Credit Union Times: Cybersecurity Experts: Compliance Doesn’t Equal Security

February 1, 2016 — Cybersecurity Experts: Compliance Doesn’t Equal Security

Meeting regulatory expectations is a large part of financial institutions’ cybersecurity strategies. However, you can comply with the regulatory requirements and still not be secure. A look at the FFIEC Cybersecurity Assessment Tool with comments from NuData Security.

In 2015, the value of the U.S. financial services cybersecurity market reached $9.5 billion, making it the largest non-government cybersecurity market and the fastest growing one as well, according to the Washington-based Homeland Security Research Corp.

Further, the New York City-based Deloitte revealed in its “2015 Banking Outlook” report that the U.S. financial services sector faced the greatest economic risk related to cybersecurity, and that financial institutions must dedicate more resources to improve the security, vigilance and resilience of their cybersecurity models.

Meeting regulatory expectations is a large part of financial institutions’ cybersecurity strategies. And it requires managers to broaden their focus from improving processes to integrating risk management, compliance and ethics into their organizations’ cultures.

Often, financial institutions seem caught between directing more resources toward compliance and cybersecurity protection, however.

“Financial institutions can easily fall into the trap that ‘compliance is security’ and nothing is further from the truth,” Stu Sjouwerman, founder/CEO of the Clearwater, Fla.-based KnowBe4, said.

Keeping up with compliance is even more difficult when the guidance changes or conflicts with other regulations.

For example, the Federal Financial Institutions Examination Council recently reopened the comment period for its six-month-old Cybersecurity Assessment Tool. The tool’s original intention was to allow financial institutions of all sizes to perform self-assessments and update risk management strategies using it along with other methodologies.

“There is no indication when the Assessment Tool 2.0 will come out. It could take more than a year,” Ross Shameski, chief privacy officer and general counsel for the Vancouver-based NuData Security, said.

Shameski added the anticipated changes to the FFIEC assessment tool are a step in the right direction, and some have begun speculating what the changes might be.

“The community is pushing the FFIEC to move away from the yes/no checkbox compliance [method] because we all know that doesn’t result in security,” Robert Capps, vice president of business development for NuData Security, said. “You can comply with the regulatory requirements and still not be secure. What is positive in the FFIEC tool and guidelines that came out last year is the inclusion of the financial institution boards in the decision making and approval process for information security and technology risks.”

NAFCU Regulatory Affairs Counsel Kavitha Subramanian submitted a letter to the FFIEC requesting that the assessment tool utilization remain voluntary.

“This voluntary Self-Assessment Tool will be helpful for credit unions of all asset sizes to measure and assess their individual cybersecurity maturity and determine what changes should be implemented based on their internal risk appetite,” Subramanian wrote. “We caution the Agencies against any future action to explicitly require financial institutions complete this Assessment as a supervisory or regulatory expectation.”

For the full story at Credit Union Times, click here.