Swimming in Cybersecurity Alphabet Soup
Posted on 06/12/2019 at 09:10 AM by John Lande
Well-intentioned organizations trying to implement cybersecurity best practices can quickly become discouraged by the ocean of rules, guidance, and standards. The National Institute of Standards and Technology (“NIST”), the Federal Financial Institutions Examination Council (“FFIEC”), the National Association of Insurance Commissioners (“NAIC”), and the New York Department of Financial Services (“NYDFS”), to name a few, all have cybersecurity rules and guidance. While many of the recommendations and requirements in this alphabet soup of agencies overlap, implementation can still be daunting.
The NIST framework is comprehensive and detailed. The FFIEC provides a useful assessment tool for financial institutions, and it maps its recommendations to the NIST framework. The NAIC model law, which this blog recently discussed in relation to the NYDFS regulation, requires organizations to conduct a risk assessment, but leaves it up to the organization to select the tool.
In October 2018, the Financial Services Sector Coordinating Council (“FSSCC”) published a synthesis of these standards into a single assessment tool. The tool is an attempt to bring harmony to what are often similar standards that use slightly different language.
The tool helpfully distinguishes between different tiers of financial institutions. Tier 1 institutions are those whose disruption would have a national (or broader) impact; these are critical infrastructure, and the tier applies to the largest financial institutions in the country. Tier 2 institutions have the ability to cause a substantial national financial issue, but are not large enough to be deemed critical. Tier 3 institutions have a high degree of interconnectedness with certain sectors. Finally, tier 4 institutions have fewer than 1 million customers. Most community banks will be tier 4 institutions.
Based on the institution’s tier, the assessment tool tailors its questions and results to the institution’s needs. This provides institutions with a useful pre-exam assessment to help identify areas that might be of concern to regulators, as well as possible deficiencies in the organization’s cybersecurity preparedness. Even non-financial institutions can benefit from use of the FSSCC tool, because it is mapped to the NIST framework.
With the dizzying array of cybersecurity recommendations and standards available, many organizations fall victim to a “check the box” mentality to satisfy a regulator or meet a standard. However, cybersecurity depends on organizations doing an analysis of their specific risk profile, and tailoring their cybersecurity defenses accordingly. Finding a workable assessment tool that makes sense for a particular organization can go a long way toward helping that organization reduce the risk of a cybersecurity incident. That, after all, is the real goal of cybersecurity planning.
Categories: Cybersecurity Law, John Lande