In today’s business environment, cyber threats are constantly evolving, and financial institutions are among the most highly targeted industries. Financial institutions are considered part of the critical national infrastructure, and protecting NPI (non-public information) and financial transactions is a high priority for banks and credit unions as they strive to address ransomware, account takeovers, mobile banking exploitation, and other cybercrimes.
The role of the Information Security Officer (ISO) is an important strategic IT and business role with a high level of visibility, responsibility, and associated accountability. The Information Security Officer is required to interact with the IT steering committee, board of directors, auditors, examiners, and others to provide periodic status updates on the institution’s information security program. To date, we have identified 7 distinct areas of responsibility for the ISO, consisting of 35 individual metrics requiring reporting and documentation.
Qualities for this role include leadership skills, political influence, thorough knowledge and understanding of regulatory requirements, the ability to work with internal management and third parties, and an in-depth understanding of the organization’s technology infrastructure and operations. This is a tall order for any organization, much less a community financial institution that may lack individuals with the expected qualifications, bandwidth, and experience. The vast majority of community financial institutions do not have dedicated ISOs, but instead add the title (and associated responsibility and accountability) to someone who may already wear multiple hats.
To assist those taking on the role of an ISO at a community financial institution, we’ve provided five areas of focus for success:
- Ensure the Protection of Information
The ISO’s primary responsibility is to safeguard the security and confidentiality of nonpublic information (NPI) as well as the institution’s financial transactions. In doing so, the ISO must lead efforts to ensure that adequate, risk-based administrative, technical, and physical controls are in place. Information assets encompass everything from hard copies archived in a file cabinet, to information stored in a computer system, to data being transmitted over the internet (including remote deposit capture and mobile banking transactions).
- Understand Key Regulations and Requirements for Compliance
The ISO must adhere to the Gramm-Leach-Bliley Act (GLBA), which is also known as the Financial Modernization Act of 1999. The GLBA, which requires financial institutions to explain how they share and protect their customers’ private information, provides a strong framework for information security. So does the Federal Financial Institutions Examination Council (FFIEC). The FFIEC is a five-member agency responsible for establishing consistent guidelines and uniform practices and principles for financial institutions. They have published, and periodically update, 12 handbooks for information security requirements and best practices. The ISO must understand the regulatory expectations of both GLBA and FFIEC.
- Be Proficient in Cybersecurity and the Cyber Assessment Tool (CAT)
Cybersecurity, according to the FFIEC, is the evolving process for protecting consumer and bank information by preventing, detecting, and responding to attacks. The FFIEC outlines specific cybersecurity standards within the CAT, which is designed to help institutions determine their cyber risks and control maturity levels. Although financial institutions are not required to use the CAT to conduct their annual cyber assessment, they are expected to annually assess their cyber posture and report that status to the Board. Since the CAT is the de facto standard for cybersecurity measurement, it is the most common methodology. ISOs must also be familiar with the FFIEC IT Examination Handbook and cybersecurity standards, which cover business continuity planning, IT/information security policies, audit, incident response planning, and other important topics.
- Perform Duties Beyond Overseeing and Coordinating Proactive Security Efforts
Since no environment is ever 100% secure all the time, the ISO is also responsible for responding to attempted/actual cyber-attacks in a timely manner, which may include potential involvement in legal proceedings; interacting with the cyber insurance coverage carrier; accountability for commercially reasonable security controls; strategic planning for internal infrastructure change; growth/acquisition; overall IT/cyber risk appetite; risk assessments for new technology; and customer-facing online banking services.
- Review Periodic Tasks That Include Effective Systems Management and Security
The institution’s ISO needs to have visibility into, and accountability for, existing technology-driven security measures, including implementing approved software, anti-malware efforts, software patches, encryption, and multi-factor authentication to prevent unauthorized access to information. The ISO should also ensure the financial institution has adequate intrusion detection and intrusion prevention systems in place; review backup failures; and evaluate activities for high-risk online banking customers (ACH/wires).
Cybersecurity is a constant challenge for financial institutions, especially smaller banks and credit unions with limited resources. Because of the ever-expanding expectations for the role, institutions often struggle with hiring and retaining individuals with the extensive expertise needed to fill the ISO’s shoes. However, financial institutions that require assistance are increasingly turning to trusted third-party providers to ensure that information security requirements are properly addressed on a periodic basis.