Six actions CISOs should consider for stronger compliance and risk mitigation
Some regulators worry that the financial industry has reached an inflection point in terms of risk, owing to the digitisation of financial services institutions (FSIs) and their reliance on digital service providers, who in turn frequently depend on other digital service providers.
If one provider fails, other providers could fail with it, causing widespread harm to financial institutions and, as a result, severe hardship for society.
Consequently, regulators are creating new compliance rules and accurate-reporting requirements, and setting shorter timeframes for meeting them. This can feel overwhelming, but the intent is for FSIs to understand the implications of depending on third-party providers and services.
The call for exit strategies and cybersecurity
Some regulators are requiring FSIs to develop “exit strategies” in order to prevent the domino effect of one service provider collapse leading to more failures and the possible paralysis of a country’s financial industry.
For example, regulators in the European Union are granting FSIs windows of about 30 days. In the event of a significant incident, an FSI therefore has one month to replace a piece of technology or locate a new cloud provider.
When FSIs are developing exit strategies, cybersecurity must be taken into consideration. Here, we’ll cover some suggestions for financial industry CISOs who are attempting to adhere to the new rules while maintaining their digital transformation process.
Six actionable steps for CISOs
1) Find out where you’re at risk: FSIs need to identify their most essential business processes, assign each a risk rating, and prioritise the most important and most susceptible ones. Determining the organisation’s risks and vulnerabilities requires the CISO to communicate across the entire firm.
2) Implement cyber awareness training: To help their firms make up for the global shortage of cybersecurity talent, FSIs must upskill their workforce. Whatever their role, all personnel need cybersecurity awareness training as well as recurring updates on the latest risks and attack techniques.
3) Automation is key: Automation and augmentation are crucial to overcoming the cybersecurity skills gap. AI/ML technologies give teams actionable alerts from a single pane of glass, enabling them to manage and orchestrate the network and security enterprise-wide while also reducing human error.
In the past, most banks had their own teams of third-party governance workers who used enormous spreadsheets to keep track of all the necessary controls. This manual approach was unwieldy and error-prone. Some financial institutions had to employ vendors and outsource their compliance work, but as more rules are implemented, this strategy is neither manageable nor scalable.
FSIs are facing tighter profit margins and increasing operational costs because of these new regulations. If their data isn’t integrated and their infrastructure isn’t automated, FSIs are unlikely to meet compliance requirements and regulations.
4) Learn from others: FSIs and their CISOs need to know what’s going on outside their four walls. The DORA regulations in Europe allow information sharing among FSIs to help them learn about the latest indicators of compromise (IOCs) and tactics, techniques and procedures (TTPs) going on “in the wild”.
To improve visibility of the external digital attack surface, consider using a digital risk protection (DRP) solution. Intelligence sources such as the dark web can help anticipate future cyberattacks.
5) Use high-level communication: When speaking with business stakeholders, a CIO or CISO needs to use a common language. The business team won’t follow a conversation focused on low-level controls. It is much simpler to have a conversation across the business if IT leaders elevate the message and discuss only the company’s risk and protection, threat detection, response and recovery.
FSIs in both the US and the EU employ a variety of control frameworks, including NIST SP 800-53, COBIT and ISO 27001. FSIs frequently develop their own frameworks, which incorporate elements from several of these.
6) Understand pertinent regulations and compliance: It all comes down to laying a proper foundation, one that not only incorporates the technology vision but also establishes feedback loops between those who will be impacted by a policy, the stakeholders and those who will be writing it.
Many organisations lack a comprehensive perspective and are not laying the right foundations, especially while experiencing rapid digital acceleration. From a business perspective, as well as from an IT and security perspective, it is crucial to know the specific requirements you must adhere to.
Preparing for risk
Banks face increasing regulations and compliance requirements as the cyber landscape grows ever more complex. Many nations consider financial services institutions critical infrastructure, and their collapse would be extremely harmful to national economies.
The expansion of regulation is therefore here to stay for the foreseeable future. In a scenario where one service provider’s failure can create a cascade of failures that cripple a bank, the requested 30-day provider turnaround is understandable, but nevertheless hard to achieve. Taking action on the six steps recommended above will help CISOs prepare for the requirements and risks they are facing.
About the authors:
Michael Brown is field CISO for financial services at Fortinet. He specialises in cybersecurity regulations, ESG impact, SD-WAN, SD-Branch, Zero Trust, low-latency electronic trading security, SASE and multi-cloud solutions.
Ricardo Ferreira is a field CISO at Fortinet covering EMEA. He has technology and public cloud experience focusing on regulated markets and how they can transform digitally using cyber security as an accelerator. He advises CxOs on establishing a solid foundation for their digital transformation.