Despite a plethora of loose industry frameworks and a flurry of rule-making, large financial services organizations in the United States essentially operate without any risk standards in place for cyber security. This has led to under-informed boards of directors who don’t have a full understanding of risk in this constantly evolving area and frustrated regulators who are used to consistency of risk operations across other parts of the banking industry.
To finally combat these challenges, the Federal Reserve Board (FRB), the Office of the Comptroller of the Currency (OCC), and the Federal Deposit Insurance Corporation (FDIC) are proposing new, enterprise-wide rules establishing enhanced cyber risk management standards. These proposed rules apply to certain entities with total consolidated assets of $50 billion or more, including U.S. bank holding companies, U.S. operations of foreign banks and U.S. savings and loan companies. They also apply to third-party service providers of these entities. The proposed regulations are intended to increase the operational resilience of financial entities and reduce the impact of a cyber attack on the financial system by forcing the board of directors of each firm to focus on cyber risk.
This joint proposal, from three of the five Federal Financial Institutions Examination Council regulators, goes beyond the existing and varied industry frameworks, which only loosely capture what regulators want from a standards perspective for cyber security. These earlier efforts “do not really discuss what cyber risk actually means, nor how it aligns to the broader operational and enterprise risk models adhered to by other parts of the business — including the incorporation of cyber risk and IT risk management under the chief risk officer, an organization that sets standards and policies and applies checks and balances for cyber security like other business risk models,” says Charles Jacco, Principal, Cyber Security Services Financial Services Industry Leader at KPMG.
That is all about to change, and here’s why:
With cyber risk, a lot of banks are “all over the place,” says Jacco, so now regulators are looking to standardize cyber security approaches to risk management. “You should be operating cyber (security) no different than any other IT or business function,” he says. “It needs to have the appropriate checks and balances across the organization, but there isn’t a policy today that dictates that.”
Among the challenges for those looking to implement the proposed rules and requirements: how do organizations measure cyber security risk? How do organizations report cyber risk to the board of directors so that directors understand it and view it as they would any other enterprise risk to the business? How do you determine who should own each piece of that function and apply the appropriate checks and balances? And how do you define a risk appetite for cyber risk consistently across an industry in which the “crown jewels” each financial services firm needs to protect are so vastly different?
“Regulators are now looking to dictate what the organization model should look like — each organization can’t do it differently anymore,” says Jacco. For some organizations, the CISO may have been in charge of cyber risk as well as cyber security, but now the new proposed requirements say the CISO cannot own the risk. “The CISO owns the controls and the controls implementation, they have to do everything to protect the bank’s perimeter and its assets,” he explains. “What the CISO shouldn’t do is also own the reporting and measuring of cyber risk against those things.”
To that end, the biggest change in the proposed requirements is the creation of a Cyber Risk Organization, sitting within either Operational Risk or IT Risk and reporting to the CRO, which will now set the tone and report on cyber risk. “That’s new — the biggest change is in what regulators are looking for,” says Jacco. “Before this, a very technical person was giving direct and methodical readouts to the board of directors once a month or on some recurring basis about what is going on in cyber. Now, there will be a separate risk function to provide this information and focus the reporting on a to-be-determined industry-wide framework that is focused on cyber risk appetite, versus the technical cyber security reports that the board is getting now.”
The proposed regulatory requirement outlines five categories that will apply to all institutions on an enterprise-wide basis:
1) Cyber risk governance. Companies will develop and maintain a formal cyber risk management strategy, as well as a supporting framework of policies and procedures to implement the strategy. “You want to create the foundational things like you would do in operational risk,” says Jacco. “It’s not just the CISO that’s accountable for cyber, it’s a business problem — they want you to create governance and report accordingly across the business.”
2) Cyber risk management. Companies must incorporate enterprise-wide cyber risk management into the responsibilities of an independent risk management function reporting to the chief risk officer and board of directors. “Now you have a governance model, but how are you aligning that to IT and business cyber security policies?” says Jacco. “If your CISO is very restrictive and doesn’t allow the business to function to generate revenue, how can you create risk tolerances so the IT organization can protect, not impede, performance?”
3) Internal dependency management. It’s essential for organizations to work with risk management and internal audit to measure against the risk appetites that the new cyber risk function within the CRO is creating. How do risk management and internal audit make sure they are doing their job of pushing the CIO and CISO to get things done and of measuring appropriately? How do they understand how those controls are being tested and provide assurance? “This goes back to the idea of not operating in silos, to make sure the new requirements are run as a holistic governance framework,” says Jacco.
4) External dependency management. A lot of banks these days wholeheartedly leverage third parties to get business done. However, with data being sent in and out of your organization, to other business partners and through new cloud technologies, it’s critical to ensure that this flow of information has not generated any undue risk from a cyber perspective. “Data is walking in and out of firewalls every day,” says Jacco. “The organization needs to understand what this dependency is and understand where the data is going. It’s also imperative for organizations to identify their most critical business processes and the third parties needed to operate them, and treat that as a critical cyber risk accordingly.”
5) Create an incident response/cyber resilience governance model. When a breach occurs, a playbook needs to be in place that has the rules of the road for every piece of the organization. “It’s no longer just about the CISO and security operations center shutting down the breach,” says Jacco. “How is business now responding to this incident? How is it reporting to regulators? How are you getting external communications out to customers that there was an incident?”
Going forward, the CIO and those in charge of the risk organization need to get together and understand what the separation of duties is, says Jacco, and define who owns the policy and who owns the actual controls against those policies. “In a lot of cases the CIO and CISO may need to let go of certain functions they have today,” he says. “It needs to be part of the risk function now and the CIO needs to figure out how this change may affect the organization, from shifting employees from the existing model to a new risk organization.”
A big challenge for enterprises will be to find the right talent to own this cyber risk. “It’s hard enough to find traditional security people that also understand risk management, so this will be a challenging niche to fill,” says Jacco. “This is a big change in culture and understanding as far as hiring for this new role the government is asking for.” There is a serious impact on the risk organization: how the bank integrates cyber risk into overall enterprise operational risk, and how it all flows together so there can be a streamlined approach. “It’s a hard thing to do,” he says. “No one has the magic bullet right now.”
To learn more, visit KPMG’s Cyber website for the latest insights and readings.