In 2015, the value of the U.S. financial services cybersecurity market reached $9.5 billion, making it the largest non-government cybersecurity market and the fastest growing one as well, according to the Washington-based Homeland Security Research Corp.
Further, the New York City-based Deloitte revealed in its “2015 Banking Outlook” report that the U.S. financial services sector faced the greatest economic risk related to cybersecurity, and that financial institutions must dedicate more resources to improve the security, vigilance and resilience of their cybersecurity models.
Meeting regulatory expectations is a large part of financial institutions' cybersecurity strategies. And it requires managers to broaden their focus from improving processes to integrating risk management, compliance and ethics into their organizations’ cultures.
Often, however, financial institutions seem caught between directing more resources toward compliance and directing them toward cybersecurity protection.
“Financial institutions can easily fall into the trap that ‘compliance is security’ and nothing is further from the truth,” Stu Sjouwerman, founder/CEO of the Clearwater, Fla.-based KnowBe4, said.
Keeping up with compliance is even more difficult when the guidance changes or conflicts with other regulations.
For example, the Federal Financial Institutions Examination Council recently reopened the comment period for its six-month-old Cybersecurity Assessment Tool. The tool’s original intention was to allow financial institutions of all sizes to perform self-assessments and update risk management strategies using it along with other methodologies.
“There is no indication when the Assessment Tool 2.0 will come out. It could take more than a year,” Ross Shameski, chief privacy officer and general counsel for the Vancouver-based NuData Security, said.
Shameski added the anticipated changes to the FFIEC assessment tool are a step in the right direction, and some have begun speculating what the changes might be.
“The community is pushing the FFIEC to move away from the yes/no checkbox compliance [method] because we all know that doesn’t result in security,” Robert Capps, vice president of business development for NuData Security, said. “You can comply with the regulatory requirements and still not be secure. What is positive in the FFIEC tool and guidelines that came out last year is the inclusion of the financial institution boards in the decision making and approval process for information security and technology risks.”
NAFCU Regulatory Affairs Counsel Kavitha Subramanian submitted a letter to the FFIEC requesting that use of the assessment tool remain voluntary.
“This voluntary Self-Assessment Tool will be helpful for credit unions of all asset sizes to measure and assess their individual cybersecurity maturity and determine what changes should be implemented based on their internal risk appetite,” Subramanian wrote. “We caution the Agencies against any future action to explicitly require financial institutions complete this Assessment as a supervisory or regulatory expectation.”
Learn more about how credit unions are handling cybersecurity regulation in the Feb. 10, 2016 print issue of Credit Union Times.