Industry Voice: Risk Managers Can’t Afford to Ignore Cybersecurity Vulnerabilities
By Rick Hill | May 24, 2016
Cybersecurity breaches continue to make headlines. Just recently, hackers successfully attacked the systems at several hospitals. And at least one hospital purportedly paid a ransom to regain control.
These types of attacks can threaten the very existence of a company. But at many organizations, executives and boards don’t feel they understand cybersecurity well enough to provide proper oversight.
Needing to protect company assets, how can management overcome its inadequate understanding on security-related issues? The key is understanding that cybersecurity is a risk – just like credit risk, operational risk, and other organizational risks. Successful oversight requires a risk-based approach that is not limited to your IT or security departments.
Cybersecurity is first and foremost a business risk, and you need to manage it with that in mind. It is a risk that your assets – stored online – might be stolen or compromised. In the mortgage industry, risk management functions have historically focused on managing credit risk. But after Sarbanes/Oxley and Dodd/Frank, the role of the risk manager has evolved in many organizations to cover operational risk.
Today, with the growing risk cybersecurity breaches pose, many companies are expanding the risk management role to cover cybersecurity and privacy risks.
As well they should.
Risk managers are uniquely qualified to examine, understand, and quantify risk. Yes, they will need to learn more about cybersecurity. But risk managers will learn that by doing what they do best – asking questions until they understand the risk and the tradeoffs in determining the best way to cost effectively manage those risks.
Deploying a risk-based approach under the leadership of risk management professionals will help to balance cybersecurity risks against other corporate opportunities.
Resources and Tools
Risk management professionals initially may be hesitant to assume any responsibility for understanding and documenting cybersecurity-related risks. After all, they don’t work in the security profession, and they certainly don’t speak the lingo.
So how can professionals whose careers have focused on managing other risks effectively help manage cybersecurity risks?
The most important thing to understand is that there are many resources available to help with this task. Some resources may cost a little money. These include shared assessment questionnaires to manage third-party vendors, and the security threat monitoring that the Financial Services Information Sharing and Analysis Center offers.
But some resources are free. Here are three of them:
NIST Cybersecurity Framework –The National Institute of Standards and Technology’s (NIST) Cybersecurity Framework is a tool that uses “business drivers to guide cybersecurity activities” and helps companies evaluate “cybersecurity risks as part of the organization’s risk management processes.” The framework is fairly large and comprehensive. Individuals who are familiar with the implementation of Sarbanes/Oxley controls should find the NIST framework easy to understand. But for those new to frameworks or a structured approach to cybersecurity, it may be somewhat daunting.
Don’t let that stop you. Start small, pick an area of perceived risk, and learn as you go. Managing cybersecurity risks is an iterative process – just like managing other risks. It will continue to evolve as you learn more about the risk. The key is to start. If the NIST framework is too much for your organization to start with, the FFIEC may offer a simpler starting point.
FFIEC Cybersecurity Assessment Tool – The Federal Financial Institutions Examination Council (FFIEC) consists of six financial institution regulatory agencies – including the Federal Reserve and the Consumer Financial Protection Bureau. The FFIEC realized that many smaller and medium-size financial institutions might not have the resources necessary to effectively evaluate their cybersecurity risks. To assist these entities, it created the FFIEC Cybersecurity Assessment Tool to help them assess their cybersecurity risks and preparedness. The tool has two components – an Inherent Risk Profile and a Cybersecurity Maturity Assessment.
The Inherent Risk Profile helps companies understand and document their technology activities – which enables them to identify the types of cybersecurity risks they need to manage.
The tool’s second component – the maturity assessment – helps companies address the maturity of their cybersecurity practices.
The combination of these components helps companies prioritize the areas that most require attention. One final note on the FFIEC tool: Although using it is voluntary for financial institutions, several FFIEC organizations have stated that their examiners will utilize the tool themselves as part of their oversight function.
MBA Whitepaper on Components of an Information Security Program – To help business leaders understand cybersecurity risks, the Mortgage Bankers Association created The Basic Components of an Information Security Program. This whitepaper describes – in plain English – the minimal items that a company should include in its cybersecurity program.
The document highlights the most important actions that an organization can take to protect itself. The language in the document aligns with language in the NIST framework. This should enable organizations to migrate towards using the NIST framework as they mature in their cybersecurity practices.
Don’t Wait to Get Started
Bad guys don’t follow any rules. They simply want to steal what they can, however and whenever they can. They operate very differently from the bank robbers of the 1930s. They can steal from the other side of an international border, where our policing ability to prevent the act or catch the criminal – or nation state – may be limited.
And they can quickly morph their methods to exploit new vulnerabilities.
When it comes to protecting the online assets of your company, you need an ongoing process that evaluates the changing risks to your organization. You need to involve IT, information security, business executives, and risk managers in the development and maintenance of your cybersecurity program. This will ensure that your organization takes a thoughtful, risk-based approach to managing the security of your online assets.
Rick Hill is vice president of industry technology for the Mortgage Bankers Association and executive vice president of MISMO, an organization that develops standards for the residential and commercial real estate finance industries.
"Industry Voice" showcases views from industry participants on current topics or events. Views expressed in "Industry Voice" do not reflect the views of Fannie Mae, and Fannie Mae does not endorse or support the positions or opinions expressed herein. To submit your idea for an "Industry Voice," contact us at Editor_HIF@Fanniemae.com.