Founder Feature | 5 Questions Bankers Should Ask About Cybersecurity
Thanks to Finosec for contributing to the ICBA ThinkTECH Accelerator’s Founder Feature series! Finosec offers a simple and automated governance platform to save banks time and enhance exam preparedness. To meet Finosec and the other nine Fintechs in the 2021 ICBA ThinkTECH Accelerator, click here. For questions, please email firstname.lastname@example.org.
By Zach Duke, CEO and Founder, Finosec
Community bankers want to be confident when it comes to their information security and cybersecurity, and a huge part of my goal as a member of the 2021 cohort for the ICBA ThinkTECH Accelerator, powered by The Venture Center, is helping to provide that assurance. At Finosec we’ve seen time and again that the excessive manual labor required for user access validation and information security oversight is complex and can leave community bankers feeling lost and disoriented. The key to simplifying your approach to cybersecurity starts with these five foundational questions:
1. Is your Information Security Officer independent and supported?
Best practices and examiner expectations mandate that a bank’s Information Security Officer is independent of Operations and IT. Make sure this role is covered, is independent, and receives the support and resources necessary to best protect the bank and the bank’s customers.
2. Are your systems and banking functions documented?
One of the most common challenges we see in our discussions with community banks is the lack of documentation of their systems and business functions. Typically, the bank has leaders who know these intricacies, but the systems aren’t centralized and documented. This oversight can leave the bank vulnerable. All banks need a detailed system map to document the functions, vendors, logins, and locations.
If you want to dive into this more, take a look at our free resource on The Critical Foundation of a Cybersecurity Governance Platform.
3. Are you using an enhanced risk assessment process?
Managing risk is a mandatory part of running the bank, and IT and Information Security are no different. Make sure your risk assessment leverages the data in the system map, including the bank’s systems and functions, rather than an outdated asset-based approach. Additionally, the risk assessment process should be integrated with the bank’s culture and seen as an ongoing effort, as opposed to a once-a-year process in a spreadsheet.
4. Are you documenting and validating your information security program?
For those who are on the board or steering committees, you’ve probably heard people say, “If it isn’t in the minutes, it didn’t happen.” The same is true with information security and cybersecurity. Ask yourself how you manage changes to systems, exceptions from audits and exams, and how you validate adherence to your Information Security Program. Are these processes leveraging disparate systems like email, task lists, or even yellow sticky notes? If it isn’t documented, it didn’t happen.
5. Are your user access reviews up to the task?
Managing user access has become a priority for mitigating risks, especially in the new normal of remote work. Regulators have taken notice, and they are pushing for more frequent system access reviews. In fact, the FDIC and OCC put out a joint statement on the process, which I summarized here.
Does the bank document all of the employee-accessible systems? Ask yourself how often your team reviews the user access, if the reviews are based on the system’s risk, and what results from this reporting. It is not uncommon for these reports to be hundreds if not thousands of pages of antiquated and complex reporting. Are the reports your team reviews effective?
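To make questions 2 and 5 concrete, here is an added example (not Finosec’s code or any product of theirs) that ties a small system map to a risk-based access review: each system in the map carries a risk tier, the tier sets the review cadence, and the check reports reviews that are overdue, access still held by people who are no longer on the HR roster, and systems that show up in access exports but are missing from the map. All system names, vendors, users, dates and cadence values are constructed for illustration; the 90/180/365-day tiers are an assumption, not a regulatory requirement.

```python
"""Risk-based user access review check.

Added example: not Finosec's code. Every system, vendor, user, date and
cadence below is constructed for illustration.
"""
from datetime import date, timedelta

# Assumed review cadence per risk tier, in days. A real program takes these
# from the bank's Information Security Program, not from code.
REVIEW_CADENCE_DAYS = {"high": 90, "medium": 180, "low": 365}

# Constructed system map (question 2): function, vendor, location, risk tier.
SYSTEM_MAP = {
    "core": {"function": "Core banking", "vendor": "ExampleCore Inc.", "location": "hosted", "risk": "high"},
    "wire": {"function": "Wire transfer", "vendor": "ExampleWire LLC", "location": "hosted", "risk": "high"},
    "hr": {"function": "HR / payroll", "vendor": "ExampleHR", "location": "saas", "risk": "medium"},
    "intranet": {"function": "Staff intranet", "vendor": "internal", "location": "on-prem", "risk": "low"},
}

# Constructed access export: (system, user, role, date of last review).
# "legacy_fax" is deliberately absent from SYSTEM_MAP to show that case.
ACCESS_RECORDS = [
    ("core", "asmith", "teller", date(2021, 1, 15)),
    ("core", "bjones", "admin", date(2020, 9, 1)),
    ("wire", "bjones", "approver", date(2021, 2, 1)),
    ("wire", "cdoe", "initiator", date(2021, 3, 1)),
    ("hr", "asmith", "employee", date(2020, 8, 1)),
    ("intranet", "asmith", "employee", date(2020, 5, 1)),
    ("legacy_fax", "bjones", "user", date(2021, 3, 20)),
]

# Constructed active-employee roster from HR; "cdoe" has left the bank.
ACTIVE_EMPLOYEES = {"asmith", "bjones"}

# Constructed "today" for the review run.
AS_OF = date(2021, 4, 1)


def due_date(record, system_map, cadence=REVIEW_CADENCE_DAYS):
    """Next review due date for one access record, or None when the system
    is not in the map and therefore has no risk tier to derive it from."""
    system, _, _, last_review = record
    tier = system_map.get(system, {}).get("risk")
    if tier is None:
        return None
    return last_review + timedelta(days=cadence[tier])


def overdue_reviews(records, system_map, as_of, cadence=REVIEW_CADENCE_DAYS):
    """Records whose review is due on or before as_of. A record on an unmapped
    system is treated as overdue: it cannot have been risk-rated at all."""
    overdue = []
    for rec in records:
        due = due_date(rec, system_map, cadence)
        if due is None or due <= as_of:
            overdue.append(rec)
    return overdue


def orphaned_access(records, active_employees):
    """Records held by users who are no longer on the active HR roster."""
    return [rec for rec in records if rec[1] not in active_employees]


def unmapped_systems(records, system_map):
    """Systems present in the access export but missing from the system map."""
    return sorted({rec[0] for rec in records if rec[0] not in system_map})


def review_summary(records, system_map, active_employees, as_of):
    """The three findings a reviewer acts on, as (system, user) pairs."""
    return {
        "overdue": [(s, u) for s, u, _, _ in overdue_reviews(records, system_map, as_of)],
        "orphaned": [(s, u) for s, u, _, _ in orphaned_access(records, active_employees)],
        "unmapped_systems": unmapped_systems(records, system_map),
    }


if __name__ == "__main__":
    for finding, items in review_summary(ACCESS_RECORDS, SYSTEM_MAP, ACTIVE_EMPLOYEES, AS_OF).items():
        print(f"{finding}: {items}")
```

The point of keying the cadence to the system map rather than to a fixed calendar is that a high-risk system such as wire transfer comes up for review more often than the staff intranet, and an access record for a system nobody has mapped surfaces immediately instead of being silently skipped. Feeding the same data into the findings also answers the "what results from this reporting" question: the output is a short list of actions, not hundreds of pages.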
At Finosec, we believe that managing information security and cybersecurity doesn’t have to be overwhelming. These five questions build a strong foundation for a compliant and effective cybersecurity governance program.