurance Corp.] and the other U.S. federal banking regulators published a Cybersecurity Assessment Tool that financial institutions can use on a voluntary basis to help identify cyber risk and assess their level of cybersecurity preparedness," FDIC Chairman Jelena McWilliams said in a July speech. "This cybersecurity assessment tool, or any of a number of other recognized frameworks, can provide a repeatable and measurable process that financial institutions can use to measure cybersecurity preparedness over time."
The embrace of a risk-focused approach to cybersecurity regulation echoes the concerns expressed by the industry for years. Such an approach can allow banks to adapt and respond to threats quickly whereas more prescriptive rules might not be able to keep up.
“We’re seeing this interest in streamlined standards because the administration burden is already so high among financial service firms,” said Retrum. “They are spending more time working with frameworks and regulations and showing they’re complying, and less time actually protecting the environment and managing risk.
“Especially among smaller firms with limited resources, you need to be able to interpret a framework and decide how it fits into your risk profile. There’s a trade-off with trying to be efficient, but that regulatory burden is still there and still takes up a lot of time.”
Much of the policy discussion around cybersecurity guidelines in the last five years has been focused on the NIST framework. Banks hailed the document when it was published for being confined to existing regulations while offering guidance on where to improve.
According to some observers, there are pockets of the industry that have been slow to embrace the NIST framework, despite predictions when it was first issued that it could eventually become more compulsory.
“Some of NIST’s rules are becoming more flowy,” said Paul Rosenzweig, a senior fellow at the R Street Institute and a law professor at George Washington University. “Smaller banks and other financial institutions that don’t have the resources have been slower on the uptake.”
But Benda disagreed, saying that "the majority" of the ABA's small banks "use NIST as a baseline."
Regulators, meanwhile, stress the importance of updating banks' approaches to cybersecurity over time.
"It is important to assess on an ongoing basis the cybersecurity practices adopted from the framework or tool employed to ensure they are commensurate with the risks facing the institution," said a spokesperson for the Office of the Comptroller of the Currency, one of the five agencies on the FFIEC. "The tools themselves only represent best practices from the point of their release and do not necessarily keep pace with the threat environment."
Rosenzweig said cyber rules can serve as a baseline standard. “Regulation is the tide that lifts all boats, especially the laggards relying on everyone else’s security.”
But he added that merely requiring banks to check boxes with more regulation has its limits. For one thing, he noted, the industry still lacks a definitive way to grade a company's commitment to cybersecurity beyond its IT budget.
“You can point at how much you're spending on security and count how many boxes you fill on a security checklist, but there’s no equivalent of a FICO score for cybersecurity,” he said.