The changing role of the examiner and cybersecurity risk in the financial services industry

According to the Identity Theft Resource Center (ITRC), there have been 139 data breaches recorded from January 1 through March 8, 2016, with nearly 1.8 million records exposed. The largest data breach to date was reported by health insurer, Centene Corp., which involved the breach of medical data for over 950,000 customers.

The increasing pace, magnitude, and sophistication of data breaches recently has spurred two influential organizations to announce greater scrutiny of cybersecurity risk. The National Association of Insurance Commissioners (NAIC) adopted 12 cybersecurity regulatory principles[1].  The New York State Department of Financial Services (NY DFS) identified core cybersecurity practices that banks and other financial services companies should adopt in a letter to Financial and Banking Information Infrastructure Committee (FBIIC) Members, dated November 9, 2015. These addressed requirements for cybersecurity policies and procedures, third-party service provider management, multi-factor authentication, etc. 

While examiners of insurance companies, banks, savings and loans, and credit unions have begun to develop robust examination approaches, tools and techniques, there is still a great deal of confusion amongst field examiners regarding which areas they should focus their efforts. Examiners should have a clear understanding of where they should spend their time to make best use of their very limited resources for maximum effectiveness and efficiency.

While each financial services organization is unique with special needs and risk factors, we believe that there are some key areas upon which all examinations should focus: 

Ensure that cybersecurity is considered in the organization’s top-down governance programs

Cybersecurity is not purely a technical issue; it is also a business issue. Any business decision (e.g., offering a new service or product to the public, utilizing a third-party service/cloud provider, acquiring a new business) may significantly increase an organization’s cybersecurity risk. As a result, cyber-risk needs to be considered in light of corporate strategy, customer service, public relations, and other areas.

In fact, both the NY DFS and the NAIC have said that they expect cybersecurity risks and mitigating steps to be included in Enterprise Risk Management (ERM) programs since it represents an organization-wide, strategic risk.

Evaluate the effectiveness of an organization’s cybersecurity management program

The best-prepared organizations are shifting their cybersecurity strategies from focusing on outright prevention, to implementing techniques to quickly detect breaches and limit the damage once a breach has been confirmed.

There are five main components to consider when evaluating the effectiveness of an insurance company’s cybersecurity management program. In each component, organizations need to think about the level of maturity of their processes and controls.

1) Data classification

It is easy for many security departments to turn into the department of “no”. This can happen when an organization has not developed a clear understanding of the types and locations of information assets it maintains and, instead, tries to protect all data without regards to their specific risk of disclosure, modification or loss. By developing a robust data classification process, an organization can determine how much effort and cost is required to properly secure the most critical information assets. Once an organization has completed such an initiative, managerial decisions can be made to balance security expenditures with the real business value of the data that the organization is trying to protect.

What is involved in data classification?

• Identifying the data that needs to be protected. When properly classified, most organizations find that information varies widely in terms of its risk of disclosure, modification or loss. Some information may be shared with the public, some information should be considered “company internal use” and some information is highly confidential that should be kept highly secure. The amount of financial resources the organization expends to protect information assets, should depend directly on their relative risk to your organization.
• Assigning a value to that data. Data has value, either in the amount of competitive advantage the data provides or the hard costs associated with unauthorized disclosure of that data. A successful data classification effort will determine the intrinsic value or risk of the data set. Once an organization determines the true value and risk of the data, it can determine how much to spend to protect it. Additionally, the sensitivity of that data may change over time requiring modification of the initial classification. 
• Cataloging where critical data exists. There are many places where data may exist (e.g., production databases, backup copies, data warehouses, departmental data stores, test, and development systems). The location becomes crucial in determining how to protect it.
• Identifying who has and who should have access to the data. This is critical and may evolve over time. It is entirely possible that a company does not have a full picture of who has access to certain types of data. By identifying who has access to certain data, a company can determine who has a legitimate business need to that data and can further restrict access to the data.

2) Cybersecurity control standards and implementation

Most of us are greatly familiar with general computer controls, which include the IT controls tested during a financial examination or a financial statement audit, but real cybersecurity controls go beyond simple change management and user access reviews.

Hackers aren’t filling out user access request forms or submitting change requests, so how does the organization make sure their control environment is prepared to deal with unknown and unseen threats? There are numerous cybersecurity control frameworks organizations can implement. Below are some of the most common frameworks:

National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity

Mandated by President Obama’s Executive Order which was signed on February 12, 2013, this framework unifies many leading control standards, including NIST SP 800-53 and International Standardization Organization (ISO) 27000 Series, into a comprehensive framework for how organizations can improve the security of critical infrastructure. At the core of the framework are control categories within the cybersecurity lifecycle: identify, protect, detect, respond, and recover. Control activity details can be found in the informative references associated with each control category.

Security and Privacy Controls for Federal Information Systems and Organizations (NIST 800-53)

One of the most comprehensive, this standard for security controls is used by organizations doing business with the United States government.  Categorized in terms of system impact, its control catalog specifies control baselines for high, moderate, and low impact systems.

ISO 27001

This international standard defines “requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS).” The ISO standard sets out the process that an organization should follow when managing information security. Annex A of the standard provides detailed control objectives and controls for information security. The ISO 27001 certification only verifies the information security management system; it does not provide assurance on the implementation of controls specified within Annex A.

SANS Critical Security Controls

The SANS Institute prioritizes security functions with an emphasis on “what works” and defines the top twenty control areas for enhancing cybersecurity. Of the standards outlined here, this is aimed at a more technical audience. Each of the twenty control areas includes more than100 implementation activities organized into “quick win,” “visibility/attribution,” “configuration/hygiene,” and “advanced” categories. For organizations just starting to formalize a cybersecurity management program, the “quick win” controls throughout the standard are a great place to begin.

3) Regular verification of security control performance

Most leading cybersecurity control frameworks include verification controls, which are a vital part of the process of managing cybersecurity. Periodically, organizations should evaluate their cybersecurity controls to obtain assurance over control design and operating effectiveness. We often see organizations with internal audit departments that focus extensively on internal controls over financial reporting. Evaluating cybersecurity controls (through a combination of control testing and penetration testing) is also a great way for internal audit departments to continue to add value by enhancing the overall security posture of the organization.

4) Breach preparedness planning and testing

Based on the premise that cybersecurity professionals now expect their organizations to be hacked, it logically follows that the organizations should have breach response procedures in place. Breach preparedness begins with defining the activities an organization should follow when invoking the plan. Specifically related to cybersecurity incidents and active breach scenarios, a response plan includes critical activities like:

• Identifying who to notify internally. Depending on the dataset compromised, it is important to understand who to notify when there is a breach. Certain business processes and contingency plans need to be put in place; process owners need to be directly involved in developing them.
• Establishing a response team. Certainly, the IT department will be closely involved with the response. In addition, the general counsel, chief risk officer, chief financial officer and/or the chief audit executive will also have a key role for risk management and fiduciary responsibilities. Other stakeholders (e.g., regulatory affairs, vendor management, and human resources) may need to be involved.
• Implementing monitoring protocols to track intruder activity. Unplugging the compromised system from the network may not be an appropriate strategy following a breach. The organization may need to observe intruder behavior first hand to understand the extent of the breach. Additionally, law enforcement officials may need to monitor activity in their attempts to track the intruder. Unplugging the system alerts the intruder that his/her activity has been detected and will give the intruder time to cover their tracks.
• Establishing egress prevention. Once an attacker is in your network, he may remain there for a while looking for higher value targets. Preventing critical data from leaving the organization’s network without letting the attacker know he is being watched is important.
• Notifying proper legal authorities. Make sure the organization knows who to call when a breach occurs. Knowing who to contact when a breach is suspected can help shorten your overall response time.
• Determining the extent of the compromise. Understanding what data has been compromised is critical to managing the breach response process. The type and extent of compromised data may directly affect an organization’s notification, response, disclosure, and any potential penalties. If an organization has already classified and inventoried its information assets ahead of time, this process may be made much less time-consuming. 
• Coordinating with legal counsel and insurance carriers. Depending on the type and extent of breach, legal assistance may be needed to file the necessary notices and help manage any legal consequences of the breach. To the extent that the organization is covered by a cyber-liability policy, notifying the carrier is a necessary step to prepare for the claim.
• Analyzing root-cause and implementing security remediation. During the response, it is critical to identify how the breach occurred and then implement a remediation plan to address the vulnerabilities ensuring a similar breach cannot happen again.
• Practice, practice, practice. As with disaster recovery and business continuity planning, proficiency with the plan comes with practice, so organizations should periodically conduct tabletop tests of the breach response plan to make sure stakeholders know what to do in the event of an actual breach.

5) Risk acceptance and risk transfer

As recent high-profile breaches demonstrate, even with robust security processes in place, organizations can suffer a breach. When security measures fail, financial impacts (e.g., credit monitoring for affected customers, increased transaction processing costs, or fines assessed by regulatory agencies) may occur. Organizations must understand their financial exposure relative to a compromised dataset.

At that point, the organization can evaluate the overall effectiveness of its cybersecurity process and decide whether to accept that risk or transfer that risk through a cyber-liability policy. Insurance carriers are quickly evolving cyber policies and coverage. Underwriters are taking closer looks at how companies assess and manage their cybersecurity risks. By implementing effective cybersecurity management programs, organizations may be able to receive reduced premiums or more favorable policy limits.

Good business sense

Cybersecurity management is a complex topic that requires substantial organizational attention in order to be effective. It involves all areas of the organization – finance, human resources, operations, public relations, sales, etc. By working collaboratively across an organization, it is possible to more effectively manage cybersecurity risks in order to reduce the likelihood of an exposure, limit the extent and impact of an exposure, and be prepared to recover from the damages of a breach.

As cybersecurity risk becomes an even greater threat to the operations of financial services organizations over time, it will be up to examiners to assess the strength of cybersecurity processes and controls. By focusing their efforts on these key risk areas, examiners can make more efficient and effective use of their resources.

For more information on this topic, or to learn how Baker Tilly risk specialists can help, contact our team.

[1] “Principles for Effective Cybersecurity: Insurance Regulatory Guidance”, adopted April 2015 by the Cybersecurity Task Force of the NAIC.