QUESTION
I heard recently about your Cyber Tune-up!™ and have contacted your office for more details. My main concern is trying to understand some of the features of a cybersecurity risk assessment. I am writing our cybersecurity policy and procedures. I want to provide a section about our risk profile. I need some help in categorizing the areas that require particular attention. I am not a techie, and a lot of this stuff baffles me! My question is, what are the criteria for a risk profile in cybersecurity?
ANSWER
Thank you for your interest in our Cyber Tune-up!™ We are the only compliance firm in the country that offers it; in fact, we are the only firm that offers any of the compliance tune-ups! If you want more information, go here, and we’ll respond to your request.
Your question is excellent! Many companies do not even know that they have a risk profile. That’s right! Every financial institution has a risk profile. When my team evaluates a company’s compliance needs, we take into consideration its size, complexity, products, services, business strategy, and, importantly, its risk profile. So, starting the policy with an outline of your institution’s risk profile is critical to the integrity of the policy document itself.
The regulatory agencies focus on elements of internal control systems and risk management, improving audit practice (particularly related to material errors in financial reporting), and cybersecurity throughout the enterprise.
Cybersecurity is a key risk topic because of the ever-increasing sophistication of systemic attacks. Typically, these attacks are successful because of missing or ineffective attention to rudimentary “security hygiene” practices in the systems and network environments, such as the failure to mitigate known vulnerabilities.
Regulators consider two factors in determining the risk profile vis-à-vis cybersecurity: the Inherent Risk Profile, which identifies the institution’s inherent risk before implementing controls; and the Cybersecurity Maturity, which includes domains, assessment factors, components, and individual declarative statements to identify specific controls and practices in place.
There are five risk assessment criteria for the Inherent Risk Profile that should be outlined in your institution’s risk profile and five criteria for Cybersecurity Maturity that should be met by management.
The five risk assessment criteria of the Inherent Risk Profile in an institution’s risk profile are:
- Technologies and Connection Types
- Delivery Channels
- Online/Mobile Products and Technology Services
- Organizational Characteristics
- External Threats
The five risk assessment criteria for Cybersecurity Maturity in an institution’s risk profile are:
- Cyber Risk Management and Oversight
- Threat Intelligence and Collaboration
- Cybersecurity Controls
- External Dependency Management
- Cyber Incident Management and Resilience
I recognize that you are not a techie, but there are some actions that you can take to ensure a positive risk profile for cybersecurity.
Strengthen your Cybersecurity Risk Profile
- Retain a firm to design internal control systems
- Create internal control policies
- Develop and document a formal internal control environment
- Monitor internal control systems
- Retain an independent firm to test the controls
- Conduct a risk assessment independently or internally
- Train personnel on managing internal systems
Management should document the risk mitigation efforts and choices, including the strategic, operational, and budgetary considerations that informed those choices; describe fully any accepted risk, including from unmitigated vulnerabilities; and set forth an action plan to implement and monitor the cybersecurity framework.
Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director
Lenders Compliance Group