With cybersecurity incidents becoming more frequent and sophisticated, the need for strengthened cybersecurity practices and protocols is more important than ever. But where should firms and the industry focus now?
Ana Lotharius, ISITC board member and Director of Strategic Initiatives and Americas Industry Relations at DTCC, recently sat down with Stephen Scharf, Managing Director and Chief Security Officer at DTCC, to discuss cybersecurity best practices for organizations.
Ana: What are the best cybersecurity practices an organization can take to protect itself?
Stephen: The industry may have morphed its nomenclature over the years, from computer security to information security to data security to cybersecurity, but the core fundamental practices on how an organization can best protect itself have not changed.
There are multiple tenets within cybersecurity that are as crucial today as they have been in the past – patch management, vulnerability management, effective monitoring of infrastructure, identity management, network segregation, segregation of duties and network access – to name a few. There are nuances to each of these areas, but this is the general model that most firms follow and maps back to the frameworks that have been developed and enhanced over the years.
But as cybersecurity threats continue to grow, coupled with increased regulatory focus in this area, firms are evolving their approach to cybersecurity, building upon successful methods of the past and identifying new ways to bolster their defense and recovery strategies for the future. As we progress as an industry, it’s going to be important that we work together to establish standards, especially around data sharing among firms and key stakeholders. Due to the interconnectedness of the financial markets, we also must rethink existing business continuity practices and build more resilience into business practices and technology platforms.
Ana: You spoke about data sharing. Are firms actively sharing data today to prevent and respond to cyber threats?
Stephen: There is always room for improvement, but the short answer is yes. We have certainly made great strides over the past decade. When I started out as a CSO 15 years ago, a group of us would get together and no one would share information. The person who broke down first to share information was viewed as foolish. With the same group, now 15 years later, things have completely switched, and the person not sharing information is the foolish person in the room.
Today, malicious activities are being coordinated by criminals. Sharing attack techniques, toolkits, tactics, and other mechanisms for protecting against illegal activities is crucial to the well-being of firms and the industry. Otherwise, we will be at a significant disadvantage.
Ana: What sort of regulatory standards should be put in place for stronger industry-wide cybersecurity?
Stephen: The industry has been rallying around the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). It is a solid piece of work that was initially put together in 2014 and has gone through several iterations. Essentially, it provides a broad collection of cybersecurity best practices and evaluation criteria, so a firm can measure itself against the framework.
After successfully using the NIST CSF for a few years, the financial services industry identified a few areas that could be improved. First, it became clear that it would be helpful to consider the criticality of a firm when deciding how robust a control set should be required. Second, third-party risk management and other potential areas also needed to be addressed.
Building upon the advancements of the NIST framework, the Financial Services Sector Coordinating Council (FSSCC), an industry collection of financial services firms that coordinate important infrastructure and homeland security initiatives in the United States, introduced new recommendations. Last October, FSSCC released a new Cybersecurity Profile that provides a framework to help guide financial institutions of all sizes as they work to build their cybersecurity risk management programs, including an assessment that firms can use to determine their compliance across regulatory requirements. FSSCC developed multiple tiers that identify how many controls apply to a firm based on each firm’s criticality. They’ve also added controls within the third-party risk space, which is especially important to consider with the continued growth of interconnectedness risk across the industry.
Ana: What are the next steps around this effort?
Stephen: The next steps are going to be socialization, firms leading by example, and advocating for market participants to adopt this profile within their individual sectors. Each sector has a different risk profile designed to attract certain investors based on unique characteristics. FSSCC seeks to help establish the standard for how cybersecurity practices are measured within each sector. For firms that have already adopted NIST, updating to FSSCC should be straightforward since the FSSCC profile builds upon the former NIST framework.
Firms should also engage with regulators to gain their buy-in to introduce a common cybersecurity framework across jurisdictions. While the NIST and FSSCC effort was started in the US, a common global regulatory framework will allow organizations under multiple regulations to streamline their processes and enhance their programs. There is already a lot of industry interest and engagement around this, and regulatory engagement is critical.
Ana: Ultimately, how will this effort – and other efforts to standardize this space – benefit regulators and the industry?
Stephen: The bottom line is that standardization is a good thing. It doesn’t limit regulators’ ability to ask for information but adds a common framework for how this communication can take place. This also doesn’t need to be a “big bang” approach. Changes can be incremental and introduced over time. Standardization is ultimately beneficial for regulators and the industry because it will enable all of us to evolve to meet the pressing demand of cybersecurity in the most effective and efficient way possible.