Since the GDPR mandate took effect, cybersecurity has remained a top-of-mind concern for organizations handling personal data. The New York State Department of Financial Services (DFS), with its Cybersecurity Regulation, and the State of California, with its Consumer Privacy Act going into effect in 2020, are the tip of the spear in bringing GDPR-style data privacy protection rules to the States.
The NYDFS Cybersecurity Regulation, which preliminarily went into effect in February 2018, was further proof that regulators are continuing to raise the bar, particularly for financial institutions. Rather than simply stating that a cybersecurity risk assessment is required, the reporting requirements of the NYDFS Cybersecurity Regulation go one step further: the risk assessment must be sufficient to inform the design and maintenance of the cybersecurity program.
Since the guidance in the Cybersecurity Regulation is not overly prescriptive, the onus falls on each financial institution to answer the question: does my current risk assessment (for most organizations, a heat map) allow my organization to sufficiently address critical objectives such as:
- Identification, measurement and prioritization of the risks that are most important to business operations
- Cost-effective comparisons of risk remediation options, including proactive responses to said risks
- Effective communication of the posture of the cyber risk program to the Board and Senior Management who must sign off on the annual certification of compliance that is informed by the risk assessment
Rachel Slabotsky is a Manager with the RiskLens Professional Services team.
Organizations are using the RiskLens platform, which operationalizes the FAIR™ (Factor Analysis of Information Risk) model, to look beyond the minimum compliance requirements and address the objectives above in a more meaningful way: measuring and communicating cyber risk in financial terms.
While risk quantification is not yet a requirement under these standards, regulators are heading in that direction. The US federal banking regulators (Federal Reserve, OCC, FDIC) recognized FAIR as a known model for cyber risk quantification in their Advance Notice of Proposed Rulemaking on Enhanced Cyber Risk Management Standards, and a recent whitepaper from the Richmond Fed called out risk quantification with FAIR as a goal that financial institutions should work toward.
Below is an example of how a Fortune 500 Financial Institution effectively leveraged FAIR and RiskLens as the backbone to inform the design of their cybersecurity program to satisfy the reporting requirements of the NYDFS Cybersecurity Regulation and also improve their reporting to the Board.
Objective: Identify, measure and prioritize the risks that are most important to business operations
To quantify risk effectively, the FAIR model requires scenarios to be defined consistently in terms of an asset, a threat and a loss effect. The organization applied this approach by identifying its most critical assets, the most likely threat actors, and the most probable and/or impactful ways in which a loss would materialize. To avoid the temptation of analysis paralysis, the team stayed grounded in the objective at hand: informing the design of the cybersecurity program.
Once the most probable and impactful scenarios were identified, a small team of FAIR analysts and IT leaders with deep knowledge of the business triaged and prioritized the list. This exercise was completed over the course of a two-day Top Risk Identification Workshop using the Triage function of the RiskLens platform, led by experienced consultants from the RiskLens Professional Services team.
Once triaged, the top 20 scenarios were fully quantified in the RiskLens Cyber Risk Quantification (CRQ) platform. Figure 1 compares the top scenarios, each shown as a range of probable annualized loss outcomes (only the top 8 are shown, for readability):
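To show what "a range of probable outcomes" per scenario means in practice, the following is an added, self-contained example that is not code from the original article or from the RiskLens platform. It implements the core of FAIR-style quantification with the standard library only: each scenario is an asset/threat/loss-effect description with two calibrated min/most-likely/max estimates, Loss Event Frequency (events per year) and Loss Magnitude (dollars per event). A Monte Carlo run samples the frequency from a PERT distribution (an assumed, commonly used choice for calibrated ranges), draws a Poisson number of events for the year, sums the sampled loss of each event, and reports percentiles of annualized loss so scenarios can be ranked and compared in dollars. The three scenarios and all their numbers are constructed for illustration and do not come from the page or any real assessment.

```python
"""FAIR-style Monte Carlo quantification of cyber risk scenarios (illustrative, stdlib only)."""
import math
import random
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Estimate:
    """Calibrated min / most-likely / max estimate elicited from subject-matter experts."""
    low: float
    mode: float
    high: float


@dataclass(frozen=True)
class Scenario:
    """One FAIR scenario (asset / threat / loss effect) with its two calibrated inputs."""
    name: str
    lef: Estimate        # Loss Event Frequency: loss events per year
    magnitude: Estimate  # Loss Magnitude: dollars per event (primary + secondary loss)


def pert_sample(rng, est, shape=4.0):
    """Draw from a PERT (scaled Beta) distribution on [low, high] peaked at mode.
    PERT is an assumption here; FAIR itself only requires calibrated ranges."""
    span = est.high - est.low
    if span <= 0:
        return est.low
    alpha = 1.0 + shape * (est.mode - est.low) / span
    beta = 1.0 + shape * (est.high - est.mode) / span
    return est.low + rng.betavariate(alpha, beta) * span


def poisson_sample(rng, rate):
    """Number of loss events in one year for an annual rate (Knuth's method; fine for rates < ~50)."""
    limit = math.exp(-rate)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= limit:
            return count
        count += 1


def simulate_annual_loss(scenario, iterations=10_000, seed=0):
    """Return one simulated annualized loss (dollars) per iteration; seeded for reproducibility."""
    rng = random.Random(seed)
    annual = []
    for _ in range(iterations):
        lef = pert_sample(rng, scenario.lef)             # how often this loss event happens per year
        events = poisson_sample(rng, lef)                # how many times it happened in this simulated year
        annual.append(sum(pert_sample(rng, scenario.magnitude) for _ in range(events)))
    return annual


def percentile(values, pct):
    """Nearest-rank percentile of a list of numbers (0 <= pct <= 100)."""
    ordered = sorted(values)
    return ordered[round((len(ordered) - 1) * pct / 100)]


def summarize(scenario, iterations=10_000, seed=0):
    """Range of probable annualized loss for one scenario, as a board-level summary."""
    losses = simulate_annual_loss(scenario, iterations, seed)
    return {
        "name": scenario.name,
        "p10": percentile(losses, 10),
        "p50": percentile(losses, 50),
        "p90": percentile(losses, 90),
        "mean": mean(losses),
        "p_loss_year": sum(1 for x in losses if x > 0) / len(losses),  # chance of at least one event in a year
    }


def rank_scenarios(scenarios, iterations=10_000, seed=0):
    """Rank scenarios by 90th-percentile annualized loss, highest first."""
    return sorted((summarize(s, iterations, seed) for s in scenarios),
                  key=lambda s: s["p90"], reverse=True)


# Constructed sample scenarios: illustrative numbers only, not from the article or any real assessment.
SAMPLE_SCENARIOS = [
    Scenario("Customer PII database / external attacker / confidentiality breach",
             lef=Estimate(1.0, 3.0, 6.0), magnitude=Estimate(1_000_000, 3_000_000, 8_000_000)),
    Scenario("Wire transfer system / insider / fraudulent transaction",
             lef=Estimate(0.05, 0.2, 0.5), magnitude=Estimate(50_000, 200_000, 600_000)),
    Scenario("Online banking portal / DDoS / availability outage",
             lef=Estimate(2.0, 5.0, 12.0), magnitude=Estimate(20_000, 80_000, 300_000)),
]

if __name__ == "__main__":
    for row in rank_scenarios(SAMPLE_SCENARIOS):
        print(f'{row["name"]:<70} p10=${row["p10"]:>12,.0f}  p50=${row["p50"]:>12,.0f}  '
              f'p90=${row["p90"]:>12,.0f}  P(loss in a year)={row["p_loss_year"]:.0%}')
```

The ranking key matters: a low-frequency, high-magnitude scenario can have a median annualized loss of zero yet a large 90th percentile, which is exactly the kind of "reasonable likelihood of material harm" a heat map flattens into a single color. Reporting p10/p50/p90 alongside the probability of any loss in a year keeps that distinction visible to the Board.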
Figure 1: Top Risks
- Clear measurement of loss events that carry a "reasonable likelihood" of causing material harm
- Prioritization of mitigation efforts
- Justification of additional security investments and controls – including specific types of encryption
- Ability to communicate the impact that cyber risk has on business outcomes in a language that the business can understand, i.e., dollars and cents