What emerging trends and approaches are you currently seeing in the risk and compliance space?
There is a difference of emphasis, urgency and maturity in banking and finance—banking is ahead of all other industries in terms of technology, and the American banking industry is a little ahead of the big globals, but not by much. Globals are very regulatory driven and have no choice, they must have very mature programmes. But the biggest news of all is privacy—I think that will be the focus for 2018. I’m always looking at regulations in the industry, as a business, Opus benefits from regulation, people turn to us when they have regulatory issues. But you could say there was less regulatory focus outside of banking until the General Data Protection Regulation (GDPR) and now, the issue of privacy is everywhere.
How are financial institutions dealing with these risks? And what challenges do they face?
It differs between industries and where they are in the world with regard to local regulators. When you’re talking about the more mature organisations, they have created frameworks for information security management and they’re applying them with ever greater rigor around the world.
With ISO 27001 and the National Institute of Standards and Technology (NIST), we are increasingly seeing it everywhere, not just in the US. The growth of NIST outside the US was a big surprise to us. Organisations are still struggling with risk management in all the different functions, but they’re moving on that.
On the privacy front, the response is a little bit more of a scramble. There are organisations that are claiming they are GDPR-compliant, but I’m not sure I fully believe them.
The more mature organisations have completed a gap assessment, which is an important part of complying with these powerful regulations robustly. However, I don’t think some have gone very far beyond doing internal gap assessments.
Our perspective is third party, and there’s a lot of third-party issues because GDPR focuses on who is processing your data and their privacy regimes. In a world where everything is being outsourced, there are potentially many more issues. When you know what your third parties are doing, you should have a picture of which ones have your data. But is that party specific to the level of what data they have or where they stand on their GDPR compliance? So that layer is just starting to come in to focus. Most organisations are beginning to deal with that.
In terms of cybersecurity, financial institutions can secure their own systems and network, but how can they ensure third party and external companies are doing the same?
With cybersecurity and privacy, there is a significant overlap between the templates. Typically, organisations will take a standard like ISO 27001 or NIST and add elements that are relevant to their business. For example, if you are a bank you have to worry about your partners that call your customers and the relevant consumer protection regulations.
And the issue here is what to do with your third party—the same thing, you have to assess how they are dealing with information security and privacy. The two risk domains are closely related.
The differences come when you recognise that third parties are another company and you can’t control them.
The first challenge is simply knowing who your third parties are and what they do for you. The standard refrain is that marketing is the worst offender, hiring what is known as shadow IT, they’re hiring their own data processors and they’re giving them sensitive and non-public information.
How can financial institutions work with the third-party companies to find out where the vulnerabilities lie?
They need to have an inventory of all their third parties and find out what they do for them. That’s the first major step, whether that’s GDPR compliance or information security, it’s the same in both respects.
The most evolved programmes are already doing periodic assessments, essentially security controls audits. They take their cookbook of recipes against cyber issues, assessing those third parties against almost exactly the same metric as you would assess internally. That’s a laborious process and a snapshot in time, you have to repeat this method periodically. The most mature organisations are sending people on-site to review their vendors cyber security posture.
But nevertheless, in between these periodic assessments you have to monitor. If everyone had a buttoned-up security environment, it doesn’t mean it will stay the same come tomorrow.
Organisations are not static, they are opening new reports on routers, and at the same time closing others. They’re patching some, but perhaps not all of their servers. Are they catching the vulnerabilities that could expose them to all sorts of problems?
There are IT threat data feeds that can help tremendously, because they will provide you with a view of the third parties’ public Internet-facing “surface”. They can’t look inside the company, but can look outside and tell you what ports they’ve left open inadvertently, if they have issues with their software patching or if their are vulnerabilities in their domain name system records or anything else associated with connectivity.
Vigorous assessments that are happening periodically, combined with technology-driven monitoring, are currently the state of the art.
How do financial institutions manage the time, cost and resources needed to address increasing levels of regulation? What challenges are they facing around increased regulation?
Third parties are becoming an increasingly scary challenge for them because they are starting to realise that focusing assessments on the most critical relationships (usually defined by spend) may miss significant sources of risk. Oracle, IBM, Microsoft and most other large providers are pretty competent when it comes to information security.
The biggest risk may come from the small- and medium-sized organisations, such as financial technology companies that are providing new technologies and new services, and who are not as evolved from an information security and privacy perspective.
The other challenge that I’m seeing is the issue of human resources—nobody has enough staff to assess all their third parties, let alone the riskier ones that may not be the biggest relationships. They may realise they need many more assessments than they are currently executing—it could go from 200 a year to something like 500. The small and medium-sized enterprises, who will do these assessments, have a fairly rare blend of technical knowledge and communication skills. After all, they have to negotiate with third parties, who they can’t control, to help them meet the requisite information security and privacy standards. They have to be good with technology and people.
This resource problem may be one of the biggest challenges in the industry for a while.
