The Office of the Superintendent of Financial Institutions (OSFI) published the Cyber Security Self-Assessment Guidance in October 2013, and while the recommendations are intended to help federally regulated financial institutions beef up their cyber security, the guidelines are universal.
“The guidance is a single source of sound questions that institutions of all sizes can use to assess their own cyber-risk exposures and the effectiveness of their systems and processes,” said OSFI spokesperson and senior communications advisor Brock Kruger.
“The intention of the guidance is to create a standard framework for self-assessment that allows each institution the flexibility to enact systems and processes that are most effective and appropriate to their own operations.”
A universal guidance
Though the document was intended to provide federally regulated financial institutions with a framework for building their cyber-security defense and best practices, according to Bradley Freedman, cyber-risk management expert and partner at Borden Ladner Gervais LLP, any Canadian organization with an Internet connection should be paying attention.
“It’s a super helpful checklist, not only for federally regulated institutions, but really organizations of all kinds, to help identify different kinds of risks associated with technology that’s connected to the Internet,” he said. “It can help them identify those issues and assess how those organizations are assessing and responding.”
Breaking down the guidelines
The OSFI Cyber Security Self-Assessment Guidance provides a variety of helpful resources, including assessment tools, checklists and recommendations for best practices.
“Some of these recommendations are quite simple and straightforward,” said Freedman. “A lot of them focus on internal practices and education, because cyber risks are not only from external threats, but a large percentage … result from human error, or mistakes, or oversight or misconduct, which [were] well intentioned but misguided, as opposed to deliberate, malicious internal misconduct.”
Freedman adds that the guidance isn’t intended to guard against any particular type of threat. Instead, it outlines best practices that, when properly followed, significantly reduce the likelihood of a cyber incident. They include guidelines on outsourcing and contractors, cloud computing, bring-your-own-device policies, encryption and password policies, and much more.
“Financial institutions and other institutions can manage those risks through common-sense, low-cost practices and policies,” he said. “There have been a number of reported incidents where lists or databases have been stored in a cloud service unencrypted, for example, where proper procedures for passwords are not used or where computing devices like smartphones or storage devices like thumb drives have been misplaced and those things aren’t encrypted. Those simple things are easy to implement at a relatively low cost.”
The cost of inaction
While many of the guidelines can be followed for little or no cost, Freedman suggests that some institutions have struggled to adopt the more costly recommendations, such as infrastructure upgrades.
“It’s a difficult financial time right now — organizations are trying to cut costs, and the lack of action might not be because management doesn’t understand this issue, but because they’re making choices about priorities,” he said. “All you have to do is read the newspaper and you’ll see large and well-funded organizations experiencing these problems.”
Freedman, however, believes this approach is misguided, as a small investment in cyber-risk management can help protect against a much more costly cyber incident in the future.
“An ounce of prevention is, in most cases, the most cost-effective thing to do,” he said. “The problem is that it still costs money.”
According to a 2014 study by the Center for Strategic and International Studies, cyber crime costs the global economy almost US$445 billion per year.
Maintaining a ‘reasonable standard of care’
While following the guidelines will not provide legal protection in the event of a cyber incident, Freedman says this specific document may be taken into consideration as the court determines a “reasonable standard of care.”
“If an organization is the victim of a cyber incident, and someone looks to sue the organization or the directors or others, the court is going to ask the question: ‘What was an appropriate standard of care?’” he said. “The OSFI guidance and assessment checklists and similar documents will all be part of that factual matrix that’s used by any court to determine the reasonable standard of care required.”
Cyber risk management is not just an IT issue
While cyber-risk management is a significant undertaking that requires a holistic approach, far too many senior leaders consider it an IT issue.
In an international survey of more than 1,000 senior-level IT leaders by the Ponemon Institute, only 34 per cent of respondents said their senior leadership views cyber security as a strategic priority, and only 22 per cent indicated their organization’s security leader briefed the board on cyber security strategy. Furthermore, only 14 per cent of security leaders reported directly to the CEO.
“For many organizations there’s a misperception of the importance of this issue of cyber-risk management, the level of attention it requires and who ought to deal with it,” said Freedman. “The OSFI guidelines, and all the other guidances being issued by similar regulators and industry associations and others, emphasize the point that this issue needs to be elevated to the highest levels.”
A never-ending battle
Cyber-risk management requires a holistic approach, and it should also include an ongoing reassessment of needs and priorities.
“Financial institutions should focus on the effectiveness of their own controls and their focus should be on making sure that these controls are appropriate and updated regularly as risks evolve,” said Kruger.
Though risks and priorities will continue to evolve, the OSFI guidance attempts to provide a foundation to guide organizations in the direction of vigilance, education and best practices.
“Each institution has its own specific exposures. However, the biggest risk for any institution is not knowing their own exposures and not taking appropriate action,” said Kruger. “Applying the Cyber Security Self-Assessment Guidance is a good step in reducing this risk.”