Ask a financier, a telco CEO, and a cyber security analyst about the impact of new banking regulations on risk management policies, and you’ll very likely get three different answers. Their answers will cover everything from how banks – and companies with banking functions – must govern their organizations, to how they can ‘use’ their clients’ money. Banking regulations also cover technical specifications for how individual transactions from one bank to another must be conducted. In addition, they cover many areas of concern to cyber security practitioners, like mobile banking, strong customer authentication, and e-signatures. To further complicate things, regulations come from a variety of ‘authorities’: federal, state, international, and other organizations.
In today’s blog, we’ll take a look at some of these regulations, and how these can impact your risk management policies.
Origins of Stricter Regulations
In the wake of the 2008 Wall Street financial crisis and the economic turmoil that followed, lawmakers rushed to pass a flurry of regulations designed to protect consumers from what many saw as irresponsible behavior by banks and other financial entities, including excessive risk taking and rampant abuse and misuse of loopholes in existing laws. (If you don’t know very much about what some have called the worst financial crisis since the Great Depression, I’d suggest reading or watching The Big Short to kick off your research.)
The best-known of these regulations was the Dodd-Frank law, passed in 2010. Memories are apparently short in Congress, however, as elected officials and the banking lobby are doing their best to roll back these protections in 2019. Nonetheless, there are a number of other laws that have been passed or that are being considered this year which are designed to help banks and regulators catch up to the realities of the “new” digital and cyber landscape.
For example, privacy is a top concern for consumers, as evidenced by legislation like the California Consumer Privacy Act, which will likely influence other states to enact similar privacy laws.
A “New” Digital Age?
As a cyber security professional, you might ask in bewilderment, “What? How is this a ‘new’ digital age? Hasn’t online banking been around for a long time?” To keep it in perspective: the first bank dates back about 4,000 years. Measured against that, banks are still catching up to the drastic changes brought in by widespread Internet usage, digital transactions, and cryptocurrency. A seemingly small security incident can now have catastrophic consequences for proprietary business data and funds available in banking accounts, as well as for customer information and privacy.
Regardless of what industry your business is in, you know how important a Governance, Risk management, and Compliance (GRC) program is. It has many functions, such as helping you determine where to allocate more resources.
Where Do I Start?
Cyber security risk is increasing and evolving every day, and new banking regulations are being created on what seems like an ongoing basis in response. So, you need to figure out how these regulations could impact your existing risk management program. But where do you start?
First, take a deeper look at your existing GRC program. Is it siloed? Many institutions take this approach, whether intentionally or by default. While in some cases there’s a need for some separation of duties and responsibilities, there should still be coordination with departments outside the risk and compliance or security teams. Using different methodologies, data sets, or metrics when risks and controls are tightly integrated and shared across the organization is risky: it can yield an inaccurate overall ranking of your risks, and waste further resources on redundant processes.
The Basel Committee on Banking Supervision (BCBS) sets standards for the prudential regulation of banks and provides a forum for regular cooperation on banking supervisory matters. This means they have a unique pulse on regulations from around the world. BCBS identified that even though the broader IT and operational risk management practices are mature and are often used to address cyber-risk and supervise cyber-resilience, they still generally lack full cyber-strategy integration at the board level. So does your GRC program incorporate your cyber strategy by integrating cyber into the operational risk functions? Make sure your board-level governance leadership knows how to spell ‘cyber’.
Let’s Talk About Regulatory Compliance
Unless you’ve been hiding under a tin-foil hat or never watch the news, you know about the European Union (EU) implementing the broad-reaching General Data Protection Regulation (GDPR). I won’t go into the details here, but your organization will be fined heavily if you don’t disclose breaches as laid out in the regulation. So, not only do you have your company’s reputation to worry about, but a decent chunk of your revenue is at risk if you don’t comply with this standard. If you think this doesn’t apply to you, think again.
The patterns we see globally seem to be cropping up in more localized jurisdictions, too. California, for example, is adopting similar regulations in the California Consumer Privacy Act of 2018 (CCPA), so it’s likely we’ll see more of these types of requirements coming down from more states and other various authorities.
Instead of a unified global approach, regulation seems to be getting more localized, yet following common themes. Several jurisdictions within the EU have mandated regulator-led penetration testing, for example. In the U.S., there have also been talks of a requirement for third-party-led cyber exercises. I would use that as a crystal ball to see what could be next on the horizon here.
Hint: The SEC Has Already Done So – Kind Of
The Securities and Exchange Commission (SEC) published a “Commission Statement and Guidance on Public Company Cybersecurity Disclosures”, recommending that companies evaluate whether they have sufficient disclosure controls and a plan in place to “ensure that relevant information about cyber security risks and incidents is processed and reported to the appropriate personnel, including up the corporate ladder.”
This is another trend we can expect to see in the near term: somewhat vague direction on what the program must contain, but clear guidance that you need to have one. This means incorporating your cyber security strategy into your operational risk management program if you haven’t already. Again, depending on the regulations applicable to your company and/or industry, there may already be additional specific guidance. The New York State Department of Financial Services (NYDFS) released regulation 23 NYCRR 500 in 2017, mandating that financial services companies adopt a risk-based cybersecurity program and supporting capabilities.
And don’t forget to apply new concepts to the old requirements. Cyber security risks and incidents may need to be addressed when preparing disclosures that are required in registration statements under the Securities Act of 1933, as well as periodic and current reports under the Securities Exchange Act of 1934.
The point is, many companies may have outdated risk matrices, response documentation, and periodic report procedures that are not taking cyber security into account.
Know the Rules, Then Act!
So how does all of this affect your risk management process, and what can you do moving forward? Have that conversation with your chief risk officer (CRO) or chief risk management officer (CRMO) about where cyber security falls within existing regulations. Get your team familiar with the cyber-specific risks that are constantly increasing. Remember the risk formula: Threat × Vulnerability × Impact.
The impact of existing regulations is changing rapidly because of increased interoperability, and the widespread adoption of technological advances like mobile banking. So, not only do you have to worry about the first-order effects of a cyber breach, but you also have to deal with the penalties of non-compliance, especially when it comes to incident response.
The ‘fog’ that sets in during a cyber breach can easily distract both responders and leadership from some of the requirements in newer regulations. You should run cyber exercises that include your legal, financial, operational, and cyber teams to make sure you’re prepared. Exercises also help build the organizational muscle memory to communicate effectively during and after a crisis.
Ultimately, it’s imperative that your GRC program stays agile. You should be able to keep incorporating new regulations into your program as they come down. Leverage internally-sourced and externally-sourced broad-spectrum threat intelligence to inform your risk management processes.
Seek out help with a third-party risk assessment. Develop an exercise program to push the limits of existing processes. You should also incorporate the results into your risk management data and ensure you are doing your due diligence to meet both regulatory requirements and the needs of your customer base.