Financial institutions and other organizations face a head-spinning number of information security risks—and the threats are becoming more complex and difficult to detect. In 2020, the FBI’s Internet Crime Complaint Center received a record number of complaints: 791,790, with reported losses exceeding $4.1 billion. The complaints—many of which included sophisticated phishing emails, business email compromise, and ransomware—represented a 69-percent increase in total from 2019, according to the FBI 2020 Internet Crime Report. In almost every case, a financial institution was involved; either as the direct target, a payment intermediary, or the account holder (victims) source of funds.
Importance of Resilience
With IT security, one of the primary goals for financial institutions is to minimize operational risk by limiting downtime; a process also referred to as “resilience”. Formally defined as the “…ability to prepare for and adapt to changing conditions and withstand and recover rapidly from disruptions…”, resilience also includes the ability to withstand and recover from deliberate attacks or naturally occurring disasters.
Resilience extends beyond after-the-fact recovery capabilities to incorporate proactive measures for mitigating the risk of a reasonably anticipated disruptive event in the overall design of operations and processes, including IT infrastructure. Resilience strategies, including maintaining security standards, should extend across the entire business, including outsourced activities. Because of the constantly changing threat environment, banks and credit unions should be regularly refining their security strategies. But it can be challenging for institutions to effectively manage the resources required to create a resilient infrastructure, including the staff, hardware, software, facilities, utilities, and other resources required to support operations. This monumental task encompasses everything from technology and telecommunications infrastructure to the critical dependencies provided by third-party service providers.
With so much complexity, having integrated security controls that coordinate and communicate with each other can make it easier for institutions to detect and prevent an incident before it happens, and to respond and recover afterward. Integration involves blending separate technology and controls into a single system that simplifies the work of short-staffed, time-strapped IT departments. The integration of security technology can ensure that financial institutions have a more manageable—and sustainable—approach to addressing the increasing volume and sophistication of security threats that they encounter.
Compliance and IT Security Integration
Of course, the rationale for integrating security and technology goes beyond the practical need to safeguard an institution’s information, infrastructure, and other assets, as it’s also a matter of compliance.
Information security should be embedded within the institution’s culture, according to the Federal Financial Institution Examination Council (FFIEC), and an institution’s security culture contributes to the effectiveness of its information security program. In fact, the FFIEC IT Handbook’s Information Security booklet indicates that “an institution with a stronger security culture generally integrates information security into new initiatives from the outset and throughout the life cycles of services and applications.”
Financial institutions should have a robust and effective information security program that supports their IT risk management process, according to FFIEC guidelines. Based on the FFIEC IT Handbook’s Information Security booklet, an effective IT program should:
- Identify threats, measure risk, define information security requirements, and implementing control
- Integrate with lines of business and support functions in which risk decisions are made
- Integrate third-party service provider activities with the information security program
Integrating third-parties into your security program is not just accepted by the regulators, it’s expected. According to the FFIEC, “In many situations, outsourcing offers the institution a cost-effective alternative to in-house capabilities…without the various expenses involved in owning the required technology or maintaining the human capital required to deploy and operate it.” However, the FFIEC goes on to recommend that institutions who elect to outsource technology, line of business activities, and support functions, ensure the integration of these activities with their information security program through an effective third-party service provider (vendor) management program. The FFIEC IT Handbook’s Information Security booklet asserts that: “Effective integration of these programs is evident when the institution creates and enforces expectations that align with the internal information security program in such a way that the combined activities of the institution and its third-party service providers result in an acceptable level of risk.”
Security threats will always be a constant challenge, but successfully integrating security and technology within an institution’s banking infrastructure can help institutions win the fight. Safe Systems provides banks and credit unions with an array of compliance-focused IT services to help them improve their overall security posture. Our proven experience, paired with our compliance-focused technology and security solutions, enables financial institutions to significantly strengthen their resilience by seamlessly aligning compliance and security.