If you are a board member of a bank or credit union, how do you know that the cybersecurity program of the organization is being managed effectively? I often try to put myself into the shoes of a board member, asking myself what elements would be most important to me in the current environment. The list has changed over time as the landscape has changed. As I was reviewing the board report of another CISO recently, it occurred to me it was time to revisit my list. So here is my current list of the top 5 items for board members to consider when assessing cybersecurity in their institution:
- Is the program based on risk? If your cybersecurity program is simply a comparison of your internal controls to the NIST CSF standard, it is likely not risk-based, and your resources are likely not focused on what is important. Resources are being expended to implement controls that mitigate small amounts of risk while high-risk threats are missed entirely. A good security program should identify threats and the inherent risk of those threats, then base mitigation efforts on the risk level. If the reports you are receiving as a board member do not define the threats that controls are meant to mitigate, you should be asking for this information and making sure control implementation is prioritized appropriately.
- Is third-party risk management under control? Most institutions outsource most of their critical systems and processes to other companies, believing that this transfers the risk to the outside party. It doesn’t. The risk still belongs to the institution. What outsourcing does is transfer the implementation of some controls (but not the risk) to the outside party. There are other controls (employee training, password lengths, MFA requirements, etc.) that still need to be managed within the institution.
It is the responsibility of the institution (and the board) to own all the risk, to assess whether the third party is effectively implementing controls that they are responsible for, and to identify the internal controls that the institution still needs to maintain. Instead of performing one risk assessment for outsourced systems, your institution should be performing two: one of the threats and controls in place at the vendor and one for the threats and controls inherent in the way the bank is using the service. - Is there adequate monitoring and incident response? Regardless of how many layers of preventative controls are put into place, an employee is still going to eventually click in the wrong place and expose the organization to an attacker. At that point, the keys to stopping an attack are strong monitoring, alerting, and response…and not just during business hours, as most serious attacks occur on weekends. Your institution should regularly be testing detection and response through auditing and penetration testing, with the frequency of this testing determined by past test performance. If there have been lapses in past testing, up the testing frequency until you feel comfortable that current controls are detecting attackers. Also, if you do not want to hire staff to monitor 24 hours per day every day of the year, urge your institution to outsource this monitoring to a competent security operations center.
- Can we recover? The final defense in the event of a cybersecurity event will be recovery. Because your data is in so many places today, it can be a daunting task to ensure that backup copies of all critical data can be accessed and restored in the event of an attack. Backups of internal systems need to be stored where attackers cannot delete them, and you need to ensure that third parties have similar controls over their backups. Recovery of critical data should be tested periodically so that you have an idea of how long it will take to recover from a serious attack, and BCP plans should take these recovery times into consideration when prioritizing restores.
- Are we really insured? In the event of a ransomware or other serious attack, cyber insurance coverage may be the difference between the institution being able to survive or not. Most cybersecurity policies today include stringent control requirements as a condition of insurance. If your institution says these required controls are in place but it turns out they are not, you may find yourself eating huge losses after an attack. Make sure that critical controls required by insurance carriers are confirmed by auditors, and that any gaps in these controls are remediated as quickly as possible.
Bedel Security helps boards of financial institutions across the country sleep soundly at night, knowing that their institutions are doing all that they can to protect customer data and transactions. If you are a board member and do not have this confidence, Bedel Security can help! Reach out any time to support@bedelsecurity.com.