According to the Identity Theft Resource Center (ITRC), there were 139 data breaches recorded from January 1 through March 8, 2016, with nearly 1.8 million records exposed. The largest data breach reported to date, by health insurer Centene Corp., involved the medical data of over 950,000 customers.
The increasing pace, magnitude, and sophistication of data breaches recently has spurred two influential organizations to announce greater scrutiny of cybersecurity risk. The National Association of Insurance Commissioners (NAIC) adopted 12 cybersecurity regulatory principles[1]. The New York State Department of Financial Services (NY DFS) identified core cybersecurity practices that banks and other financial services companies should adopt in a letter to Financial and Banking Information Infrastructure Committee (FBIIC) Members, dated November 9, 2015. These addressed requirements for cybersecurity policies and procedures, third-party service provider management, multi-factor authentication, etc.
While examiners of insurance companies, banks, savings and loans, and credit unions have begun to develop robust examination approaches, tools and techniques, there is still a great deal of confusion amongst field examiners regarding the areas on which they should focus their efforts. Examiners should have a clear understanding of where to spend their time to make the best use of their very limited resources for maximum effectiveness and efficiency.
While each financial services organization is unique with special needs and risk factors, we believe that there are some key areas upon which all examinations should focus:
Cybersecurity is not purely a technical issue; it is also a business issue. Any business decision (e.g., offering a new service or product to the public, utilizing a third-party service/cloud provider, acquiring a new business) may significantly increase an organization’s cybersecurity risk. As a result, cyber-risk needs to be considered in light of corporate strategy, customer service, public relations, and other areas.
In fact, both the NY DFS and the NAIC have said that they expect cybersecurity risks and mitigating steps to be included in Enterprise Risk Management (ERM) programs, since they represent an organization-wide, strategic risk.
The best-prepared organizations are shifting their cybersecurity strategies from focusing on outright prevention to implementing techniques that quickly detect breaches and limit the damage once a breach has been confirmed.
There are five main components to consider when evaluating the effectiveness of an insurance company’s cybersecurity management program. In each component, organizations need to think about the level of maturity of their processes and controls.
It is easy for many security departments to turn into the department of “no”. This can happen when an organization has not developed a clear understanding of the types and locations of the information assets it maintains and, instead, tries to protect all data without regard to its specific risk of disclosure, modification or loss. By developing a robust data classification process, an organization can determine how much effort and cost is required to properly secure its most critical information assets. Once an organization has completed such an initiative, managerial decisions can be made to balance security expenditures against the real business value of the data the organization is trying to protect.
What is involved in data classification?
Most of us are very familiar with general computer controls, which include the IT controls tested during a financial examination or a financial statement audit, but real cybersecurity controls go beyond simple change management and user access reviews.
Hackers aren’t filling out user access request forms or submitting change requests, so how does an organization make sure its control environment is prepared to deal with unknown and unseen threats? There are numerous cybersecurity control frameworks organizations can implement. Below are some of the most common:
National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity
Mandated by President Obama’s Executive Order signed on February 12, 2013, this framework unifies many leading control standards, including NIST SP 800-53 and the International Organization for Standardization (ISO) 27000 series, into a comprehensive framework for how organizations can improve the security of critical infrastructure. At the core of the framework are control categories spanning the cybersecurity lifecycle: identify, protect, detect, respond, and recover. Control activity details can be found in the informative references associated with each control category.
Security and Privacy Controls for Federal Information Systems and Organizations (NIST 800-53)
One of the most comprehensive standards for security controls, it is used by organizations doing business with the United States government. Categorized in terms of system impact, its control catalog specifies control baselines for high-, moderate-, and low-impact systems.
ISO 27001
This international standard defines “requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS).” The ISO standard sets out the process that an organization should follow when managing information security. Annex A of the standard provides detailed control objectives and controls for information security. The ISO 27001 certification only verifies the information security management system; it does not provide assurance on the implementation of controls specified within Annex A.
SANS Critical Security Controls
The SANS Institute prioritizes security functions with an emphasis on “what works” and defines the top twenty control areas for enhancing cybersecurity. Of the standards outlined here, this one is aimed at a more technical audience. Each of the twenty control areas includes more than 100 implementation activities organized into “quick win,” “visibility/attribution,” “configuration/hygiene,” and “advanced” categories. For organizations just starting to formalize a cybersecurity management program, the “quick win” controls throughout the standard are a great place to begin.
Most leading cybersecurity control frameworks include verification controls, which are a vital part of the process of managing cybersecurity. Periodically, organizations should evaluate their cybersecurity controls to obtain assurance over control design and operating effectiveness. We often see organizations with internal audit departments that focus extensively on internal controls over financial reporting. Evaluating cybersecurity controls (through a combination of control testing and penetration testing) is also a great way for internal audit departments to continue to add value by enhancing the overall security posture of the organization.
Based on the premise that cybersecurity professionals now expect their organizations to be hacked, it logically follows that organizations should have breach response procedures in place. Breach preparedness begins with defining the activities an organization should follow when invoking the plan. Specifically for cybersecurity incidents and active breach scenarios, a response plan includes critical activities like:
As recent high-profile breaches demonstrate, even with robust security processes in place, organizations can suffer a breach. When security measures fail, financial impacts (e.g., credit monitoring for affected customers, increased transaction processing costs, or fines assessed by regulatory agencies) may occur. Organizations must understand their financial exposure relative to a compromised dataset.
At that point, the organization can evaluate the overall effectiveness of its cybersecurity process and decide whether to accept that risk or transfer that risk through a cyber-liability policy. Insurance carriers are quickly evolving cyber policies and coverage. Underwriters are taking closer looks at how companies assess and manage their cybersecurity risks. By implementing effective cybersecurity management programs, organizations may be able to receive reduced premiums or more favorable policy limits.
Cybersecurity management is a complex topic that requires substantial organizational attention in order to be effective. It involves all areas of the organization – finance, human resources, operations, public relations, sales, etc. By working collaboratively across an organization, it is possible to more effectively manage cybersecurity risks in order to reduce the likelihood of an exposure, limit the extent and impact of an exposure, and be prepared to recover from the damages of a breach.
As cybersecurity risk becomes an even greater threat to the operations of financial services organizations over time, it will be up to examiners to assess the strength of cybersecurity processes and controls. By focusing their efforts on these key risk areas, examiners can make more efficient and effective use of their resources.
For more information on this topic, or to learn how Baker Tilly risk specialists can help, contact our team.
[1] “Principles for Effective Cybersecurity: Insurance Regulatory Guidance”, adopted April 2015 by the Cybersecurity Task Force of the NAIC.