By Steve Horvath, Vice President, Strategy & Cloud, Telos Corporation
When we think of our finances, we think of them as a responsibility – a commitment to ensure payments are submitted on time, and our credit score is where it should be. We often don’t think of how cybersecurity and compliance fit into the picture, at least beyond credit card breaches or financial fraud.
The reality is that as cybersecurity threats grow more sophisticated, and the financial services industry seemingly more complicated, financial organizations need to put a renewed focus on compliance activities. According to recent research, organizations are spending over $3.5M each year on compliance activities. This figure rises to over $4M in the financial services sector, likely because of sector-specific regulations and procedures covering anti-money laundering (AML), sanctions screening, and more. Additionally, the financial services sector is one of the most likely sectors (58 percent) to report that it needs to hire more staff to cover an increasing workload. The bottom line is this: in the financial services industry, compliance is often a full-time job.
Compliance activities are often organized around the NIST Cybersecurity Framework, a voluntary set of standards, guidelines, and best practices for managing cybersecurity risk. While the framework provides a strong foundation for addressing compliance challenges, offering a variety of resources that can be used to align on compliance priorities, companies in the financial sector still need to improve how they approach compliance activities. Here are the top four considerations to bear in mind as part of a holistic compliance strategy for financial services organizations.
Third-party vendor risk management programs
Third-party risk is a common concern among organizations across industries, because they entrust outside contractors and service providers to perform business activities on their behalf. According to a recent global survey conducted by Ernst & Young, 58 percent of financial services firms have implemented centralized approaches to third-party risk management, and 41 percent may adopt a managed services approach to third-party risk management within the next few years. As in any industry, managing each vendor's risk is key to compliance in the financial services sector.
Unfortunately, a traditional point-in-time vendor evaluation often fails to capture risks that evolve after the assessment. Gartner reports that more than 80 percent of legal and compliance leaders say third-party risks were identified only after initial onboarding and due diligence. In the same study, one chief compliance officer at a financial services organization observed that there is no question third parties are redefining how the business competes in the digital world.
It is clear that having a risk management program in place for third-party vendors is of utmost importance for any organization that wants to avoid undue risk and potential compliance fines. Finserv and other organizations can look to examples like Shared Assessments’ Third Party Risk Management (TPRM) Framework, which outlines fundamentals and processes to consider when building such a program, including outsourcing analysis, contract management, ongoing monitoring, and more.
Before establishing a third-party vendor risk management program, financial services organizations should either choose vendors whose security controls align with a recognized framework such as the NIST Cybersecurity Framework, or put their own compliance policies in place, so that they have reasonable assurance their partners manage risk responsibly and do not expose them to undue risk.
If you need a place to start, SecurityScorecard advises setting an assessment scope. The process includes determining which risk criteria pose the greatest threat to your organization. One example given is a company that handles payment card data. Such a company faces substantial compliance risk (particularly under PCI DSS) and should therefore include compliance with that standard in its assessment scope.
Proof of compliance
When you buy a home, a car, or any other large asset, a deed or title serves as evidence that you are the owner. The situation is not so different for financial services organizations, which have to provide proof of compliance rather than simply assert it.
The Financial Services Sector Coordinating Council (FSSCC) explains that Profiles within the NIST Cybersecurity Framework can be used as an assessment tool for financial institutions to evidence compliance with regulatory frameworks, a “common college application for regulatory compliance,” as they call it. Proof of compliance is especially important in the financial services industry because newer control areas must now be considered, such as facial recognition checks, two-factor authentication, social media use, and other factors. This added complexity is all the more reason financial organizations need to be able to demonstrate that they are compliant.
Employee training
Training is the key to upskilling employees, and it is arguably even more important for financial organizations educating staff on a topic as complex and ever-changing as compliance. These organizations must meet the minimum security-related requirements their compliance obligations impose, and building a cyber-aware workforce gives employees a more holistic view of how cybersecurity and compliance operations fit together.
The Financial Services Information Sharing and Analysis Center (FS-ISAC) posits that a top priority for organizations is employee training due to the low cost and high return. The more security-aware financial services employees are, the better they can understand how to approach certain situations and maintain compliance.
Preparing for more regulation
While credit cards may have a limit, there is no limit to the number of compliance regulations that will emerge across industries in the coming years. The General Data Protection Regulation (GDPR), in effect since May 25, 2018, set a new standard for data protection in the EU, and it was followed less than two years later by the California Consumer Privacy Act (CCPA), which took effect January 1, 2020. Both signal a trend toward more regulation to come. Given this reality, financial services organizations need to ensure their compliance activities are in order before they are hit with unwanted fines.
About the Author
Steve Horvath is the Vice President of Strategy & Cloud at Telos Corporation, where he focuses on long-term strategic partnerships and solutions spanning the company’s breadth of offerings. With over 20 years of practical experience in the information security domain, Steve is considered an expert in risk and compliance for information technology. He is a graduate of the University of Maryland, College Park, and holds both the Certified Information Systems Security Professional (CISSP) and Project Management Professional (PMP) certifications. Steve can be reached online at https://www.linkedin.com/in/bigdogsteve/ and at https://www.telos.com/