The cybersecurity framework released by the National Institute of Standards and Technology on Feb. 12 marks a significant step in strengthening the security of the national critical infrastructure, and should serve as an important tool for banks in meeting regulators' heightened expectations for managing cyberrisk.
The framework followed, a year to the day, President Obama's executive order on improving critical infrastructure cybersecurity, which called for a voluntary, risk-based framework incorporating industry standards and best practices to improve cybersecurity. Under the order, regulators are due to deliver this month an internal report on the sufficiency of their cybersecurity regulations. They have until May to evaluate the framework and, if necessary, propose actions to update regulations aimed at further mitigating cyberrisk.
Though the framework does not establish new regulation, it does create a common foundation that regulators will likely use when conducting examinations and when updating their examination procedures and guidance. The recent high-profile data breaches have put additional focus on cybersecurity, and state and federal legislators continue their efforts to strengthen it. Even absent legislation, banks, credit unions, securities firms, financial market utilities, and service providers should expect regulators to devote increased resources to assessing cyberrisk management practices, and even to bring enforcement actions against firms that fall short of examiner expectations.
The NIST framework is part of a larger national security strategy to improve cybersecurity and strengthen the resiliency of critical infrastructure. The framework establishes a common language and approach for cyberrisk management, and serves as a guidepost for firm executives and board members to understand shifting regulatory expectations.
New guidance will probably be coordinated through the Federal Financial Institutions Examination Council, which last year established a cybersecurity and critical infrastructure working group to help banks identify vulnerabilities and respond to the increasing risks posed by cyberattacks. U.S. Comptroller of the Currency Thomas Curry said in Feb. 6 testimony before the U.S. Senate that the increasing risk of cyberattacks was a top concern, and that the working group was considering additional steps to ensure that institutions of all sizes have the ability to safeguard their systems.
Four areas that may gain increased regulatory attention include cyberrisk management, privacy safeguards, information sharing, and resiliency.
Cyberrisk management. Regulators will likely focus on the operational risks created by weak cyberrisk management practices. The framework encourages organizations to focus on outcomes rather than a checklist, and uses tiers to evaluate the sophistication of how an organization manages cyberrisk. Firms that are already performing thorough cyberrisk management activities may still find it useful to map their processes to the framework to identify potential issues that invite regulatory scrutiny. Departments conducting these exercises should brief executives and directors, especially the audit and risk committees, on the results.
Privacy safeguards. Organizations should review their privacy safeguards in conjunction with their cybersecurity program. The framework does not provide guidance for developing a privacy protection program, but can help organizations incorporate privacy principles into their cybersecurity program. Organizations should consider appropriate safeguards around privacy information, including a review of the information they collect, who can access it, who they share it with, how they safeguard privacy information against loss, modification or abuse, and the impact of a privacy data breach.
Information sharing. Cyberrisk management practices should integrate information sharing with threat management so that firms can take fast, concrete steps to mitigate a cyberattack. They should also coordinate with other firms through public-private partnerships such as the Financial Services Information Sharing and Analysis Center, which has developed a strong network to gather and communicate information about threats and vulnerabilities. The framework's tiers account for how an organization communicates and shares cybersecurity information with peers and partners as part of its cyberrisk management program.
Resiliency. Resiliency is an element of operational risk that is gaining greater recognition as a safety and soundness issue for financial regulators. The FFIEC cybersecurity working group is working to ensure that the entire financial system is aware of threats that can disrupt services, including denial of service attacks, and is taking appropriate steps. Firms can use the framework to express cyberrisk management requirements to third parties, including providers of critical systems on which they depend.
As financial companies prepare for examinations that look to have an increased focus on cybersecurity, special attention to these priorities can help identify weaknesses likely to be of particular interest to examiners. Regulators will also expect organizations to demonstrate a proactive security posture that continuously evaluates and adjusts their current information technology environment for threats, vulnerabilities, and the effectiveness of controls in place.
Earl Crane is a senior principal at Promontory Financial Group and the former director for federal cybersecurity policy on the White House National Security Staff.