The financial services industry faces the dual challenge of being highly targeted by threat actors and highly regulated. Compliance is not security, but security should be the foundation of a financial institution’s compliance program. While protecting customer data and passing IT audits are usually top-of-mind in this industry, financial reporting compliance requirements also incorporate cybersecurity. The threat is concrete: in 2018, two malware campaigns stole more than $1 billion over five years across 100 financial institutions located in more than forty countries. Incorporating Attack Surface Management (ASM) technologies is one easy step you can proactively take to strengthen your security and make life easier for your auditors.
In Finance, Compliance is Complicated
The financial services industry faces a complex compliance landscape consisting of diverse regulations with competing penalty structures and different legal mandates.
At a high level, financial institutions need to comply with the following types of laws across international, federal, and state levels:
- IT and security
- Financial reporting
Depending on your institution’s charter, structure, and customer base, you may need to comply with international laws, like the General Data Protection Regulation (GDPR) or unique state laws like the New York Department of Financial Services (NY DFS) Cybersecurity Regulation.
Additionally, you likely need to meet financial reporting requirements like the Sarbanes-Oxley Act (SOX) and protect cardholder data according to the Payment Card Industry Data Security Standard (PCI DSS).
Penalties for compliance violations differ from those in other industries, but they can be stiff. Under PCI DSS, organizations may be fined, and non-compliance can disrupt business operations. Severe violations could lead to a Memorandum of Understanding (MoU) that requires you to resolve issues and subjects you to additional audits in the future. Failure to resolve these issues can lead to suspension of operations.
Proactive Documentation Can Make Audits Less of a Headache
No one likes being audited. Audits require time-consuming data collection and documentation, and they often lead to more work, but they are an essential part of any security program. When it comes to meeting your auditor’s expectations, there are two things you need to do: 1. you need to be doing the work, and 2. you need to prove that the work you did followed internal processes and that leadership was engaged. If it’s not documented, you can’t get credit.
Traditional approaches to compliance relied on static practices, but by adopting more proactive solutions, such as ASM, you can reduce the work associated with an audit by continuously documenting your work. Because today’s environments are dynamic, policies, procedures, and daily activities can no longer be static; more proactive and continuous approaches are needed.
Consider the following issues:
- Adding new applications expands the attack surface
- Internet-facing IT assets change regularly leading to a lack of visibility
- High volumes of alerts overwhelm security teams
- Vulnerabilities may not all be equally exploitable
If your organization is relying on static processes and security tools to respond to these changing threats, you are putting yourself at compliance risk. Lacking the people, processes, and technologies to evolve your cybersecurity program adequately is not an acceptable response to the SEC and FTC, which are increasingly tightening their expectations around cybersecurity.
Playing to the Test – Best Practices for Security Professionals
The FFIEC “Information Security Booklet” provides guidance to examiners conducting regulatory audits, suggesting ways to evaluate a financial institution’s security program in the context of its overall risk.
By taking the lead from regulators, you can establish information security programs that align with auditor goals.
Manage the Information Security Program
Under Section II, financial institutions should have in place a program that continuously:
- Identifies risk
- Measures risk
- Mitigates risk
This includes the discovery of internet-facing assets that can be difficult to manage.
Establish Security Operations Processes
Under Section III, financial institutions should have a security operations process in place that:
- Identifies and assesses threats
- Monitors threats
- Identifies and assesses incidents
- Establishes incident response processes
For appropriate detection, investigation, and response processes, security teams need to reduce alert fatigue so that they can prioritize activities based on considerations like:
- How easily a cybercriminal can exploit a vulnerability
- Whether enterprises commonly use a technology
- Amount of research needed to exploit the vulnerability
Measure Security Program Effectiveness
Under Section IV, financial institutions need to test and measure their security program’s effectiveness through:
- Penetration tests
- Vulnerability assessments
- Independent third-party audits
To measure effectiveness appropriately, financial institutions need benchmarks and metrics that help them demonstrate:
- Asset discovery
- Risk-based vulnerability management
- Ability to factor business value and workflow into risk decisions
- Time it takes the team to communicate and respond to new threats
Using Attack Surface Management to Achieve Better Audit Outcomes
ASM provides the automation needed to streamline managing a financial institution’s internet-exposed footprint. Combined with asset management and Security Information and Event Management (SIEM) tools, ASM automates discovery so that financial services organizations can gain the needed visibility and documentation that ensure successful audits. The risk-based management capabilities include external assessments and impact scoring that enable more effective security operations and provide metrics for assessing security program effectiveness.
Randori continuously monitors the external attack surface, looking for unexpected changes, so financial services companies can uncover blind spots, misconfigurations, and process failures. This enables real-time attack surface monitoring, vulnerability intelligence, and risk management capabilities. There is never anything to install: Randori runs fully in the cloud, and nothing lives on your systems.
The Randori dashboard gives financial institutions a single source of information showing the number of high-priority targets, so they can quickly view their complete external attack surface. Constantly updated as new assets are discovered, the dashboard enables continuous monitoring of the external attack surface. This reduces the incidence of shadow IT and brings greater visibility into the true risk of a security incident.
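To make the two ideas above concrete, the continuous-discovery documentation described here and the three prioritisation criteria from the security operations section (exploit ease, how common the technology is, research effort), the following is an added example written for this article, not Randori code and not a published formula: it diffs two constructed snapshots of an external footprint, ranks the newly discovered assets, and emits the kind of audit record an examiner would ask to see. The asset names, the 1–5 rating scale and the scoring weights are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Asset:
    host: str
    port: int
    service: str

def priority_score(ease: int, prevalence: int, research: int) -> int:
    """Rank a finding on the three criteria named in the text.
    All inputs are 1..5; 'research' is the effort an attacker needs, so a
    low value raises the score. Weights are an assumption for illustration."""
    for v in (ease, prevalence, research):
        if not 1 <= v <= 5:
            raise ValueError("ratings must be on a 1-5 scale")
    return ease * 3 + prevalence * 2 + (6 - research)

def diff_snapshots(previous, current):
    """Compare two discovery runs; anything new or gone is a candidate
    shadow-IT or process-failure signal worth a documented review."""
    prev, cur = set(previous), set(current)
    key = lambda a: (a.host, a.port)
    return sorted(cur - prev, key=key), sorted(prev - cur, key=key)

def audit_record(run_id, previous, current, ratings, owner, now=None):
    """Produce the evidence an auditor asks for: what changed, how it was
    prioritised, who reviewed it and when (the 'if it’s not documented' rule)."""
    new, removed = diff_snapshots(previous, current)
    ranked = sorted(((priority_score(*ratings[a]), a) for a in new if a in ratings),
                    key=lambda t: t[0], reverse=True)
    ts = (now or datetime.now(timezone.utc)).isoformat()
    fmt = lambda a: f"{a.host}:{a.port}/{a.service}"
    return {"run_id": run_id, "reviewed_by": owner, "timestamp": ts,
            "new_assets": [fmt(a) for a in new],
            "removed_assets": [fmt(a) for a in removed],
            "priority_order": [f"{a.host}:{a.port}" for _, a in ranked]}

# Constructed sample data: two daily snapshots of an external footprint.
YESTERDAY = [Asset("www.example.test", 443, "https"),
             Asset("vpn.example.test", 443, "sslvpn")]
TODAY = [Asset("www.example.test", 443, "https"),
         Asset("dev-api.example.test", 8080, "http"),   # unannounced
         Asset("files.example.test", 21, "ftp")]        # unannounced
# (ease, prevalence, research) ratings assigned by the reviewing analyst.
RATINGS = {Asset("dev-api.example.test", 8080, "http"): (3, 4, 3),
           Asset("files.example.test", 21, "ftp"): (5, 2, 1)}

if __name__ == "__main__":
    import json
    print(json.dumps(audit_record("run-0001", YESTERDAY, TODAY, RATINGS, "secops"), indent=2))
```

Running it shows the exposed FTP host ranked ahead of the dev API and the disappeared VPN endpoint flagged for follow-up, with the reviewer and timestamp recorded alongside.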
By keeping a close eye on their attack surface, organizations can reduce overall risk. Not only will this help to perform well on compliance audits, but it will keep them resilient against future attacks.