
Compliance v risk - how to bridge the gap?

Chris Strand, IntSights, Chief compliance officer, New York, 16 September 2020


People who operate in the financial sector ought to bridge the gap between compliance and risk because they are effectively one and the same and have the same end-goal. This is never more obvious than in the realm of cyber-risk and cyber-security.

Take a look at any large financial institution and all too often you will spot a manager responsible for risk management and another who has a duty to make it comply with regulatory rules, with separate teams that stick to their own areas. They report to different departments, often collecting the same type of data, but using it for different purposes. Unfortunately, there is seldom any significant or constructive co-ordination between the two.

This is inefficient, and it is unnecessary: most of the regulations that financial institutions must comply with are themselves concerned with quantifying and reducing risk. If a risk department can prove that the firm is compliant, that firm's risk is guaranteed to be substantially reduced.

How regulations try to reduce risk

Over the past few years, regulations that govern the various operations of financial institutions have concentrated more and more on the reduction of risk and on the stipulation that organisations ought to be able to measure their levels of risk in certain areas. For example, the PCI-DSS or Payment Card Industry Data Security Standard, which regulates card payment information, requires businesses to which it applies to carry out annual risk assessments in an effort to identify any weaknesses and threats that could endanger the security of sensitive data, particularly the details of cardholders. Regulators expect financial firms to use the information that they glean from their risk assessments to develop strategies to remedy their shortcomings.

The PCI-DSS is far from the only regulation that requires businesses to mitigate the risks associated with keeping data and IT networks secure. For example, the European Union's GDPR or General Data Protection Regulation requires businesses to carry out Data Protection Impact Assessments to spot and minimise the risks that any new project poses to personal data.

Because various laws (and good business principles) oblige banks to protect digital information and systems, cyber-security controls play a significant part in both risk and compliance. People who oversee risk and compliance systems and controls therefore need to understand the current "security posture" of their organisation’s IT estate by working closely with the chief information security officer or CISO to stand any chance of obeying the applicable regulations.

To reduce risks and comply effectively, compliance officers must analyse the body of law that applies to security controls, consider what the risk assessments say and apply their conclusions to the security stack.

Complying and being secure in an effort to reduce risk

Regulatory compliance does not necessarily make an organisation secure. Businesses are under a huge amount of pressure to meet their regulatory obligations and to do so easily and quickly. This leads to “tick box” compliance, which is next to useless in the long term because it only shows that the organisation is secure at the time of an audit. It is not a true sign that the company complies with regulations continuously.

Firms therefore ought to put measures in place that ensure continuous compliance, so that they are always as secure as possible. Continuous compliance also enables a firm to respond quickly to regulators’ requests for information. For instance, if someone at a bank operating under the GDPR 'exposes' personally identifiable information, the bank can then easily show the regulator that it is compliant within the mandated 72-hour window for reporting the breach.

In the US, the Federal Financial Institutions Examination Council (FFIEC) allows financial institutions to use its Cybersecurity Assessment Tool, which helps them analyse their maturity in risk and cyber-security. Similarly, the Bank of England offers British companies CBEST, which is a framework for penetration and cyber-security testing. Both of these ‘kits’ will let a firm know where and how much it is exposed to cyber-harm, the overall maturity of its cyber-security effort and the inherent level of cyber-risk throughout its estate.

CBEST and the Government-backed Cyber Essentials scheme together provide an excellent framework for cyber-security best practices in the UK. If an organisation is using these frameworks proactively, it is unlikely that it will fall foul of the regulators.

Likewise, the PCI DSS is a great foundation for measuring cyber-security risk because it provides very prescriptive controls with clear consequences. Once an organisation has satisfied the PCI DSS’ 12 requirements it will have a solid minimum level of data security and the answers it needs to improve its security posture. Its prescriptive nature is also a benefit: even though the 12 core requirements break down into more than 200 sub-requirements, it is far less sprawling than other regimes such as the FFIEC's, which has 523 questions to be answered just to determine the technical security profile before a report on the level of risk can be generated.

The golden triangle of risk management, compliance and cyber-security

As we have seen, risk management, compliance and cyber-security are very closely intertwined, as it is not possible to be effective in one without the other two. Regulators are well aware of this triumvirate and create their regulations accordingly to ensure that customer data, finances and other assets are protected sufficiently. To this end, organisations must look to bridge the gap between these three elements and stop reinventing the wheel across disparate tasks, or face the consequences of the inevitable gaps in their cyber-policies.

The managers of these three elements therefore need either to work closely together or indeed to be under the remit of one person. This ought to ensure that the goal of improving security to reduce risk (real and regulatory) is managed effectively, efficiently and proactively.
