The Shared Responsibility Approach for Risk Mitigation
The world is rapidly turning into a tangled web of cybersecurity and privacy regulations. First, the General Data Protection Regulation shook up businesses with EU resident customers by setting high expectations for consumer data privacy, as well as large penalties for companies that didn’t comply. That groundbreaking regulation was followed by a host of US state privacy laws, including the California Consumer Privacy Act, the Nevada Privacy Law, and the New York SHIELD Act. Internationally, over 80 countries and independent territories have now adopted some form of data privacy laws, and even more far-reaching privacy legislation is slated to be passed this year.
The most important issue facing financial institutions’ executives is formulating a shared responsibility approach to mitigating privacy and cybersecurity risk. It is understood that one can have cybersecurity controls without privacy controls, but no one can have privacy controls without cybersecurity controls. For example, this year Equifax announced a data breach that exposed the personal information of 147 million people. The company has agreed to a global settlement with the Federal Trade Commission, the Consumer Financial Protection Bureau, and 50 U.S. states and territories. The settlement includes up to $425 million to help people affected by the data breach. According to BankInfoSecurity, Equifax has also spent nearly $1.4 billion on cleanup costs and on overhauling its information security program, which includes the implementation of privacy and cybersecurity controls.
Privacy and cybersecurity risk mitigation initiatives are nothing new for financial institutions; however, applying a shared responsibility approach by financial institutions is still a novel idea. There are three reasons for the segmented approach:
At Guidehouse, we recommend the shared responsibility approach for financial services: deploy a combined version of the newly released National Institute of Standards and Technology Privacy Framework v1.0 (NISTPF) with the Financial Services Sector Cybersecurity Profile, v1.0 (FSSCP). The five functions of the NISTPF—Identify-P, Govern-P, Control-P, Communicate-P and Protect-P—can be used to manage privacy risks arising from data processing. Protect-P is specifically focused on managing risks associated with cybersecurity-related privacy events (e.g., privacy breaches). Comparatively, the six functions of FSSCP—Identify, Governance, Protect, Detect, Respond, and Recover—although solely focused on cybersecurity risk, do complement the privacy functions in NISTPF via the Identify, Governance, and Protect functions.
Moreover, FSSCP, which was created for Critical Infrastructure Protection at the US Department of Homeland Security, could also be further modified with supervisory issuances such as the Federal Financial Institutions Examination Council (FFIEC)’s Cybersecurity Assessment Tool; the Commodity Futures Trading Commission’s System Safeguards Testing Requirements; the Financial Industry Regulatory Authority’s “Report on Cybersecurity Practices”; the New York State Department of Financial Services’ “23 NYCRR 500: Cybersecurity Requirements for Financial Services Companies”; the Federal Trade Commission’s “Start with Security: A Guide for Business: Lessons Learned from FTC Cases”; the G7’s Fundamental Elements of Cybersecurity for the Financial Sector; the China Banking Regulatory Commission’s “Information Security Survey 2016”; Singapore’s SAMA “Information Security Survey 2016”; and other cybersecurity guidance and assessment mandates.
Mapping of NIST Privacy Framework Functions v1.0 (NISTPF) and Financial Security Sector Cybersecurity Profile (FSSCP)
Guidehouse believes by combining NISTPF and FSSCP the following benefits could be achieved:
Special thanks to contributing author Stephen Singam.