Six Tips CISOs Should Consider for Stronger Compliance and Risk Mitigation

By Michael Brown and Ricardo Ferreira | February 15, 2023

There is a lot of change happening in the financial services industry. The sector is known for embracing technological innovation to enable new experiences and to power global economies. Yet some regulators worry that the financial industry has reached an inflection point in terms of risk, because of the digitization of financial services institutions (FSIs) and their reliance on digital service providers, who in turn frequently depend on other digital service providers. If one provider fails, other providers could fail as well, causing widespread harm to financial institutions and, as a result, severe hardship in society.

Consequently, regulators are creating new compliance and accurate-reporting requirements and rules, with shorter timeframes for meeting them. This can feel overwhelming, but regulators want FSIs to understand the implications of depending on third-party providers and services.

The Urgency for Cybersecurity Risk Strategies

Some regulators are requiring FSIs to develop “exit strategies” to prevent the domino effect in which one service provider’s collapse leads to further failures and possibly paralyzes a country’s financial industry. For example, regulators in the European Union are granting windows of about 30 days, so FSIs have one month to replace a piece of technology or locate a new cloud provider in the event of a significant incident.

When FSIs are developing exit strategies, cybersecurity must be taken into consideration. Following are suggestions for financial industry CISOs who are attempting to adhere to the new rules while maintaining their digital transformation process.

Six Recommendations for Financial Services CISOs to Mitigate Cyber Risk

1. Find out where you’re at risk: To prioritize the most important and most exposed business processes, FSIs must first identify their essential processes and assign each a risk rating. CISOs need to determine the organization’s risks and vulnerabilities, which requires communication throughout the entire firm.

2. Implement cyber awareness training: To help their firms make up for the global shortage of cybersecurity talent, FSIs must upskill their workforce. Whatever their role, all personnel need cybersecurity awareness training as well as recurring updates on the latest risks and attack techniques.

3. Automation is key: Automation and augmentation are crucial to overcoming the cybersecurity skills gap. AI/ML technologies give teams actionable alerts from a single pane of glass, enabling them to manage and orchestrate the network and security enterprise-wide. This reduces human error as well.

In the past, most banks had their own teams of third-party governance workers who used enormous spreadsheets to inventory all the controls. This manual approach was unwieldy and error-prone. Some financial institutions had to employ vendors and outsource their compliance work, but as more rules are implemented, this strategy is neither manageable nor scalable.

FSIs are facing tighter profit margins and increasing operational costs because of these new regulations. If their data isn’t integrated and their infrastructure isn’t automated, FSIs are unlikely to meet compliance and regulatory requirements.

4. Learn from others: FSIs and their CISOs need to know what’s going on outside their four walls. The DORA regulations in Europe allow information sharing among FSIs to help them learn about the latest indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) going on “in the wild.”

To improve your visibility into the external digital attack surface, consider using a digital risk protection (DRP) solution. Sources such as the dark web can help anticipate future cyberattacks.

5. Use high-level communication: When speaking with business stakeholders, a CIO or CISO needs to use a common language. The business team won’t follow a conversation focused on low-level controls. It is much simpler to have a conversation throughout the business if IT leaders elevate the message and discuss only the company’s risk and protection, threat detection, response, and recovery.

FSIs in both the U.S. and the EU employ a variety of control frameworks, including NIST 800-53, COBIT, and ISO 27001. FSIs frequently develop their own frameworks, which incorporate elements from several of these.

6. Understand pertinent regulations and compliance: It all comes down to laying the proper foundation, one that not only incorporates the technology vision but also builds feedback loops between the stakeholders, those who will be affected by a policy, and those who will be writing it. Many organizations lack this comprehensive perspective and are not laying the right foundations, especially while undergoing rapid digital acceleration. From a business perspective as well as from an IT and security perspective, it is crucial to know the specific requirements you must adhere to.

Preparing Your Risk Strategy

Banks face increasing regulations and compliance requirements as the cyber landscape grows ever more complex. Many nations, including the U.S., consider financial services institutions critical infrastructure, and their collapse would be extremely harmful to their economies. So the expansion of regulations is here to stay for the foreseeable future. In a scenario where one service provider’s failure can create a cascade of failures that cripple a bank, the requested 30-day provider turnaround is understandable but nevertheless hard. Taking action on the six steps recommended above will help CISOs prepare for the requirements and risks they are facing.