CIO Review | 6/6/2017 | John Paul Cunningham
In the realm of cybersecurity, old threats continually evolve and new threats continually emerge. One of the most effective ways for companies in the financial services industry to protect themselves and their clients is to create a Chief Information Security Officer (CISO) position within their organizations.
In September 2016, the New York State Department of Financial Services proposed the nation’s first cybersecurity regulation to protect state financial institutions and their customers—and other states may follow. A key component of the New York State legislation is the requirement that companies create and fill a CISO role. In addition, the law elevates the role of the CISO, assigning CISOs additional accountability and personal liability for annually attesting to the effectiveness of the information risk controls and overall cybersecurity program.
Financial firms that have not previously employed CISOs, or who have appointed CISOs in name only, may not know precisely what the job and responsibilities entail. Regulators such as the SEC, FFIEC, and FINRA, as well as requirements spelled out in the New York State Department of Financial Services’ proposed law, mandate that a firm’s cybersecurity personnel must be specifically trained in the discipline of cybersecurity. They also require a financial firm to be organizationally structured so that its cybersecurity personnel are able to actively advise both senior management and the board of directors on cybersecurity issues, risks, and strategies. Firms can no longer rely on a CIO, CTO, or CISO in name only to be sufficient for compliance with the new regulatory standards.
Financial services firms should create a position for a CISO who can serve as a resource to empower teams across their organizations to better manage information security
Given the depth and breadth of today’s cyber threats, and the increasingly complex regulations surrounding the security of systems that store and process sensitive information, financial companies need to have CISOs on their leadership teams to implement, manage, and enforce cybersecurity programs and policies.
CISOs function as information-security sheepdogs for the people and assets of financial firms and other companies. Sheepdogs guide flocks toward their destination and help them avoid distractions along the way. They also alert them to danger from wolves and other predators. The responses to danger that sheepdogs are trained to elicit are vital for preventing their flocks from suffering severe losses. In much the same way, a CISO must be both shepherd and guard-dog—advising vertically, building strong partnerships horizontally, and playing the role of an ever-watchful risk manager to both inform and guard against threats to the people and the assets of the firm.
To best protect themselves and their clients from cyber-attacks, financial services firms should create a position for a CISO who can serve as a resource to empower teams across their organizations to better manage information security. CEOs and boards of directors should imbue the CISO with the following sheepdog-like responsibilities:
Guide: No company can prevent hacks if its employees don’t have a cybersecurity policy to follow. A CISO should draft a clearly written cybersecurity policy and distribute it to every employee. The policy should comprehensively articulate the roles and responsibilities of every employee in protecting the firm’s information assets. It should also include the implementation of firm-wide meetings and/or training sessions related to cybersecurity and the latest threats on at least a quarterly basis. Employees who attend should be tested to ensure they understand the firm’s security policy and how to protect against evolving cyber threats. In addition, a CISO should establish a risk register to record risks to information security, and the firm’s responses to them, for senior management and the board of directors.
Guard: Detecting and preventing cyber threats is arguably the most important responsibility of a CISO. After all, it is easier over the long term to establish and maintain a strong defense than it is to go on the offense after a security breach. But CISOs need state-of-the-art tools and, more importantly, top-line human capital to be effective in their “Guard” responsibilities. Firms should continuously invest in information security to ensure that their organizations always have effective technology controls in place to detect, protect, and respond to potential threats—as well as top information security talent in place to ensure the controls work properly.
Alert & Respond: CISOs and their organizations must plan for, and be equipped to respond effectively to, all security threats and breaches. A cybersecurity breach, like any crisis, requires a quick and orderly action to mitigate damage. To gain control of the situation and prevent widespread fallout, a CISO must assume the role of crisis manager—alerting employees, law enforcement, outside vendors, clients, regulators and other necessary parties about a breach as soon as possible, and guiding their organization through response and recovery. Communication and incident-response plans with step-by-step processes for handling a breach should be put in place before any threat has been detected, and provided to employees as part of the firm-wide cybersecurity policies that CISOs draft. Organizations should also rehearse their responses as part of their disaster recovery and business continuity exercises. “Practice as you will play” should be their motto. In addition, CISOs can work with their organizations’ marketing and compliance teams to formulate plans for communicating with clients, regulators, and the media about security breaches.
Rescue: Just as communication plans should be finalized and regularly reviewed prior to a security breach, CISOs must also take the lead in hammering out plans for post-breach recovery operations before such a disaster occurs. Recovery plans should consist of step-by-step instructions for retrieving lost or stolen data, and for restoring normal operations—including access to e-mails and files—as soon as possible. All employees who play a role in recovery operations need to be aware of what they must do, so it is important that CISOs lead practice “recovery drills” with some frequency. Records of these drills, and any cybersecurity education and testing for employees, should be saved by CISOs in the event of a regulatory audit.
Cybersecurity breaches don’t just result in stolen money and potential fines from regulators. They can do permanent damage to the reputations of financial services firms. CISOs possess the information-security expertise that firms need to adequately protect their clients’ sensitive financial data—and like sheepdogs, they guard an organization’s employee flock against cyber threats and sound the alarm when danger is detected.
Docupace Technologies, LLC pioneered and implemented SEC/FINRA-compliant Straight-through Processing technology for financial services companies. Docupace’s cybersecurity and document management and workflow solutions simplify the process of capturing, organizing, routing and accessing information for broker-dealers and registered investment advisors (RIAs) that, under new government regulations, must keep thorough, secure records of documents that explain how they formulated recommendations that are in the best interests of investors. Docupace’s innovative products have been proven to significantly reduce not-in-good-order (NIGO) conditions on document processing submissions for financial services companies.
Docupace currently services over 1 billion stored documents from more than 500 Broker Dealers and RIAs. For more information, please follow @docupace.