Who Is Ultimately Responsible for Cybersecurity?
By John M. Carbo, Director of Information Security, Abacus Group
In the past, cybersecurity responsibilities at investment firms might have been left to the compliance department. In 2017, the New York Department of Financial Services (DFS) mandated that “senior management must take this issue seriously and be responsible for the organization’s cybersecurity program.” The firm is still responsible when it uses a third-party IT service provider.
In general, the trend is for senior management to be ultimately responsible for the effectiveness of the firm’s cybersecurity program. It is not acceptable to delegate the ownership of this task to junior personnel or interns. The question then becomes: who is the individual qualified to oversee and implement the cybersecurity program? Many times, the de facto choice is the CFO or CCO, which makes sense for small to midsize firms. Regardless of the exact position, the individual tasked with this responsibility needs to be a senior member of the firm with the full support of management.
What does “qualified individual” mean?
There are no exact definitions given of what qualities a qualified individual has, but we can come to some logical conclusions. Firms need to consider their regulatory environment, investor and client requirements for security, the firm’s technology needs, and, most importantly, the data collected and stored. Piecing together this landscape should help identify the individual or individuals who are best equipped to oversee the cybersecurity program. The landscape can be foggy or treacherous, so getting outside help is a great start.
Remember, the firm is ultimately responsible for oversight but can outsource many elements of the cybersecurity program. The qualified individual, with an understanding of the business requirements, regulations and data, will be in a good position to work with cybersecurity professionals who can build the overall program with the firm. The goal of the DFS, cyber regulatory requirements and best practices is to encourage firms to identify and assess cybersecurity risks that threaten the confidentiality, integrity and availability of information systems and data.
Identifying cybersecurity risk should always start with what needs to be protected. Think about the data possessed by the firm, where it resides (in-house or with a third party), and what would happen if it were publicly disclosed. Figuring this out provides context for a cybersecurity risk assessment and helps in determining which risks need to be addressed first. Cybersecurity firms can identify vulnerabilities and risks, but they often do so in a vacuum. With any risk assessment, it is crucial to understand the value of the data before spending time and money to protect it. Providing context to the risk assessment is the job of the firm’s qualified individual.
Unless the qualified individual has the appropriate cybersecurity skillset (and a team), it makes sense to outsource many cybersecurity functions. Not many firms will have an individual skilled in penetration testing. Even if they did, it is beneficial to have an external firm perform the penetration test because it will more closely mimic an attacker. Policy writing is time consuming, and there is no need to reinvent the wheel. Cybersecurity firms will have well-written and compliant policies that can be tailored to fit the firm’s culture. There are many requirements that firms have no choice but to outsource. If the firm’s information technology is provided by a third party, then the firm must oversee many functions rather than perform them. Asset inventory, device management, identity management, disaster recovery and network security are some functions over which the firm has minimal or no direct control. Through service agreements with vendors, the firm can ensure that the vendor is meeting the cybersecurity standards that are required.
Conversely, the firm cannot offload its responsibilities to the vendor. The firm’s cybersecurity program needs to address how the firm authorizes access for its end users, mandates multifactor authentication, classifies the sensitivity of data, tests business continuity and disaster recovery, and responds to incidents. It is important that a firm has its own incident response plan because not all incidents will involve the primary IT provider.
Even if your firm does not fall under the DFS, it is good to move towards this model of creating an effective cybersecurity program: identify the risk landscape and the individual best equipped to work with cybersecurity professionals to formalize the firm’s cybersecurity program.