I heard recently about your Cyber Tune-up!™ and have contacted your office for more details. My main concern is trying to understand some of the features of a cybersecurity risk assessment. I am writing our cybersecurity policy and procedures. I want to provide a section about our risk profile. I need some help in categorizing the areas that require particular attention. I am not a techie, and a lot of this stuff baffles me! My question is, what are the criteria for a risk profile in cybersecurity?
Thank you for your interest in our Cyber Tune-up!™ We are the only compliance firm in the country that offers it; in fact, we are the only firm that offers any of the compliance tune-ups! If you want more information, go here, and we’ll respond to your request.
Your question is excellent! Many companies do not even know that they have a risk profile. That’s right! Every financial institution has a risk profile. When my team evaluates a company’s compliance needs, we take into consideration its size, complexity, products, services, business strategy, and, importantly, its risk profile. So, starting the policy with an outline of your institution’s risk profile is critical to the integrity of the policy document itself.
The regulatory agencies focus on elements of internal control systems and risk management, improving audit practice (particularly related to material errors in financial reporting), and cybersecurity throughout the enterprise.
Cybersecurity is a key risk topic because of the ever-increasing sophistication of systemic attacks. Typically, the reason these attacks are successful is because of missing or ineffective attention to rudimentary “security hygiene” practices in the systems and network environments, such as the failure to mitigate known vulnerabilities.
Regulators consider two factors in determining the risk profile vis-à-vis cybersecurity: the Inherent Risk Profile, which identifies the institution’s inherent risk before implementing controls; and the Cybersecurity Maturity, which includes domains, assessment factors, components, and individual declarative statements to identify specific controls and practices in place.
There are five risk assessment criteria for the Inherent Risk Profile that should be outlined in your institution’s risk profile and five criteria for Cybersecurity Maturity that should be met by management.
The five risk assessment criteria of Inherent Risk Profile in an institution’s risk profile are:
- Technologies and Connection Types
- Delivery Channels
- Online/Mobile Products and Technology Services
- Organizational Characteristics
- External Threats
The five risk assessment criteria for Cybersecurity Maturity in an institution’s risk profile are:
- Cyber Risk Management and Oversight
- Threat Intelligence and Collaboration
- Cybersecurity Controls
- External Dependency Management
- Cyber Incident Management and Resilience
I recognize that you are not a techie, but there are some actions that you can take to ensure a positive risk profile for cybersecurity.
Strengthen your Cybersecurity Risk Profile
- Retain a firm to design internal control systems
- Create internal control policies
- Develop and document a formal internal control environment
- Monitor internal control systems
- Retain an independent firm to test the controls
- Conduct a risk assessment independently or internally
- Train personnel on managing internal systems
Management should document the risk mitigation efforts and choices, including the strategic, operational, and budgetary considerations that informed those choices; describe fully any accepted risk, including from unmitigated vulnerabilities; and set forth an action plan to implement and monitor the cybersecurity framework.
Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director
Lenders Compliance Group