The Identity Blog


Financial Institutions to Focus on Greater Cybersecurity

In the wake of perhaps the greatest data breach recorded, it seems the financial services industry needs to up its game and fast.

The guidance issued by the Department of Financial Services (DFS) this month supports DFS’s first-ever cybersecurity regulation, which went into effect earlier this year and requires banks, insurance companies, and other financial services institutions regulated by DFS to establish and maintain a cybersecurity program. The regulation sets, among other protective measures, minimum standards for a cybersecurity program based on the entity’s risk assessment, and for the personnel, training and controls in place to protect data and information systems.

This is only the beginning

Make way for a tighter focus on controls and programs for cybersecurity requirements across the board. The cybersecurity rules proposed require financial institutions to have extensive cybersecurity protections in place. At a high level, regulated financial institutions must:

  1. Establish a Cybersecurity Program
  2. Adopt a Cybersecurity Policy
  3. Designate a CISO
  4. Define policies and procedures related to Third-Parties*

Among these RULES is a series of requirements regarding cybersecurity programs, policies, personnel, risk assessments, training, and even breach reporting within 72 hours.

The rules set minimum standards for financial services companies to ensure that sensitive data, systems, and customers’ personal information are safe from a breach of any kind. While many financial institutions already have cybersecurity and identity and access management programs that meet the minimum standards set by the new rules, most organizations HAVE NOT addressed the threat third parties pose.

The challenge with third parties!

The new rules state that regulated entities must have policies and procedures designed to ensure the security of information systems and nonpublic information accessible to, or held by, third parties. The challenge is that most companies treat third party risk as a compliance check box and a high-level risk mitigation exercise, most of the time pushing liability back onto partners in the event of a breach. This just isn’t good enough. With more than 50% of data breaches occurring as a result of a third party, companies need to address third party IDENTITY risks as well. Companies need to put as much effort, if not more, into managing the lifecycle of third party identities if they are ever going to truly protect the organization.

We recently wrote about how you can’t manage what you can’t see. While employee identities are carefully managed via an HR system and related business processes, too often third party identity management is the “Wild West” consisting of scattered spreadsheets, emails, inconsistent processes and vague lines of ownership.

This is a serious gap because Identity Management is the foundation for Access Management and Governance. Many IAM programs take Identity Management as a given, usually handled by an HR system. Often, third party identities are not even in scope for the initial phase of an IAM program.

If employee identities were managed poorly, it would be a major issue tackled in the first phase of any implementation, even though third parties carry the same or even greater risk than employees. Companies need to take third party risk and identity lifecycle very seriously, and in financial services, with the new rules in place, it is no longer a back burner issue, it is front and center.

In Summary

Companies can no longer wait to put the proper policies and procedures in place to mitigate risk for the organization, and without technology and automation, many of these requirements will fail to be effective. For those companies that have addressed the minimum requirements within their cybersecurity program, odds are pretty good that third party risk and identity lifecycle were put on the back burner. Or worse, overlooked completely.

If your organization utilizes third parties, then in addition to meeting these requirements, you likely need a robust solution to manage third party identities as well as third party access and activity.