The Shared Responsibility Approach for Risk Mitigation
The world is rapidly turning into a tangled web of cybersecurity and privacy regulations. First, the General Data Protection Regulation shook up businesses with EU resident customers by setting high expectations for consumer data privacy, as well as large penalties for companies that didn’t comply. That groundbreaking regulation was followed by a host of US state privacy laws, including the California Consumer Privacy Act, the Nevada Privacy Law, and the New York SHIELD Act. Internationally, over 80 countries and independent territories have now adopted some form of data privacy laws, and even more far-reaching privacy legislation is slated to be passed this year.
The most important issue facing financial institutions’ executives is formulating a shared responsibility approach in mitigating privacy and cybersecurity risk. It is understood that one can have cybersecurity controls without privacy controls, but no one can have privacy controls without cybersecurity controls. For example, this year Equifax announced a data breach that exposed the personal information of 147 million people. The company has agreed to a global settlement with the Federal Trade Commission, the Consumer Financial Protection Bureau, and 50 U.S. states and territories. The settlement includes up to $425 million to help people affected by the data breach. According to BankInfoSecurity, Equifax has also spent nearly $1.4 billion on cleanup costs, as well as overhauling its information security program, which includes implementation of privacy and cybersecurity controls.
The Non-Economies of Scale
Privacy and cybersecurity risk mitigation initiatives are nothing new for financial institutions; however, applying a shared responsibility approach by financial institutions is still a novel idea. There are three reasons for the segmented approach:
Privacy vs. Security: Privacy is not the same as cybersecurity. Like cybersecurity, privacy requires a combination of technology, processes, policies, and people. But while the disciplines are interdependent, they are not interchangeable. For example, a piece of data might be protected, even though the way a firm uses that data violates privacy principles. And many organizations are having a hard time finding a common framework that includes privacy and cybersecurity holistically to address its risk.
Traditional Risk Assessment Methodologies: Continual risk assessments are necessary but driven by rigid regulatory and privacy mandates. With the ever-changing threat environment, a risk assessment is only as good as the last time it was updated. For example, in your last risk assessment did you give enough cybersecurity and privacy credence to a global pandemic that will force you to have an almost 100% remote work force? The traditional risk assessment methodologies do not enable a shared reasonability framework in an expedited manner.
Competing Stakeholder Management: Historically, privacy functions have been nested within security groups that kept the firm out of trouble, but they were sometimes seen by the business as barriers to innovation. And in some cases, we have seen the privacy function aligned with the legal, risk, or compliance team. These siloed approaches have made the shared responsibility between privacy and cybersecurity teams an additional operational burden.
The Shared Responsibility Approach for Financial Institutions
At Guidehouse, we recommend the shared responsibility approach for financial services. Deploy a combined version of the newly released National Institute of Standards and Technology Privacy Framework v1.0 (NISTPF) with the Financial Services Sector Cybersecurity Profile, v1.0 (FSSCP). The five functions of the NISTPF—Identify-P, Govern-P, Control-P, Communicate-P and Protect-P—can be used to manage privacy risks arising from data processing. Protect-P is specifically focused on managing risks associated with cybersecurity-related privacy events (e.g., privacy breaches). Comparatively, the six functions of FSSCP—Identity, Governance, Protect, Detect, Respond, and Recover—although solely focused on cybersecurity risk, do complement the privacy functions in NISTPF via Identity, Governance, and Protect functions.
Even more, FSSCP, which was created for Critical Infrastructure Protection at the US Department of Homeland Security, could also be further modified with supervisory issuances such as Federal Financial Institutions Examination Council (FFIEC)’s Cybersecurity Assessment Tool; the Commodity Futures Trading Commission’s System Safeguards Testing Requirements; the Financial Industry Regulatory Authority’s "Report on Cybersecurity Practices;” the New York State Department of Financial Services’ "23 NYCRR 500: Cybersecurity Requirements for Financial Services Companies;” the Federal Trade Commission’s "Start with Security: A Guide for Business: Lessons Learned from FTC Cases;" the G7’s Fundamental Elements of Cybersecurity for The Financial Sector; the China Banking Regulatory Commission’s "Information Security Survey— 2016;" Singapore’s SAMA "Information Security Survey— 2016;" and other cybersecurity guidance and assessment mandates.
Mapping of NIST Privacy Framework Functions v1.0 (NISTPF) and Financial Security Sector Cybersecurity Profile (FSSCP)
The Net Benefits:
Guidehouse believes by combining NISTPF and FSSCP the following benefits could be achieved:
Boardroom Engagement: For the C-suite and board of directors, privacy and cybersecurity risk are a top concern and supervisors expect financial institutions to track their progress in mitigating identified privacy and cybersecurity gaps. By using this shared responsibility approach, financial institutions can benchmark their programs with the profile’s recommended practices, identify gaps, articulate those gaps to the C-suite and board directors in plain language, discuss appropriate resourcing for mitigation, and track the advancement in mitigation efforts over time.
Efficiencies: The shared responsibility approach promises to reduce the time a financial institution needs to complete a comprehensive assessment by offering a tailored set of diagnostic assessment questions, the diagnostic statements, reflecting the institution’s risk to the broader economy and compliance and regulatory mandates via economies of scale.
Special thanks to contributing author Stephen Singam.