Cyber security needs to extend beyond the arcane language of IT and information security specialists, to include the CEO and board of directors, a top Treasury official recently told a meeting of the Texas Bankers Association.
“Part of the challenge is that cyber security is too often described in language only relevant to technical experts and is too often left in the hands of technology professionals without the watchful oversight of senior executives and boards,” said Sarah Raskin, Deputy Secretary of the Treasury.
To address this, Raskin said she’s sifted through the questions she’s heard from numerous bank CEOs across the country and has formulated a checklist of ten questions that can provide a roadmap of sorts to instill cyber protection throughout a bank’s organization.
“By asking these questions, obtaining the answers, and performing necessary follow-up, you can ensure more rapid detection, diagnosis, response, and recovery should a breach occur at your banks,” she told the audience. [You can read Raskin’s speech, “Cybersecurity for Banks: 10 Questions for Executives and their Boards” here.]
10 questions to ask—and answer
The ten questions are divided into three sections: baseline protection, information sharing, and response and recovery.
Baseline protection—Policies, procedures, and controls that are in place to prevent penetration and to prevent damage.
Q1: Is cyber risk part of our current risk management framework?
“Ideally, your cyber security risk management is part and parcel of your enterprise risk management framework, key components of which are technology, process, and people,” Raskin said.
Q2: Do we follow the NIST Cybersecurity Framework?
“Banks should use the framework to reduce cyber security threats both within the bank and with outside vendors,” she said. (NIST stands for National Institute of Standards and Technology and is part of the Commerce Department.)
Q3: Do we know the cyber risks that our vendors and third-party service providers expose us to, and do we know the rigor of their cyber security controls?
“It is imperative that you understand the security safeguards that your vendors and other relevant third parties have in place.”
Q4: Do we have cyber risk insurance? If we do, what does it cover and exclude?
“Policy holders can now find coverage to match a broad array of cyber risks, ranging from liability and costs associated with data breaches to business interruption losses and even tangible property damage caused by cyber events.” [Read Scott Simmond’s “Are you covered for cyber fraud?”]
Q5: Do we engage in basic “cyber hygiene”?
This includes: “Knowing all the devices connected to your networks. Knowing what is running—or attempting to run—on your networks. Knowing who has administrative permissions to change, bypass, or override system configurations and then reducing that number to only those who need those privileges. And also patching software on a timely basis, and conducting continuous, automated vulnerability assessments and remediation.”
Information sharing—Effective defenses do not happen in isolation.
Q6: Do we share incident information with industry groups? If so, when and how does this occur?
“Sharing knowledge of vulnerabilities, threats, and incidents allows banks to benefit from the experience of others.”
Response and recovery—Efforts need to become continually more effective, efficient, and predictable.
Q7: Do we have a cyber incident playbook? And who is the point person for managing response and recovery?
“The person you choose to lead this effort should have exceptional organizational and communication skills because he or she will quarterback internal and external interactions.”
Q8: What roles do senior leaders and the board play in managing and overseeing the cyber incident response?
“It makes sense for banks to participate in cyber exercises that simulate a cyber intrusion. These exercises allow CEOs, directors, and other key players to figure out how they will navigate the pressures and problems that come from the intrusion.” [Read “Do boards have a role in cyber risk?”]
Q9: When and how do we engage with law enforcement after a breach?
“We recommend that financial institution leaders—at banks of all sizes—cultivate relationships with local U.S. Secret Service and FBI field offices.”
Q10: After a cyber incident, when and how do we inform our customers, investors, and the general public?
“To instill trust and confidence, the messages you communicate should avoid technical jargon and legalese and provide clear and consistent information.”
“Maintaining preparedness and cyber hygiene requires constant vigilance, even after cyber risks and controls become embedded in your bank’s enterprise risk management framework. Cyber threats are constantly evolving, and so too must our vigilance and safeguarding efforts,” Raskin said.