How Third-Party Assessments Protect Banks Against Risks
The Federal Deposit Insurance Corporation (FDIC), the Office of the Comptroller of Currency (OCC) and the National Credit Union Association (NCUA) all require banks and credit unions to conduct annual security testing designed to help in preventing cybersecurity episodes. The Federal Financial Institutions Examination Council (FFIEC) guidelines, as well as financial regulators’ information security assessment processes include logical and administrative controls such as access rights administration; transmission and storage encryption; malicious code defenses including anti-virus, firewalls and gateway rules; and heuristic or signature intrusion detection and response.
Institutions of all sizes could benefit from using third parties to conduct cybersecurity assessments to help them better understand their security posture and target where and how they can better prepare their infrastructure and controls to fend off threats. The 11th Global Risk Management report from Deloitte, which surveyed 94 financial institutions around the world, notes that “only 52 percent of respondents said their institutions are extremely or very effective at managing” cybersecurity risks.
On the plus side, the Cost of a Data breach 2019 study points out that organizations across industries that perform extensive testing of their response plans save over $1.2 million.
A Look Inside Cybersecurity Assessments
Mature cybersecurity assessments need to cover a lot of ground. Under the overall banner of compliance assessment are tests designed to meet data security shortfalls. Vulnerability testing for detecting and classifying security loopholes in the infrastructure is absolutely a baseline requirement. Ethical penetration testing that manually simulates a cyberattack to discover how an attacker can gain unauthorized access to systems matters a lot, too. Both are important to assessing compliance with PCI DSS.
Application assessment also is a form of ethical hacking, where security engineers try to break into off-the-shelf or in-house applications (such as through APIs) and make recommendations for security improvement, such as a centralized, simplified access policy. It’s key to marry application assessment with a configuration review to avoid the possibility of open ports on servers that could lead to breaches of sensitive information. And in today’s social media-saturated world, assessments should address phishing scam possibilities via those platforms.
Another big part of successful cybersecurity assessments comes when financial firms have strategic conversations with IT and security experts to help determine where to start making improvements to the security fabric.
Banks, credit unions and other financial businesses have no choice but to engage in security assessments on a yearly basis. Given what’s at stake, there’s no room for getting this wrong.