Security program models for banks: Financial Cybersecurity Program - Leverage a Risk-Based Threat Model

Cybersecurity is the most critical and immediate concern for banks, their customers, and the wider financial system. Financial institutions face a daily barrage of cyberattacks that can cause the loss of data, assets, and confidence, and as digital banking expands they are increasingly exposed. Still, many have no effective plan to respond. Incident rates are soaring. Despite the growing threat and increasing pressure from regulators to confront it, many banks have failed to engage cyber risk effectively, often treating it as a secondary concern.

What makes VerSprite different from other security partners? Savvy financial institutions are now moving beyond this paradigm and employing a modern approach to cybersecurity—the Zero Trust model. Let us build a tailored engagement for you. Microsoft also offers a complete teamwork and productivity solution. A smart security stack, supported by machine learning to improve its mechanisms over time, should be deployed to integrate the bank's security controls and platforms. Machine learning also helps reduce noise by distinguishing between real alerts and false positives. Microsoft helps simplify the management of security in a modern Zero Trust architecture, leveraging the visibility, scale, and security intelligence necessary to combat cybercrime.

Defending a Target Rich Industry

Once it is determined that an IDS is necessary to detect possible security breaches, several factors should be considered in evaluating IDSs, including the comprehensiveness of the attack signature database and the frequency of updates that incorporate newly identified concerns. Web applications rarely use cryptographic functions properly to protect data and credentials, and attackers can manipulate exposed object references to access other objects without authorization. A bank's information security program should consider these control factors in assessing overall risk on an ongoing basis.

That analysis creates a risk score that banks can use to decide whether an ongoing transaction is fraudulent and trigger an alert.

  • Institutions using the Internet or other computer networks are exposed to various categories of risk that could result in the possibility of financial loss and reputational harm.
  • The guidance attached to this bulletin continues to apply to federal savings associations.
  • This bulletin reminds national banks and their technology service providers that application security is an important component of their information security program.
  • Pursuant to section 3 of the Bank Protection Act of 12 U.

To truly be effective, a cybersecurity program must continually evolve and improve. To measure and improve, cybersecurity organizations need to adopt a cybersecurity maturity model. A cybersecurity maturity model provides a framework for measuring the maturity of a security program and guidance on how to reach the next level. There are several cybersecurity maturity models from which to choose. Which model you choose is not nearly as important as actually choosing one and using it.

The C2M2 was developed by the U.S. Department of Energy for use by power and utility companies. However, any organization can use it to measure the maturity of its cybersecurity capabilities. The model consists of 10 domains and provides a measurement for each one, allowing organizations to identify areas of weakness and strength. However, it does denote a progression expressed as "tiers." You measure your organization in the various domains covered to determine your level of maturity.

Therefore, these frameworks are subjective. There will be next steps, including improving your measurements and metrics. Whichever framework you choose, your organization should build a program around it that will have meaning to you. Most importantly, a cybersecurity maturity model provides a path forward and enables your organization to periodically assess where it is along that path.

This can be a valuable tool not only for improving your cybersecurity efforts but also for communicating with upper management and getting the support you need. Opinions expressed are those of the author.

Jason Christopher.

Detection measures may be enhanced by the use of intrusion detection systems (IDSs) that act as a burglar alarm, alerting the bank or service provider to potential external break-ins or internal misuse of the system(s) being monitored.

Another key area involves preparing a response program to handle suspected intrusions and system misuse once they are detected. Institutions should have an effective incident response program outlined in a security policy that prioritizes incidents, discusses appropriate responses to incidents, and establishes reporting requirements.

The appendix provides a detailed discussion on prevention (vulnerability assessment tools and penetration analyses), detection (IDS tools), and response measures. Before implementing some or all of these measures, an institution should perform an information security risk assessment. Depending on the risk assessment, certain risk assessment tools and practices discussed in this paper may be appropriate.

However, use of these measures should not result in decreased emphasis on information security or the need for human expertise. A thorough and proactive risk assessment is the first step in establishing a sound security program. This is the ongoing process of evaluating threats and vulnerabilities, and establishing an appropriate risk management program to mitigate potential monetary losses and harm to an institution's reputation.

Threats have the potential to harm an institution, while vulnerabilities are weaknesses that can be exploited. The extent of the information security program should be commensurate with the degree of risk associated with the institution's systems, networks, and information assets. For example, compared to an information-only Web site, institutions offering transactional Internet banking activities are exposed to greater risks.

Further, real-time funds transfers generally pose greater risks than delayed or batch-processed transactions because the items are processed immediately. The extent to which an institution contracts with third-party vendors will also affect the nature of the risk assessment program.

Performing the Risk Assessment and Determining Vulnerabilities. Performing a sound risk assessment is critical to establishing an effective information security program. The risk assessment provides a framework for establishing policy guidelines and identifying the risk assessment tools and practices that may be appropriate for an institution.

Banks still should have a written information security policy, sound security policy guidelines, and well-designed system architecture, as well as provide for physical security, employee education, and testing, as part of an effective program. When institutions contract with third-party providers for information system services, they should have a sound oversight program.

At a minimum, the security-related clauses of a written contract should define the responsibilities of both parties with respect to data confidentiality, system security, and notification procedures in the event of data or system compromise. The institution needs to conduct a sufficient analysis of the provider's security program, including how the provider uses available risk assessment tools and practices.

Institutions also should obtain copies of independent penetration tests run against the provider's system. When assessing information security products, management should be aware that many products offer a combination of risk assessment features, and can cover single or multiple operating systems. Several organizations provide independent assessments and certifications of the adequacy of computer security products (e.g., ...). While the underlying product may be certified, banks should realize that the manner in which the products are configured and ultimately used is an integral part of the products' effectiveness.

If relying on the certification, banks should understand the certification process used by the organization certifying the security product. Other examples of items to consider in the risk assessment process include: Identifying mission-critical information systems, and determining the effectiveness of current information security programs. For example, a vulnerability might involve critical systems that are not reasonably isolated from the Internet and external access via modem.

Having up-to-date inventory listings of hardware and software, as well as system topologies, is important in this process. Assessing the importance and sensitivity of information, and the likelihood of outside break-ins (e.g., ...). For example, if a large depositor list were made public, that disclosure could expose the bank to reputational risk and the potential loss of deposits.

Further, the institution could be harmed if human resource data (e.g., ...) were compromised. Assessing the risks posed by electronic connections with business partners. The other entity may have poor access controls that could potentially lead to an indirect compromise of the bank's system. Another example involves vendors that may be allowed to access the bank's system without proper security safeguards, such as firewalls.

This could result in open access to critical information that the vendor may have "no need to know." For example, if hackers successfully access a bank's system and use it to subsequently attack others, the bank may be liable for damages incurred by the party that is attacked.

Potential Threats To Consider. Serious hackers, interested computer novices, dishonest vendors or competitors, disgruntled current or former employees, organized crime, or even agents of espionage pose a potential threat to an institution's computer security.

The Internet provides a wealth of information to banks and hackers alike on known security flaws in hardware and software. Using almost any search engine, average Internet users can quickly find information describing how to break into various systems by exploiting known security flaws and software bugs.

Hackers also may breach security by misusing vulnerability assessment tools to probe network systems, then exploiting any identified weaknesses to gain unauthorized access to a system. Internal misuse of information systems remains an ever-present security threat. Many break-ins or insider misuses of information occur due to poor security programs. Hackers often exploit well-known weaknesses and security defects in operating systems that have not been appropriately addressed by the institution.

Inadequate maintenance and improper system design may also allow hackers to exploit a security system. New security risks arise from evolving attack methods or newly detected holes and bugs in existing software and hardware. Also, new risks may be introduced as systems are altered or upgraded, or through the improper setup of available security-related tools.

An institution needs to stay abreast of new security threats and vulnerabilities. It is equally important to keep up to date on the latest security patches and version upgrades that are available to fix security flaws and bugs. Information security and relevant vendor Web sites contain much of this information. Systems can be vulnerable to a variety of threats, including the misuse or theft of passwords. Hackers may use password cracking programs to figure out poorly selected passwords. The passwords may then be used to access other parts of the system.

By monitoring network traffic, unauthorized users can easily steal unencrypted passwords. The theft of passwords is more difficult if they are encrypted. Employees or hackers may also attempt to compromise system administrator access (root access), tamper with critical files, read confidential e-mail, or initiate unauthorized e-mails or transactions.
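The two password threats named above, poorly selected passwords that a cracking program can guess and stored or transmitted passwords that can be read outright, are usually countered together: a password policy at enrolment and a salted, slow hash in storage (the modern form of what the paper calls "encrypted" passwords). The following is an added illustration, not code from the OCC paper or any bank's system; the denylist, the 12-character minimum and the PBKDF2 work factor are assumptions chosen for the example.

```python
import hashlib
import hmac
import os

# Constructed denylist of commonly chosen passwords (a real deployment would use a
# large breached-password corpus; these entries are illustrative only).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1", "summer2024"}
MIN_LENGTH = 12            # assumption: policy minimum used by this example
PBKDF2_ROUNDS = 600_000    # assumption: PBKDF2-HMAC-SHA256 work factor for this example


def is_weak(password: str) -> bool:
    """True if the password is too short or appears on the denylist.

    Trailing digits and punctuation are stripped before the denylist lookup so
    that 'Password1!' is still recognised as the dictionary word 'password'.
    """
    if len(password) < MIN_LENGTH:
        return True
    stem = password.lower().rstrip("0123456789!@#$%^&*.-_")
    return password.lower() in COMMON_PASSWORDS or stem in COMMON_PASSWORDS


def hash_password(password: str, salt: bytes = None) -> str:
    """Return a self-describing record: algorithm$rounds$salt$digest (all hex).

    A fresh random salt per user means identical passwords produce different
    records, so a stolen table cannot be attacked with one precomputed list.
    """
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and rounds; compare in constant time."""
    try:
        algo, rounds, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(rounds)
    )
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def enrol(store: dict, username: str, password: str) -> bool:
    """Reject weak passwords at enrolment; otherwise store only the salted hash."""
    if is_weak(password):
        return False
    store[username] = hash_password(password)
    return True


if __name__ == "__main__":
    credentials = {}                      # constructed in-memory credential store
    print(enrol(credentials, "teller01", "Summer2024!"))        # rejected: short + dictionary
    print(enrol(credentials, "teller01", "Ledger-Vault-Teller-7"))
    print(verify_password("Ledger-Vault-Teller-7", credentials["teller01"]))
```

Note that nothing in the stored record lets a reader recover the password; an attacker who obtains the table must run the same slow function for every guess, which is exactly the cost the work factor is there to impose.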

Hackers may use "social engineering," a scheme using social techniques to obtain technical information required to access a system. A hacker may claim to be someone authorized to access the system such as an employee or a certain vendor or contractor. The hacker may then attempt to get a real employee to reveal user names or passwords, or even set up new computer accounts. Another threat involves the practice of "war dialing," in which hackers use a program that automatically dials telephone numbers and searches for modem lines that bypass network firewalls and other security measures.

A few other common forms of system attack include: Denial of service (system failure), which is any action preventing a system from operating as intended. It may be the unauthorized destruction, modification, or delay of service. For example, in a "SYN Flood" attack, a system can be flooded with requests to establish a connection, leaving the system with more open connections than it can support.

Then, legitimate users of the system being attacked are not allowed to connect until the open connections are closed or can time out. Internet Protocol (IP) spoofing, which allows an intruder via the Internet to effectively impersonate a local system's IP address in an attempt to gain access to that system.
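The SYN flood symptom described above, a backlog of half-open connections that crowds out legitimate clients, is visible in a server's own connection table, which is one of the signals an IDS or a periodic host check can watch. The following detector is an added example, not part of the OCC paper: it parses a constructed snapshot laid out like `netstat -nt` output (the addresses and counts are invented for the illustration) and flags any local endpoint whose half-open backlog exceeds an assumed threshold, reporting how many distinct sources contribute, since a flood typically arrives from many addresses at once.

```python
from collections import defaultdict

# Constructed snapshot of a server's TCP connection table in the column layout of
# `netstat -nt`: proto, recv-q, send-q, local address, remote address, state.
# Not captured from a real host; eight half-open connections sit on port 443.
SAMPLE_NETSTAT = """\
tcp 0 0 10.0.0.5:443 198.51.100.7:51822 ESTABLISHED
tcp 0 0 10.0.0.5:443 198.51.100.8:51911 ESTABLISHED
tcp 0 0 10.0.0.5:443 203.0.113.11:40001 SYN_RECV
tcp 0 0 10.0.0.5:443 203.0.113.12:40002 SYN_RECV
tcp 0 0 10.0.0.5:443 203.0.113.13:40003 SYN_RECV
tcp 0 0 10.0.0.5:443 203.0.113.14:40004 SYN_RECV
tcp 0 0 10.0.0.5:443 203.0.113.15:40005 SYN_RECV
tcp 0 0 10.0.0.5:443 203.0.113.16:40006 SYN_RECV
tcp 0 0 10.0.0.5:443 203.0.113.17:40007 SYN_RECV
tcp 0 0 10.0.0.5:443 203.0.113.18:40008 SYN_RECV
tcp 0 0 10.0.0.5:22 192.0.2.4:60122 ESTABLISHED
tcp 0 0 10.0.0.5:22 192.0.2.9:60130 SYN_RECV
"""

HALF_OPEN_STATE = "SYN_RECV"   # the state a listener holds after SYN, before the final ACK


def parse_netstat(text: str):
    """Yield (local, remote, state) tuples; skip headers and non-TCP rows."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] != "tcp":
            continue
        rows.append((parts[3], parts[4], parts[5]))
    return rows


def half_open_summary(rows):
    """Per local endpoint: half-open count, established count, distinct half-open sources."""
    summary = defaultdict(lambda: {"half_open": 0, "established": 0, "sources": set()})
    for local, remote, state in rows:
        entry = summary[local]
        if state == HALF_OPEN_STATE:
            entry["half_open"] += 1
            entry["sources"].add(remote.rsplit(":", 1)[0])   # strip the remote port
        elif state == "ESTABLISHED":
            entry["established"] += 1
    return summary


def detect_syn_flood(rows, max_half_open: int = 5):
    """Return the endpoints whose half-open backlog exceeds max_half_open.

    The threshold is an assumption for this example; in practice it is set from
    the listener's configured backlog and the host's normal baseline.
    """
    alerts = {}
    for local, entry in half_open_summary(rows).items():
        if entry["half_open"] > max_half_open:
            alerts[local] = {
                "half_open": entry["half_open"],
                "established": entry["established"],
                "distinct_sources": len(entry["sources"]),
            }
    return alerts


if __name__ == "__main__":
    for endpoint, detail in detect_syn_flood(parse_netstat(SAMPLE_NETSTAT)).items():
        print(f"ALERT {endpoint}: {detail['half_open']} half-open from "
              f"{detail['distinct_sources']} sources, {detail['established']} established")
```

On the constructed snapshot only port 443 trips the alert; port 22 has a single half-open connection, which is the ordinary transient state of a client mid-handshake. The `distinct_sources` figure is what distinguishes a flood from one misbehaving client, and it is the field an analyst would use to decide between blocking a source and enabling SYN cookies or tightening the listen backlog on the host.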

If other local systems perform session authentication based on a connection's IP address, those systems may misinterpret incoming connections from the intruder as originating from a local trusted host and not require a password. Trojan horses, which are programs that contain additional hidden functions that usually allow malicious or unintended activities.

A Trojan horse program generally performs unintended functions that may include replacing programs, or collecting, falsifying, or destroying data.

Trojan horses can be attached to e-mails and may create a "back door" that allows unrestricted access to a system. The programs may automatically exclude logging and other information that would allow the intruder to be traced. Viruses, which are computer programs that may be embedded in other code and can self-replicate.

Once active, they may take unwanted and unexpected actions that can result in either nondestructive or destructive outcomes in the host computer programs. The virus program may also move into multiple platforms, data files, or devices on a system and spread through multiple systems in a network. Virus programs may be contained in an e-mail attachment and become active when the attachment is opened. It is important for financial institutions to develop and implement appropriate information security programs.

Whether systems are maintained in-house or by third-party vendors, appropriate security controls and risk management techniques must be employed. A security program includes effective security policies and system architecture, which may be supported by the risk assessment tools and practices discussed in this guidance paper and appendix.

Information security threats and vulnerabilities, as well as their countermeasures, will continue to evolve. As such, institutions should have a proactive risk assessment process that identifies emerging threats and vulnerabilities to information systems. A sound information security policy identifies prevention, detection, and response measures.

The appendix provides more details on risk assessment tools and practices that may be used to improve information security programs. Preventive measures may include regularly using vulnerability assessment tools and conducting periodic penetration analyses. Intrusion detection tools can be effective in detecting potential intrusions or system misuse.

Institutions should also develop a response program to effectively handle any information security breaches that may occur. When used regularly, both techniques can be integral components of an institution's information security program.

Vulnerability assessment tools, also called security scanning tools, assess the security of network or host systems and report system vulnerabilities. These tools can scan networks, servers, firewalls, routers, and applications for vulnerabilities. Generally, the tools can detect known security flaws or bugs in software and hardware, determine if the systems are susceptible to known attacks and exploits, and search for system vulnerabilities such as settings contrary to established security policies.

In evaluating a vulnerability assessment tool, management should consider how frequently the tool is updated to include the detection of any new weaknesses such as security flaws and bugs. If there is a time delay before a system patch is made available to correct an identified weakness, mitigating controls may be needed until the system patch is issued.

Generally, vulnerability assessment tools are not run in real-time, but they are commonly run on a periodic basis. When using the tools, it is important to ensure that the results from the scan are secure and only provided to authorized parties. The tools can generate both technical and management reports, including text, charts, and graphs. The vulnerability assessment reports can tell a user what weaknesses exist and how to fix them.

Some tools can automatically fix vulnerabilities after detection. As in intrusion detection systems, which are discussed later in this appendix, there are generally two types of vulnerability assessment tools: host-based and network-based. Another category is sometimes used for products that assess vulnerabilities of specific applications (application-based) on a host. A host is generally a single computer or workstation that can be connected to a computer network. Host-based tools assess the vulnerabilities of specific hosts.

They usually reside on servers, but can be placed on specific desktop computers, routers, or even firewalls. Network-based vulnerability assessment tools generally reside on the network, specifically analyzing the network to determine if it is vulnerable to known attacks. Both host- and network-based products offer valuable features, and the risk assessment process should help an institution determine which is best for its needs.

Information systems personnel should understand the types of tools available, how they operate, where they are located, and the output generated from the tools. Host-based vulnerability assessment tools are effective at identifying security risks that result from internal misuse or hackers using a compromised system. They can detect. The tools may also provide a periodic check to confirm that various security policies are being followed. For instance, they can check user permissions to access files and directories, and identify files and directories without ownership.
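The two host-based policy checks just named, file and directory permissions and entries without a valid owner, are simple enough to show end to end. The walker below is an added example written for this page, not the output or logic of any commercial scanning tool; it assumes a Unix-like host whose account databases are readable through the `pwd` and `grp` modules, and it builds its own small sample tree (one correctly restricted file and one world-writable file) so that it runs without touching real system directories.

```python
import os
import stat
import tempfile

try:
    import grp
    import pwd   # Unix account databases; assumption: the audited host is Unix-like
except ImportError:  # pragma: no cover
    grp = pwd = None


def known_accounts():
    """Return (uids, gids) that currently exist in the local account databases."""
    if pwd is None:
        return set(), set()
    return {p.pw_uid for p in pwd.getpwall()}, {g.gr_gid for g in grp.getgrall()}


def classify_entry(mode, uid, gid, known_uids, known_gids):
    """Policy findings for one directory entry, given its st_mode and ownership.

    An entry owned by a uid or gid with no account behind it is 'unowned'; it
    typically survives from a deleted account and is worth reassigning.
    """
    findings = []
    if uid not in known_uids:
        findings.append("unowned-uid")
    if gid not in known_gids:
        findings.append("unowned-gid")
    # World-writable is a finding unless it is a sticky directory such as /tmp.
    if mode & stat.S_IWOTH and not (stat.S_ISDIR(mode) and mode & stat.S_ISVTX):
        findings.append("world-writable")
    if stat.S_ISREG(mode) and mode & (stat.S_ISUID | stat.S_ISGID):
        findings.append("setuid-or-setgid")
    return findings


def audit_tree(root, known_uids=None, known_gids=None):
    """Walk root and return sorted (relative path, finding) pairs."""
    if known_uids is None or known_gids is None:
        uids, gids = known_accounts()
        known_uids = uids if known_uids is None else known_uids
        known_gids = gids if known_gids is None else known_gids
    results = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)   # lstat: do not follow symlinks into other trees
            for finding in classify_entry(st.st_mode, st.st_uid, st.st_gid,
                                          known_uids, known_gids):
                results.append((os.path.relpath(path, root), finding))
    return sorted(results)


def build_sample_tree():
    """Constructed sample tree: one restricted file, one world-writable file."""
    root = tempfile.mkdtemp(prefix="permaudit-")
    good = os.path.join(root, "config.ini")
    bad = os.path.join(root, "shared", "notes.txt")
    os.makedirs(os.path.dirname(bad))
    for path in (good, bad):
        with open(path, "w") as fh:
            fh.write("sample\n")
    os.chmod(os.path.dirname(bad), 0o755)
    os.chmod(good, 0o640)
    os.chmod(bad, 0o666)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for rel_path, finding in audit_tree(sample_root):
        print(f"{finding:18} {rel_path}")
```

The check is deliberately split so that `classify_entry` can be exercised against any (mode, uid, gid) triple without needing a file with that ownership on disk, which is also how one would unit-test the policy before scheduling the walker against a production host.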

Network-based vulnerability assessment tools are more effective than host-based at detecting network attacks such as denial of service and Internet Protocol (IP) spoofing.

Network tools can detect unauthorized systems on a network or insecure connections to business partners. Running a host-based scan does not consume network overhead, but can consume processing time and available storage on the host.

Conversely, frequently running a network-based scan as part of daily operations increases network traffic during the scan. This may cause inadvertent network problems such as router crashes. After the initial risk assessment is completed, management may determine that a penetration analysis test should be conducted.

For the purpose of this paper, "penetration analysis" is broadly defined. Bank management should determine the scope and objectives of the analysis. The scope can range from a specific test of a particular information system's security or a review of multiple information security processes in an institution. A penetration analysis usually involves a team of experts who identify an information system's vulnerability to a series of attacks. The evaluators may attempt to circumvent the security features of a system by exploiting the identified vulnerabilities.

Similar to running vulnerability scanning tools, the objective of a penetration analysis is to locate system vulnerabilities so that appropriate corrective steps can be taken. The analysis can apply to any institution with a network, but becomes more important if system access is allowed via an external connection such as the Internet. The analysis should be independent and may be conducted by a trusted third party, qualified internal audit team, or a combination of both.

The information security policy should address the frequency and scope of the analysis. In determining the scope of the analysis, items to consider include internal vs. A penetration analysis is a snapshot of the security at a point in time and does not provide a complete guaranty that the system(s) being tested is secure. It can test the effectiveness of security controls and preparedness measures. Depending on the scope of the analysis, the evaluators may work under the same constraints applied to ordinary internal or external users.

Conversely, the evaluators may use all system design and implementation documentation. It is common for the evaluators to be given just the IP address of the. The evaluators may use vulnerability assessment tools, and employ some of the attack methods discussed in this paper such as social engineering and war dialing. After completing the agreed-upon analysis, the evaluators should provide the institution a detailed written report. The report should identify vulnerabilities, prioritize weaknesses, and provide recommendations for corrective action.

A penetration analysis itself can introduce new risks to an institution; therefore, several items should be considered before having an analysis completed, including the following: If using outside testers, the reputation of the firm or consultants hired.

The evaluators will assess the weaknesses in the bank's information security system. As such, the confidentiality of results and bank data is crucial. Just like screening potential employees prior to their hire, banks should carefully screen firms, consultants, and subcontractors who are entrusted with access to sensitive data.

The information security program also should include training for bank staff and regular testing of the key controls, systems, and procedures. To ensure objectivity, tests should be conducted or reviewed by third parties or staff who are independent of those who develop or maintain the security programs.

Oversee Service Provider Arrangements.

Banks also have an obligation to oversee their service providers. Banks that use service providers should exercise appropriate due diligence in selecting them, including conducting a review of the measures taken by the service providers to protect customer information. The contract between the bank and the service provider must require the provider to implement appropriate measures designed to meet the objectives of the guidelines. As part of this monitoring, a bank should review audits, summaries of test results, or other equivalent evaluations of its service providers.

Adjust the Program.

Risks to customer information change over time with changes in technology, the sensitivity of customer information, internal or external threats to information, and the bank's own business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to customer information systems.

Therefore, banks should monitor, evaluate, and adjust, as appropriate, their information security program. The OCC expects banks to make the appropriate changes to their information security programs before any bank-initiated changes are made to their customer information systems, such as changes to accommodate new services.

Implement the Guidelines.

The guidelines are effective on July 1, However, there is a two-year grandfathering provision for service provider contracts.

Existing service provider contracts (namely, contracts entered into until March 5, do not have to be renegotiated to comply with the Guidelines until July 1, Insurance entities may be subject to security regulations issued by their respective state insurance authorities.

The most secure banks have ramped up their ability to detect and respond to attacks, but the majority require a strategic rethink. That means taking cybersecurity out of its IT silo and treating it as equal to risks such as credit, counterparty, and compliance. A new operating model is required, alongside strategic investment in talent, new technologies, and reformed ways of working throughout the organization. The task is complex, but the prize is valuable: a secure banking system for the digital age.

The vast majority of attacks go unreported, but numerous banks have been hit in the past year. One of the most notorious recent incidents saw hackers take tens of millions of dollars from a central bank payment system. Threats vary in style and intent.

Distributed denial of service and payment system attacks are common, but attackers can also route through suppliers or seek to gain some advantage by taking private data hostage. More than 1, of these ransomware attacks were detected every day in Equal amounts of damage can be inflicted by disgruntled employees who publish confidential data on social media; likewise, damage can be accidentally self-inflicted, as a result of lost laptops or IT failures, for example.

Estimates of annual losses across the industry run to the tens of billions of dollars. The impacts of cybersecurity incidents go beyond the immediate loss of money or data.

Clients and financial markets can quickly lose confidence, and the costs associated with repairing the damage and communicating with stakeholders are significant. In addition, the many digital touchpoints between financial institutions mean that contagion effects cannot be discounted, adding a systemic element to the risks banks face.

Banks must respond to cybersecurity risk not only to protect their businesses but also to meet regulatory requirements and industry standards. Nearly three-quarters of jurisdictions worldwide are planning new cybersecurity regulations, guidance, or supervisory practices for the financial sector within the next year, according to the Financial Stability Board.

Among global examples, the ISO27k series of standards, published jointly by the International Organization for Standardization and the International Electrotechnical Commission, provide best practices for information security management systems. They comprise recommendations regarding the processes, documents, technology, and people needed to manage, audit, and improve information security.

Implementation requires board-level leadership and coordination. National authorities are also taking action. For example, the German banking supervisor BaFin in late published detailed banking supervisory requirements for domestic IT systems that focus on information security, including for outsourced products and services.

The increasing number and complexity of cyberattacks, alongside growing regulatory pressure, highlight the need for financial institutions to strengthen information security and cyber resilience.

However, many are ill-equipped to respond to the challenge, in part because they have historically underestimated the risks. Their lack of preparedness has resulted in seven key weaknesses. Banks often lack a defined process for assessing cyber risk, or they approach the exercise from back to front. The ideal starting point is to make a comprehensive inventory of data, applications, and networks and infrastructure. This can inform the next step, which is to specify the criticality of individual data sets.

Banks must use the information they garner on data to determine where they are most exposed. At this stage, they often make the mistake of prioritizing applications and infrastructure, skipping the crucial first data step. Without a structured approach, banks can fail to gain a comprehensive picture. The other commonly missing piece of the puzzle is an understanding of threats and how these might manifest for example, through unpatched vulnerabilities on phones.

Banks often rely entirely on newsletters and updates from security vendors to stay up to date, rather than performing an ongoing independent investigation into where they may be most vulnerable. Failure to Prioritize Cybersecurity. Banks often fail to make cybersecurity a core element of the decision-making process in managing key IT assets.

Often this is evidenced by the peripheral role of chief information security officers (CISOs), who may be disconnected from IT product development, digitization efforts, and operations. Banks tend to lack protocols for CISOs to assess concepts or provide feedback that would hardwire information and IT security awareness into the design or purchasing process. Too often they are out of the loop on board-level decisions and the proceedings of risk committees, or they are hobbled by a lack of adequate human or financial resources.

Focus on Prevention Over Detection and Response. Financial institutions habitually focus on preventing cyberattackers from entering their systems, which is useful in protecting against untargeted attacks but insufficient to secure the organization from determined assailants. The uncomfortable reality is that attackers are gaining entry with relative ease and are usually able to sit undetected in bank systems for long periods—an average of days, according to one study.

Given the practical impossibility of impermeability, the state of the art in information security has moved toward detection and response.

Failure to Hire Talent

Financial institutions often fail to attract and retain enough people with the knowledge necessary to tackle threats and sustain operational capabilities.

In a recent study, a German industry group focused on IT found that the number of unfilled positions in Germany rose from about 6, in to about 9, in , a deficit the group predicted would widen. Adding to the staffing challenge facing financial institutions: the younger, more dynamic cohort associated with the cyber and IT community no longer sees finance as a natural career choice.

Weak Third-Party Management

Banks are increasingly turning to outsourcing to acquire and manage IT assets and control costs. The security of services provided by outsourced contracts, including cloud hosting, remains the responsibility of the bank. However, many banks do not know how their IT partners work and few have in place systems and protocols for oversight and monitoring.

Banks do not have the resources to police every vendor they work with or to monitor external vulnerabilities and networks.

Lack of a Security-Aware Culture

Many banks lack a culture in which the institution as a whole (including risk owners, risk managers, and audit) takes responsibility for reducing information security risk, encouraging collaboration, and building systemic resilience. Often information security is the sole responsibility of the CISO, and there is insufficient leadership, awareness, and expertise at the board level.

Banks commonly fail to provide their staffs with role models, training, tools, or incentives.

Operational Stress

Operational shortfalls can include weak knowledge resources, a lack of codified processes to manage incidents (resulting in heterogeneous responses), and insufficient technology to monitor, log, and react to suspicious activity.

A common problem is an inability to integrate technology and human capabilities. The result is operational inefficiency, more risk, and a lack of the resources needed to bounce back from a major incident. Banks should also create a threat profile, comprising a view of activities by industry, product, and geography, that aims to align threats with day-to-day operations and areas of specialization.

If, for example, a bank has a strong payments franchise, it can focus its cybersecurity expertise on that activity. Banks should then conduct a threat-hunting exercise, in which they seek to identify attackers by, for example, scanning the dark web or by using sensors in internal systems. There is little value in an approach geared to isolated incidents or regulatory findings.

Instead, banks must holistically rethink their organizational capabilities. That means instituting a dedicated operating model and providing CISOs and executives with a framework for information security risk management.

See Exhibit 2. The central goal of the new operating model should be the ability to reliably prevent attacks, detect intruders, implement a response, and carry out a recovery plan that includes communicating with stakeholders. In addition, the model must inform daily operational capabilities so that cyber risk is managed through a single strategic and operational approach. It is also crucial for banks to take cybersecurity out of its IT silo, treating it as equal to other key risks and making it subject to similar levels of analysis, modeling, and management.

The model should address strategy, governance and organization, risk management, risk architecture, and culture.

Risk Strategy

Banks must start by defining the risks they face, establishing a taxonomy tailored to their business activities, assets, and risk profile. Executives should be able to quantify how much risk the bank can tolerate in view of its key assets.

Governance and Organization

Banks should erect governance frameworks for the management of information risk across the three lines of defense: risk owners (business lines and IT), risk management (including the CISO and risk committees), and internal audit. The organizational model should reflect the crucial role and responsibilities of the CISO, who must have sufficient power to represent information security issues across business lines and decision-making hierarchies.

Given the difficulty of obtaining and retaining talent and operational capabilities, banks must balance employee training and development against the likelihood that internal capabilities will be insufficient in the short term. External advisors and vendors can be useful in keeping banks informed of the evolving threat landscape and in day-to-day monitoring, but banks need to be smart about marrying them to internal teams and work toward long-term self-sufficiency.

Risk Management

Banks should conduct regular assessments of regulatory requirements across jurisdictions and ensure that these are reflected in their own policies, procedures, and guidelines. They should implement monitoring processes in order to be kept up to date. Risk assessment—mapping key IT assets to threats—is crucial. Banks must evaluate their internal controls and make a risk treatment decision; there are four choices: accept the risk (do nothing), mitigate it, avoid it (close the relevant business or system), or transfer the risk through insurance.

From an operational perspective, risk management requires the ability to detect and observe intruders, usually by analyzing system sensors and databases. One approach is to identify anomalies in log-in data—for example, a system user appearing to log in while on vacation or at other unusual times. The bank must have a regularly rehearsed response-and-recovery plan ready when an intruder is detected or some other breach occurs, even something as minor as a lost laptop.
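One way to implement the log-in anomaly check described above, as an added example that is not part of the original article; the log line format, the per-user baseline of usual hours and vacation windows, and the sample lines are all constructed assumptions:

```python
"""Flag anomalous log-ins from a constructed sample of authentication log lines.

Added example, not from the article. Assumes lines of the form
"<ISO timestamp> user=<name> result=<success|failure>" and a hand-built
baseline per user; both are constructed for illustration.
"""
from datetime import datetime, date

# Constructed sample log lines (not real data).
SAMPLE_LOG = """\
2024-03-04T08:55:12 user=alice result=success
2024-03-04T17:30:44 user=alice result=success
2024-03-05T02:17:03 user=alice result=success
2024-03-12T09:03:51 user=bob result=success
2024-03-13T23:48:20 user=bob result=failure
"""

# Constructed baseline: usual log-in window (start hour inclusive, end hour
# exclusive) and vacation periods. In practice the hours would be learned
# from historical data and the vacations taken from the HR leave calendar.
BASELINE = {
    "alice": {"hours": (7, 20), "vacation": []},
    "bob":   {"hours": (8, 19), "vacation": [(date(2024, 3, 11), date(2024, 3, 15))]},
}

def parse_line(line):
    """Parse one log line into (timestamp, user, result)."""
    ts_text, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts_text), kv["user"], kv["result"]

def find_anomalies(log_text, baseline):
    """Return (user, timestamp, reason) for log-ins outside the user's usual
    hours or inside a vacation window. Failed attempts are checked too, and a
    user with no baseline is reported because that is a finding in itself."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, _result = parse_line(line)
        profile = baseline.get(user)
        if profile is None:
            findings.append((user, ts, "no baseline for user"))
            continue
        start, end = profile["hours"]
        if not (start <= ts.hour < end):
            findings.append((user, ts, "outside usual hours"))
        for vac_start, vac_end in profile["vacation"]:
            if vac_start <= ts.date() <= vac_end:
                findings.append((user, ts, "log-in during vacation"))
    return findings

if __name__ == "__main__":
    for user, ts, reason in find_anomalies(SAMPLE_LOG, BASELINE):
        print(f"{ts.isoformat()} {user}: {reason}")
```

On the sample above the check reports alice's 02:17 log-in, bob's log-in during his recorded leave, and bob's late-night failed attempt on both counts.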

There should be an accompanying communication strategy, both internal and external (including for regulators). In the recovery phase, forensic examination of the incident is key to reinforcing defenses. In relation to outsourced IT contracts, banks must put in place governance and protocols for oversight and monitoring, which may be automated. Contracts should be reviewed and aligned with the new operating model.

Risk Architecture

CISOs should trigger implementation programs—guiding IT teams to harden systems, for example, by requiring more complex passwords that must be renewed more often—and make standards an integral part of application development.

One imperative is to ensure that risk policies are understood by stakeholders and are properly incorporated into systems. Regulatory compliance and processes should also be monitored. Banks should also embrace the sharing of information on threats and incidents, both internally and with peers and third parties.
