Trust and Technology: What it Takes to Manage Cyber Compliance in Finance
Cybersecurity and cyber compliance are highly discussed topics — and for good reason.
According to the IBM Cost of a Data Breach Report, the average cost per breach in 2023 was a staggering $4.45 million. The costs of these breaches have significantly increased in the last few years and are predicted to continue to accelerate in the years ahead. Regulatory bodies have taken decisive action to bolster cyber compliance measures in response to these escalating risks. Firms must adopt cyber compliance measures to maintain security, reduce risks, and support business growth before the proposed rules are finalized and enforced.
Why this matters
Every organization and its stakeholders are vulnerable to cyber intrusions, which can have repercussions that extend beyond financial losses. New regulations are being reviewed, and as organizations navigate this complex and evolving landscape, the need for a robust cyber compliance solution becomes increasingly apparent.
Smarsh hosted a recent Compliance Week webinar, Trust and Technology: Cyber Compliance in Finance, where our experts dug into the frighteningly important area of concern: how do firms ensure cyber compliance?
Jonathan Evans, Lead of Cyber Compliance, and Wiley Asher, Cyber SME, faced this question head-on, covering cybersecurity models, cyber threats, and what organizations should be doing now to fortify their cyber compliance.
Below are some of the highlights from the webinar.
Cybersecurity Maturity Model Certification (CMMC)
If you’re unfamiliar or need a refresher, CMMC was developed by the Department of Defense. It emphasizes the importance of human elements in cybersecurity and the need for comprehensive preparation, categorization, and selection of controls. “[CMMC] promotes a culture of cybersecurity,” said Asher. “Everyone needs to be involved in this, in fact, not just within a firm to keep out the bad guys, but across firms.”
The CMMC follows the larger NIST Cybersecurity Framework (CSF), which is a seven-step process for transforming your cyber risk management:
- Prepare: Take a good, honest look at your organization and risk management then document what steps you're going to take and how you'll go about it.
- Categorize: This could also be thought of as “tiering” because you’ll need to not only categorize the different risks and offenders your organization faces, but you’ll also need to order them based on threat level.
- Select: Define the controls you will put into play. Then, put those controls into play by assessing how they are working.
- Implement: Put those new controls into play and put them to the test.
- Assess: Now that you’ve tested these controls, determine how they’ve worked and if they’ve done a sufficient job or not.
- Authorize: Grant authorization of these controls to the necessary personnel and document who those individuals are.
- Monitor: Once everything is fully set into motion, keep watching how it works out.
In their discussion, Evans and Asher highlighted the circular nature of the NIST risk management paradigm and the crucial role of leadership in maintaining preparedness for potential breaches.
“Once you get done after the entire seven-step process,” said Asher, “you're going to do it again because this constantly needs to be kept up to date.”
Evans and Asher also emphasized the importance of practicing and being well-prepared for cybersecurity challenges. Evans gave a quick breakdown of the ‘prepare’ step of the NIST framework, noting the four key components are users, devices, network, and third-party risk.
“In terms of your resources,” says Evans, “understand those four components are really what you're looking for, and what you need to prepare in terms of having controls in place beforehand.”
Vendor cybersecurity: Managing third-party risk
Third-party risk was another crucial topic discussed. Evans and Asher emphasized the importance of managing third-party risks in today's business environment, particularly in the context of remote work and outsourcing.
Evans laid out what organizations need to do from a third-party risk point of view, highlighting four steps:
- Tier: Identify and classify every third-party provider that a company works with, determining the amount of risk attached to each provider, and allocating resources for risk management in accordance with the results.
- Due diligence: Risks posed by each third-party relationship are thoroughly evaluated, and due diligence conducted to make sure the third party is reliable and complies with the organization's security requirements.
- Risk mitigation: Risk mitigation includes understanding who in the organization will maintain relationships with third-party vendors, inserting proper service level agreements to protect your organization, and ensuring continued adherence to current agreements.
- Remediation: Incident response plans are crucial should an event occur. The procedures should outline actions for locating and controlling the event, alerting stakeholders, and carrying out a post-incident evaluation to find areas for improvement.
Cybersecurity and compliance: Financial crimes and cyber rules
Given the evolving nature, increasing frequency, and mounting sophistication of cybersecurity attacks — as well as the potential for harm to investors, firms, and the markets — cybersecurity practices are a key focus for firms and regulators. For example, the SEC proposed Rule 10 to mitigate increasing cybersecurity risks faced by financial firms, and while that rule is still in review, it's only a matter of time before it's enforced and future rules follow.
“The most important piece,” said Evans, “is that you have somebody accountable within your organization concerning that cybercrime, [that's] number one. Number two is that you are prepared to report an incident within four days should it happen.”
Evans and Asher offered insights into managing cyber compliance in the modern regulatory landscape. They insisted that organizations focus their cyber compliance efforts in a few key areas, including:
- Bolstering reporting: There are reporting requirements and guidelines for handling cybersecurity breaches, including the need for non-rewritable, non-erasable archiving of communications for legal purposes.
- Studying the SEC Rules: The SEC rules encompass identity theft, privacy, and financial information, with an emphasis on supervisory control and accountability for message supervision.
- Preparing for enforcement: With upcoming new rules being considered for adoption, organizations need to proactively decide and act on cybersecurity measures.
Asher also touched on the challenges of regulatory ambiguity and the necessity for organizations to have experts in-house or outsourced who speak the regulatory language, as well as having clear cybersecurity protocols in place and adhering to them.
Smarsh makes cyber compliance easy — today and in the future
Modern organizations need a comprehensive approach to cyber compliance that enables continuous monitoring of cybersecurity risks from a single vendor. The Smarsh Cyber Compliance platform provides a unique, holistic cyber risk score for devices, networks, and users, allowing you to identify and address cybersecurity gaps effectively.
The Smarsh Cyber Compliance platform offers a powerful, all-encompassing approach to cyber compliance from a single vendor, covering:
- Endpoint cyber posture monitoring and remediation for devices
- Phishing training and security awareness
- Compliance behavior assessments for users
- Continuous network vulnerability scanning and reporting
- Comprehensive vendor due diligence including third-party risk data and OFAC sanctioning reports
By leveraging the Smarsh Cyber Compliance solution, organizations can ensure the highest level of organizational security while reinforcing compliance initiatives. Don't hesitate to start a conversation with one of our experts today to secure your organization with the Smarsh Cyber Compliance platform.