Cyber Security – Avoid Prescriptions When Keeping Up With Threats

By Ben Knieff, NICE Actimize

Banks are part of an interconnected ecosystem with law enforcement, vendors and other critical industries when it comes to cyber security. New cyber security regulations should help to facilitate cyber security efforts among these players instead of burdening banks with a checklist of to-do's.

The start of 2013 has included substantial focus on cyber security issues, from President Obama's Executive Order calling for critical infrastructure standards from NIST to the continuation of DDoS attacks against a range of financial institutions. These issues have put a spotlight on the challenges financial institutions face in protecting their systems, data, and customers from criminals with financial, political, and activist motives. Now the Financial Services Sector Coordinating Council for Critical Infrastructure Protection and Homeland Security (FSSCC) has responded to NIST's request for industry comments on how to establish cyber security framework requirements, providing extremely well-reasoned and practical comments and highlighting a key fact: the financial services industry has already established itself as a leader in protecting its infrastructure, data, and customers. The industry is rightly concerned that new standards and regulations add to the burden of requirements from a wide variety of sources such as the FFIEC, GLBA, SOX, and a multitude of others. It also very rightly points out that the notion of "cyber security" covers a range of practice areas, from data protection to intrusion detection to financial malware, each of which has very different risk mitigation approaches, skill sets, and technical solutions.

No prescriptive checklist can effectively address all of the multitude of risks within any industry, much less across industries. As the FSSCC points out, only a risk-based approach focused on outcomes and harmonized with the various existing regulations will help institutions approach the challenge effectively. We have observed the criminal community adapt extremely quickly to defenses put in place by institutions; a checklist approach is akin to giving them the game plan, so they know exactly what not to do and which weaknesses to exploit. Yet a risk-based approach shifts the burden to institutions to ensure they have strong risk assessment techniques and adequate threat intelligence. This can be challenging for smaller institutions relying on service providers for many technology needs. Vendors have a responsibility to be responsive to these needs, assess their own risks, and act accordingly to protect the institutions that depend on them not only for solutions, but also for risk and threat management expertise.

This interconnectedness between financial institutions, vendors, law enforcement, and other providers of critical infrastructure means the risks and the severity of threats are asymmetric, and this is where regulatory requirements can bring the most value. When Party A's enhancement of its security has a greater benefit to Party B than to Party A itself, regulation can provide a path to improve the system as a whole. An excellent example is technology to enable signing emails. While not a panacea, it is an existing technology that can help reduce threats from phishing and malware distribution. Yet ISPs have little economic incentive to broadly deploy the technology and, as such, financial institutions and businesses of all kinds continue to face these threats.