In response to the Coronavirus pandemic, many financial institutions have implemented new technologies and made modifications to their IT infrastructure to better serve customers, members, and employees during this time. These changes may have increased the institution’s inherent risk profile, however, making it necessary to review the Federal Financial Institution Examination Council’s (FFIEC) Cybersecurity Assessment Tool (CAT) or National Credit Union Association’s Automated Cybersecurity Examination Tool (ACET). When adjustments are made to the organization, community banks, and credit unions must evaluate their risks and perform a gap analysis to ensure the institution is protected from cyber threats.
What is a Cybersecurity Gap Analysis?
A cybersecurity gap analysis starts evaluating the results of the CAT or ACET, (which is simply a snapshot in time of where you are with your risks (inherent risk profile) and controls (cybersecurity maturity) and then comparing “where your institution is” to “where you need to be.” In almost every case, there is some degree of misalignment between the two. Some common questions financial institutions ask are “Could we be doing more to oversee our cloud providers?” or “Should we be doing more to manage our internal administrators or third parties?” The idea of the gap analysis is to take your risk areas and determine what set of controls are most effective against those specific risk areas.
Completing the Cybersecurity Maturity section, for example, helps financial institutions better identify missing controls and processes. So, in order to increase the level of cybersecurity maturity, institutions should continually implement changes even if their inherent risk profile doesn’t change. Conducting a gap analysis is the first step in this process.
Why should institutions strive to continuously improve their security posture even if their risk profile doesn’t increase? Simply put, because the threat environment is constantly evolving. New threats (and new twists on old threats) require constant vigilance and continuous improvements to existing controls. Standing still means you’re probably falling behind. On the other hand, making steady, incremental progress on your control maturity demonstrates a proactive, forward-thinking approach to cybersecurity.
Key Areas of Focus
First, financial institutions must determine if their controls and risks align – no small task as there are roughly 30 risk elements and nearly 500 control maturity elements in the assessment. Attempting to improve all of these areas in the CAT can be challenging and expensive for any institution, but especially smaller community banks and credit unions. While all control maturity domains are important, if your financial institution has limited resources, there are two key domains that you should focus your attention on when developing the gap analysis.
- Domain 4: External Dependency Management
This domain involves establishing and maintaining a comprehensive program to oversee and manage external connections and third-party relationships that provide access to the institution’s technology and information. Most financial institutions have a host of outsourced relationships that they rely on to keep operations running. Evaluating the interdependencies and associated security gaps from third-party vendors should be a key part of your analysis process.
- Domain 5: Cyber Incident Management and Resilience
This domain focuses on establishing, identifying, and analyzing cyber events, as well as the ability to prioritize, contain, and mitigate during cyber events. The institution should also have the ability to properly inform the appropriate stakeholders in response to a cyber event. Cyber resilience includes both planning and testing to maintain and recover ongoing operations during — and following — a cyber incident. In the current security environment, it’s not if a cyber event will occur but when. Financial institutions should have an effective cyber incident response plan to control, contain, and recover from a potential cyber incident.
For more information, watch our Banking Bits and Bytes episode, “What is a Cybersecurity Gap Analysis?”