Managing Cybersecurity Is a Risk Management Function
Cybersecurity breaches continue to make headlines. Just recently, the systems at multiple hospitals were successfully attacked, with at least one hospital purportedly paying a ransom to regain control.
These types of attacks can threaten the very existence of a company. But executives and boards in many organizations feel as if they don’t understand cybersecurity well enough to provide proper oversight.
Given the need for management to protect its assets, how can management overcome its lack of understanding of security-related issues? The key is understanding that cybersecurity is a risk, just like credit risk, operational risk, and other organizational risks. Successful oversight requires a risk-based approach that is not limited to your IT or security departments.
Cybersecurity is first and foremost a business risk and needs to be managed with that in mind. It is a risk that your assets, stored online, might be stolen or compromised.
In the mortgage industry, risk management functions historically focused on managing credit risk. After Sarbanes-Oxley and Dodd-Frank, the role of the risk manager evolved in many organizations to cover operational risk.
Today, with the growing risk posed by cybersecurity breaches, many companies are expanding the risk management role to cover cybersecurity and privacy risks.
As well they should.
Risk managers are uniquely qualified to examine, understand, and quantify risk. Yes, they will need to learn more about cybersecurity, but risk managers will learn by doing what they do best — asking questions until they can understand the risk and the trade-offs in determining the best way to cost-effectively manage those risks.
Deploying a risk-based approach under the leadership of risk management professionals will help to balance cybersecurity risks against other corporate opportunities.
Resources and Tools
Risk management professionals initially may be hesitant to assume any responsibility for understanding and documenting cybersecurity-related risks. After all, they don’t work in the security profession and they certainly don’t speak the lingo.
So how can professionals whose careers have been focused on managing other risks effectively help manage cybersecurity risks?
The most important thing to understand is that there are many resources available to help with this task. Some resources may cost a little money. These include the use of Shared Assessment questionnaires to manage third-party vendors and security threat monitoring functions such as those offered by the Financial Services Information Sharing and Analysis Center (FS-ISAC).
Certain other resources are free. Three are described below:
NIST Cybersecurity Framework—The Cybersecurity Framework developed by the National Institute of Standards and Technology (NIST) is a tool that uses “business drivers to guide cybersecurity activities” and helps companies evaluate “cybersecurity risks as part of the organization’s risk management processes.” The Framework is fairly large and comprehensive. For individuals familiar with the implementation of controls under Sarbanes-Oxley, the NIST Framework should be easy to understand. If your organization is new to frameworks or a structured approach to cybersecurity, it will likely be somewhat daunting.
Don’t let that stop you. Start small, pick an area of perceived risk, and learn as you go. Managing cybersecurity risks is an iterative process, just like managing other risks. It will continue to evolve as you learn more about the risk. The key is to start. If the NIST Framework is too much for your organization to start with, the FFIEC may offer a simpler starting point.
FFIEC Cybersecurity Assessment Tool—The Federal Financial Institutions Examination Council (FFIEC) is an organization consisting of six financial institution regulatory agencies, including the Federal Reserve and the Consumer Financial Protection Bureau. The FFIEC realized that many smaller and medium-size financial institutions might not have the resources necessary to effectively evaluate their cybersecurity risks. To assist these entities, the FFIEC created the FFIEC Cybersecurity Assessment Tool to help them assess their cybersecurity risks and preparedness. The tool consists of two components: an inherent risk profile and a cybersecurity maturity assessment.
The inherent risk profile helps companies to understand and document their technology activities, which allows a company to identify the types of cybersecurity risks that it needs to manage.
The tool’s second component, the maturity assessment, helps companies address the maturity of their cybersecurity practices.
The combination of these components helps companies prioritize the areas that most require attention. One final note on the FFIEC Tool: Although its use by financial institutions is voluntary, several FFIEC member agencies have stated that their examiners will utilize the tool themselves as part of their oversight function.
MBA Whitepaper on Components of an Information Security Program—Finding an easy-to-understand document that explains cybersecurity risks is difficult. To help business leaders, the Mortgage Bankers Association created The Basic Components of an Information Security Program, a white paper that describes, in plain English, the minimal items that should be included in a company’s cybersecurity program.
The document highlights the most important actions that an organization can take to protect itself. The language used in the document aligns with the language used in the NIST Framework, which should enable organizations to migrate toward using the NIST Framework as they mature in their cybersecurity practices.
Don’t Wait to Get Started
Bad guys don’t follow any rules. They simply want to steal what they can, however and whenever they can. They operate very differently from the bank robbers of the 1930s. They can steal from the other side of an international border, where our policing function may have limited ability to prevent the act or catch the criminal (or the nation state wishing to cause harm).
And they can quickly morph their methods to exploit new vulnerabilities.
When it comes to protecting the online assets of your company, you need an ongoing process that evaluates the changing risks to your organization. Involving IT, information security, business executives, and risk managers in the development and maintenance of your cybersecurity program will ensure that your organization takes a thoughtful, risk-based approach to managing the security of your online assets.
Rick Hill is vice president of Industry Technology for the Mortgage Bankers Association and executive vice president of MISMO, an organization that develops standards for the residential and commercial real estate finance industries.
“Perspectives” showcases views from industry thought leaders on current topics or events. Views expressed in “Perspectives” do not reflect the views of Fannie Mae, and Fannie Mae does not endorse or support the positions or opinions expressed herein. To submit your idea, contact us at [email protected].