Back in February 2014, NIST released version 1.0 of its Cybersecurity Framework (CSF), a voluntary, standards-based set of best practices for managing cybersecurity risk, aimed initially at critical infrastructure sectors such as healthcare, government, and financial services.
More recently, the Financial Services Sector Coordinating Council (FSSCC) unveiled its own framework built on the CSF, which NIST was quick to hail as one of the “most detailed Cybersecurity Framework-based, sector regulatory harmonization approaches to-date.”
This enthusiasm is hardly surprising, given that NIST worked closely with the FSSCC in creating the framework. The joint effort can be seen as a much-needed attempt to give the financial sector a more comprehensive approach to cybersecurity.
Why the Financial Sector Needs NIST
This move towards stronger cybersecurity comes in response to a steep rise in cybercrime. One recent report described cybercrime as the fastest-growing form of crime in the world and the biggest threat facing both corporations and ‘mankind’ as a whole.
The financial sector has always operated on a certain level of trust between all parties. Now that the sector relies heavily on technology, that traditional trust between people has shifted to a more nebulous trust in digital systems.
The financial sector is among the most heavily targeted by cybercriminals, and the growing mobile banking sector is a particular focus.
According to a recent threat landscape report, a quarter of all organizations experienced a mobile malware attack in the third quarter of 2018, and the majority of those attacks originated from an app running on a mobile device.
Financial institutions hold a massive amount of personal information and transaction data that is valuable to criminals. Larger institutions may be ahead of the curve with their cybersecurity strategies, but that is not universally true.
Digital technology has created a new wave of smaller fintech companies and a greater interconnection between these smaller companies and the larger traditional players. As a result, a weakness in any one of them can expose the others, and the system as a whole carries a large potential for vulnerabilities.
In 2018, the average cost of a data breach was nearly $4 million, and in the financial sector those costs can run far higher. For example, Equifax has already spent at least $250 million to date on its own data breach. Beyond the direct financial cost of a breach and of the steps taken to correct it, the reputational damage can be impossible to quantify. For a business sector that relies on trust, this is an enormous problem.
How NIST Can Help the Financial Services Sector
A number of other initiatives and frameworks have been introduced to help businesses, and banks in particular, manage their cybersecurity risks. These often contain similar ideas and guidelines, but they lack a common language, which makes it difficult to deliver a standard approach to cybersecurity across organizations.
NIST’s framework offers a de facto standard for businesses countering cybersecurity threats. It is both highly flexible and repeatable, and it offers a number of ways for financial services companies to improve their cyber risk standing by:
- Delivering a common language: NIST gives all organizations a common vocabulary (the five Functions of Identify, Protect, Detect, Respond, and Recover, broken down into Categories and Subcategories) to describe their current cybersecurity posture as a Current Profile, define a Target Profile, and identify where gains and improvements can be made in cybersecurity risk management.
- Providing a common roadmap: Once a Target Profile has been defined, the gap between it and the Current Profile becomes a prioritized action plan, and progress towards the goal is easy to assess.
- Enabling communication: NIST can be used to communicate current cybersecurity risks, and the measures being taken to address them, to internal and external stakeholders.
- Flexibility: This is one of the framework’s great strengths. Its creators recognize that cybersecurity requirements are highly specific to each company. A company’s security needs may depend on factors like:
- The territories in which it conducts business
- How it uses the data it collects
- The mobility of its workforce
- The endpoints plugging into the system
- Legacy technologies
- The blend of on-premises and cloud-based systems.
The framework was built with the different challenges faced by firms in the financial sector in mind, and it complements what has already been established rather than simply replacing it: each Subcategory carries Informative References that map it to existing standards such as ISO/IEC 27001, COBIT, NIST SP 800-53, and the CIS Controls, so existing control sets slot into the framework rather than being discarded. This minimizes disruption and allows organizations to assess their current risk status and improve on it by following NIST’s guidelines.
The rise of trends like bring-your-own-device (BYOD) creates more uncertainty by increasing the number of possibly unsecured devices connecting to central systems. The landscape has grown increasingly complex and fluid, which only adds to the cybersecurity challenge confronting businesses in the financial sector.
Relatable use cases
NIST has been keen to provide as much guidance as possible. The intention is to publish a series of use cases that help businesses implement the framework within their own organizations. This guidance is crucial to keeping implementations consistent across different organizations.
Collaboration is everywhere. To deliver the flexible services customers demand, financial services firms have to work with third parties, which creates a new set of risks. Transferring data between parties inevitably puts that data at risk, and mismatched cybersecurity frameworks between parties can create gaps that attackers exploit. The NIST framework’s focus on third parties, strengthened in version 1.1 by a dedicated Supply Chain Risk Management category under the Identify Function, makes it highly suitable for the financial sector.
The framework reflects a mature understanding of the state of cybersecurity and of the need to reduce administrative burden and complexity. The financial sector is among the most heavily regulated in the world. Its global nature means entities must work with multiple regimes in different territories, such as GDPR in Europe and a host of similar but significantly different data protection and security regulations elsewhere in the world.
NIST can strengthen cybersecurity and improve compliance in a way that complements the various industry-specific extensions built on it. It is one of the most robust approaches in use to date and offers a standardized approach with a key focus on third parties. In a world of digital collaboration and data fluidity, NIST can be a critical tool for the financial services sector.