Achieving lasting success in the banking industry is tough. You have to compete against new players such as PayPal and Apple Pay while keeping regulators happy. Lingering public anger from the financial crisis means that voters, elected officials, and others view your operations with suspicion. In this environment, you’re just one problem away from taking a loss and falling behind. Increasingly, those losses take the form of cybersecurity incidents.
How Bank Regulators Are Raising the Bar for Cybersecurity
Major hacking and security incidents are in the news every month, and regulators are responding. The government response to bank security problems takes several forms. Take note of the following developments:
Public pressure: In Feb 2018, a senior official from the Federal Reserve delivered a speech on cybersecurity and regulation. These public remarks, delivered at an industry event, signal that the Fed will take action especially when companies fail to act on the basics of cybersecurity. Take note of these speeches and presentations, as they serve as a preview of the government’s areas of interest.
New regulations: In 2017, New York State’s Department of Financial Services put a new cybersecurity regulation into effect. This development is important for two reasons. First, New York is a leading financial center, so other jurisdictions may follow its lead. Second, New York’s rules are being phased in, so the obligations on covered entities are still growing. Among other requirements, regulated entities must notify the regulator within 72 hours of determining that a reportable cybersecurity event has occurred.
Cybersecurity inspections and audits: It’s not enough to claim that you have strong cybersecurity; you’ll have to prove it to auditors. SWIFT, the organization behind the messaging network that supports interbank payments, began external audits of cybersecurity controls in 2018.
Regulatory enforcement: Some bank regulators prefer to operate quietly behind the headlines. However, that quiet approach doesn’t mean banks get off easy. Instead, confidential orders and letters from regulators sometimes require expensive consulting and systems improvements to address fully.
When will this regulatory pressure end? That’s probably the wrong question to ask. Instead, put yourself in the shoes of hackers. What tools do they have to carry out attacks? Do they have resources and support from individual governments to carry out these attacks? Simply put, there are strong incentives for a hacker to continue attacks on financial companies.
The Painful Truth About Cybersecurity: Perfect Security Is a Myth
As much as customers and regulators want a perfect solution to cybersecurity, they won’t be satisfied. Why? Banks are in the business of taking risks to turn a profit. To stay competitive, banks must provide online access for their customers. Eliminating cybersecurity risk is not feasible. Instead, you need to look for ways to reduce the likelihood and impact of bank hacking attacks.
How do you deliver that improvement without spending endless sums of money on your security systems? It all comes back to access governance, and in particular to the principle of least privilege. By restricting each user’s access to what the job actually requires, you reduce the potential impact of a single compromised user ID at your bank.
Access Governance: Start with the Basics
To keep customers safe and minimize unwanted attention from bank regulators, you need to start with access governance fundamentals. For our purposes, we define fundamentals as the minimal expectations set by your regulators and industry bodies such as SWIFT. Assess your access governance program against these fundamental principles:
Policy: Do you have an access governance policy? A simple one-page document is often enough to start with. It’s also acceptable to cover this topic in a broader cybersecurity document.
Training: What resources and support do you provide to managers and employees for access governance? Our suggestion is to create two versions of the training: one aimed at business users and one aimed at a technical audience. In the business-oriented training, emphasize the risk management benefits of access governance.
Testing: Without testing activities, how will management and other stakeholders know if the access governance program is working? Set a schedule to review and test compliance with the access governance policy at least annually.
Review employees who’ve changed jobs: When an employee changes jobs at a bank, you need to change his or her access: grant what the new role requires and, just as importantly, remove the entitlements of the old role. Without that removal step, long-tenured employees accumulate access from every job they have held, which defeats the purpose of restricting access in the first place. This review is especially important when the employee moves from the front office (e.g., retail banking or investment banking) to support functions (e.g., finance and accounting, compliance and risk), since combining the two creates segregation-of-duties conflicts. It’s up to managers to complete this review process, and to do it at the time of the move rather than waiting for the next periodic certification.
Follow up on access governance audits: When internal audit reviews your security program, you may have audit findings or observations. Set a timeframe to address these findings that’s acceptable to audit and senior management. Aside from system changes, managers can address most audit findings in a few months. If you haven’t gone through an access governance audit yet, read our article on how to get ready for an access governance audit.
Optimizing Access Governance
Once you’ve mastered the fundamentals, you can look for optimization opportunities. These methods increase productivity and reduce your risk exposure further.
Implement an access governance solution: Asking managers and employees to carry out access governance manually does work. However, the manual approach tends to result in inconsistencies, as some managers may not pay attention to access. The alternative? Use Compliance Auditor, which provides access certifications systematically.
Reduce privileged user access: Do managers, executives, and IT staff have “super” user access to all systems? While convenient, that approach increases risk: a single compromised privileged account exposes every system it can reach. To optimize access governance, we recommend reducing both the number of privileged users and the number of systems on which each of them holds privileged access.
Review third-party access governance: Many banks rely upon third-party cloud applications and services to do their work. From an access standpoint, review these user IDs for compliance to your access governance policy. For example, have you reviewed Salesforce.com, Act, or the customer relationship management (CRM) platform your organization uses? These systems typically contain sensitive customer information. Yet, auditors sometimes forget to review them during access reviews.
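The three reviews above (movers who kept old entitlements, users holding privileged access on too many systems, and third-party systems such as the CRM that get skipped) can be run as one automated check over an HR export and an entitlement export. The script below is an added example written for this article, not code from the original page or from any product it mentions. The employee records, entitlements, role profiles and the one-privileged-role-per-user threshold are all constructed for illustration; a real run would load the HR system’s export and each application’s entitlement export instead.

```python
"""Access-review check for movers, leavers, orphans and privileged accounts.

Added example. The HR feed, entitlement feed and role profiles below are
constructed sample data, not exports from any real bank system.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Employee:
    user_id: str
    status: str        # "active" or "terminated"
    department: str    # current department
    dept_since: date   # date the current department assignment began


@dataclass(frozen=True)
class Entitlement:
    user_id: str
    system: str        # in-house systems and third-party apps (e.g. the CRM) alike
    role: str
    granted: date
    privileged: bool


# Hypothetical role profiles: the (system, role) pairs each department legitimately
# needs. A real programme would take these from an approved role catalog.
ROLE_PROFILES = {
    "retail_banking": {("core_banking", "teller"), ("crm", "account_view")},
    "finance": {("gl", "journal_post"), ("crm", "account_view")},
    "it_ops": {("core_banking", "admin"), ("gl", "admin"), ("crm", "admin")},
}

# Constructed HR export. Bob moved from retail banking to finance on 2018-03-01.
EMPLOYEES = [
    Employee("u001", "active", "retail_banking", date(2017, 1, 10)),
    Employee("u002", "active", "finance", date(2018, 3, 1)),
    Employee("u003", "terminated", "it_ops", date(2015, 6, 1)),
    Employee("u004", "active", "it_ops", date(2016, 9, 15)),
]

# Constructed entitlement export from three systems, including the third-party CRM.
ENTITLEMENTS = [
    Entitlement("u001", "core_banking", "teller", date(2017, 1, 12), False),
    Entitlement("u001", "crm", "account_view", date(2017, 1, 12), False),
    Entitlement("u002", "core_banking", "teller", date(2016, 5, 1), False),  # old job
    Entitlement("u002", "gl", "journal_post", date(2018, 3, 2), False),
    Entitlement("u002", "crm", "account_view", date(2016, 5, 1), False),    # still needed
    Entitlement("u003", "core_banking", "admin", date(2015, 6, 3), True),    # leaver
    Entitlement("u004", "core_banking", "admin", date(2016, 9, 16), True),
    Entitlement("u004", "gl", "admin", date(2016, 9, 16), True),
    Entitlement("u004", "crm", "admin", date(2017, 2, 1), True),
    Entitlement("u099", "crm", "admin", date(2017, 8, 8), True),             # no HR record
]


def review_access(employees, entitlements, max_privileged_per_user=1):
    """Return findings as (category, user_id, detail) tuples for the certifier."""
    findings = []
    by_user = {e.user_id: e for e in employees}
    privileged_count = defaultdict(int)
    for ent in entitlements:
        emp = by_user.get(ent.user_id)
        grant = f"{ent.system}:{ent.role}"
        if emp is None:
            findings.append(("orphan", ent.user_id, f"{grant} has no matching HR record"))
            continue
        if emp.status != "active":
            findings.append(("leaver", ent.user_id, f"{grant} still active after termination"))
            continue
        allowed = ROLE_PROFILES.get(emp.department, set())
        if (ent.system, ent.role) not in allowed:
            # A grant that predates the current department assignment was carried
            # over from a previous job and should have been removed at transfer time.
            category = "mover" if ent.granted < emp.dept_since else "out_of_profile"
            findings.append((category, ent.user_id,
                             f"{grant} granted {ent.granted} is not in the "
                             f"{emp.department} profile (in role since {emp.dept_since})"))
        if ent.privileged:
            privileged_count[ent.user_id] += 1
    for user_id, n in sorted(privileged_count.items()):
        if n > max_privileged_per_user:
            findings.append(("privileged", user_id,
                             f"{n} privileged roles across systems (limit {max_privileged_per_user})"))
    return findings


def summarize(findings):
    """Count findings per category, e.g. for the management report."""
    counts = defaultdict(int)
    for category, _, _ in findings:
        counts[category] += 1
    return dict(counts)


if __name__ == "__main__":
    results = review_access(EMPLOYEES, ENTITLEMENTS)
    for category, user_id, detail in results:
        print(f"{category:<14} {user_id:<6} {detail}")
    print(summarize(results))
```

The mover rule is the one managers most often miss: it does not flag every entitlement granted before the transfer (Bob’s CRM read access is in both role profiles and is kept), only those that no longer belong to the current role. Treat the CRM and other third-party applications as ordinary systems in the entitlement feed so that they are certified alongside the core banking platform rather than left out.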
What’s Next After Access Governance?
Improving access governance controls is an important aspect of reducing cybersecurity risk. However, it’s only one dimension to a successful security program. We also recommend that financial institutions deliver password management training to employees. As you refine your programs, regularly review announcements and enforcement actions taken by bank regulators. That regular review activity will ensure you keep pace with regulatory expectations.