

Are you "mature" enough? Cybersecurity maturity is the new black


From leading global bank corporations to local community savings institutions, cybersecurity breaches have made national and local news headlines. The loss of personally identifiable information (PII) and account and credit card information makes me wonder every time another breach is announced: how mature were their cybersecurity policies and procedures at the time of the breach? What about you? How mature are cybersecurity efforts at your financial institution (FI)?

Cybersecurity maturity reflects an organization’s level of preparedness to mitigate cyber threats and vulnerabilities.

Typical models used to measure an organization’s maturity rate it on a scale of 0-5. Level 0 represents doing nothing (or very little). Level 5 represents an organization having optimized processes and controls to deter cyber threats. See below for an illustration of the Federal Financial Institutions Examination Council's (FFIEC) Cybersecurity Maturity Level.

If rating the maturity of your organization’s cybersecurity program (or information security program in general) is not something you have paid much attention to, this is a good time to do so:

According to the 2015 Cyberthreat Defense Report published by the CyberEdge Group, over 70% of organizations surveyed (814 organizations in all) reported they were breached or were breached and did not know it in 2014. Of those 70%, only 24% believe they are not likely to be breached again in the next 12 months.

That means about 76% of those that suffered a breach in 2014 felt they were at least somewhat likely to have another breach in 2015. It sounds like cybersecurity on the whole needs some work.

Grow up: improve the maturity of your Cybersecurity

To help financial institutions combat the ever-increasing volume and sophistication of cyber threats, the FFIEC released the Cybersecurity Assessment Tool (CAT). The CAT provides a repeatable, measurable process to assess cybersecurity preparedness over time.

The tool uses relevant principles from the FFIEC Information Technology Examination Handbooks, the National Institute of Standards and Technology (NIST) Cybersecurity Framework, and other regulatory guidance and industry best practices. There are two parts to the CAT. Once both parts are completed, your management team and board can determine if your FI’s inherent risk and preparedness are aligned.

Inherent Risk Profile

The CAT helps an FI determine the inherent risk level within these risk profile categories:

  • Technologies and Connection Types
  • Delivery Channels
  • Online/Mobile Products and Technology Services
  • Organizational Characteristics
  • External Threats

Inherent risk is defined as the risk posed to an organization without accounting for any mitigating controls in place. It’s a measurement of the threats that can be expected to be directed at an FI’s activities, services and products. The risk for each category is based on descriptions taken from the inherent risk portion of the CAT. When all the activities, services and products are assessed, your management can determine your FI’s overall inherent risk.

Measuring and Evaluating

This brings us to the second part of the CAT: How mature is your cybersecurity program? This helps management determine the residual risk based on the controls in place to mitigate it. The tool provides statements to help your institution evaluate behaviors, practices and processes and determine preparedness within the following five domains:

  • Cyber Risk Management and Oversight
  • Threat Intelligence and Collaboration
  • Cybersecurity Controls
  • External Dependency Management
  • Cyber Incident Management and Resilience

It gets a little complicated from here and will make much more sense when you read through the CAT user guide. Essentially, each domain has a set of assessment factors and contributing components. Within each of these components is a set of declarative statements.

Your answers to the declarative statements will determine the maturity level of the cybersecurity controls for each practice of your institution, which will give management a roadmap of what areas need further assessment and/or controls. The maturity levels are:

  • Baseline – minimal compliance, only doing what is required by regulations
  • Evolving – Baseline + formal documented procedures, more than just minimal compliance
  • Intermediate – Evolving + detailed formal processes, controls are validated and consistent
  • Advanced – Intermediate + Cybersecurity practices and analytics integrated across lines of business. Majority of processes are automated and continuously monitored. Accountability is formally assigned to all processes by line of business owners.
  • Innovative – Advanced + driving innovation in processes and technology for the industry. Involved in creating new controls and tools. Real time predictive analytics are tied to automated responses.
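
The roll-up described above, as an added example that is not part of the original article or of the FFIEC tool. It assumes the cumulative reading of the level definitions (a level counts only when every statement at that level and every lower level is answered yes) and that a domain is rated at its weakest component; component names, statement IDs and answers are constructed placeholders.

```python
LEVELS = ["Baseline", "Evolving", "Intermediate", "Advanced", "Innovative"]

# Constructed sample: domain -> component -> level -> {statement id: answered yes?}
SAMPLE = {
    "Cybersecurity Controls": {
        "component-A": {
            "Baseline": {"A-B1": True, "A-B2": True},
            "Evolving": {"A-E1": True},
            "Intermediate": {"A-I1": False, "A-I2": True},
        },
        "component-B": {
            "Baseline": {"B-B1": True},
            "Evolving": {"B-E1": True, "B-E2": False},
            "Intermediate": {"B-I1": True},
        },
    },
    "Cyber Incident Management and Resilience": {
        "component-C": {
            "Baseline": {"C-B1": True, "C-B2": False},
            "Evolving": {"C-E1": True},  # does not count: Baseline is not met
        },
    },
}

def component_level(answers):
    """Index of the highest level attained cumulatively (assumed rule); -1 if none."""
    idx = -1
    for i, level in enumerate(LEVELS):
        stmts = answers.get(level)
        if not stmts or not all(stmts.values()):
            break  # a missing or failed level caps the rating here
        idx = i
    return idx

def assess_domain(components):
    """Return (domain level or None, statement ids blocking the next level)."""
    idx = min(component_level(a) for a in components.values())
    if idx == len(LEVELS) - 1:
        return LEVELS[idx], []
    target = LEVELS[idx + 1]
    gaps = sorted(s for a in components.values()
                  for s, ok in a.get(target, {}).items() if not ok)
    return (LEVELS[idx] if idx >= 0 else None), gaps

def assess(profile):
    return {domain: assess_domain(c) for domain, c in profile.items()}

if __name__ == "__main__":
    for domain, (level, gaps) in assess(SAMPLE).items():
        print(f"{domain}: {level or 'below Baseline'}; next-level gaps: {gaps}")
```

The gap list for each domain is the roadmap input: the statements that must be answered yes before the domain moves up one level.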

Benefits of using the CAT:

  • Identify informed risk management strategies
  • Help determine your overall cyber risk
  • Assess your cybersecurity preparedness
  • Determine if preparedness is properly aligned with risk
  • Ascertain what cybersecurity controls are needed or need enhancement

The FFIEC has developed this tool to assist management and boards of FIs of all sizes to assess their cybersecurity risk and be better prepared to meet it. The Cybersecurity Tool is available for download from the FFIEC website and can be completed by your IT, operations, and compliance staff. If your institution lacks the resources or time, BerryDunn can assist in completing the Cybersecurity analysis for you.

The more mature your cybersecurity, the better your institution will be. To learn more about how to apply the maturity tool and prioritize your actions, contact Miles Smith or Chris Ellingwood.