Cyber Security Regulations: Key to Managing Banking Industry Operational Risk?

Managing the banking and finance segment for Schneider Electric has taken me around the world over the past few years, and no matter where I go, from Hong Kong to London, our clients are concerned about cyber security threats and operational risk management.  Government regulators are concerned as well with many countries implementing their own policies and regulations for keeping banking data safe and buildings secure.  That’s why, it was no surprise to hear about the policy implemented in New York State on March 1.

The State of New York Department of Financial Services put in place the nation’s first ‘risk-based’ insurance, banking and finance industry regulations to encourage financial services firms to stay in front of technology trends and advances, and it includes some minimum standards and protections to prevent cyber breaches.  The legislation is intended to provide protections to prevent cyber security breaches including:

• Controls relating to the governance framework for a robust cyber security program including requirements for a program that is adequately funded and staffed, overseen by qualified management, and reported on periodically to the most senior governing body of the organization;
• Risk-based minimum standards for technology systems including access controls, data protection including encryption, and penetration testing;
• Required minimum standards to help address any cyber breaches including an incident response plan, preservation of data to respond to such breaches, and notice to DFS of material events; and
• Accountability by requiring identification and documentation of material deficiencies, remediation plans and annual certifications of regulatory compliance to DFS.

Source:  http://www.dfs.ny.gov/about/press/pr1702161.htm

Secure bank buildings minimize operational risk.

Regulations alone won’t improve operational risk

These regulations acknowledge that it’s not just our data that’s at risk but that banks must also carefully manage access controls to thwart cyber-attacks and reduce operational risk.  For some larger banks who are already complying with global regulations, this new regulation is likely not a concern.  Other financial institutions may find themselves seeking the support of critical vendors and disaster recovery and cyber security experts.

While the implementation of regulations themselves may not help manage operational risk for these financial services companies, a solid plan and governance can.  At Schneider Electric, the cyber security of our products, systems and software is of critical importance.  We maintain in-house cyber security expertise and we work with the world’s top cyber security firms like McAfee, part of Intel Security, to protect mission-critical communication and networking systems.  Beyond our products, we work with our banking and finance clients on their cyber security strategy to help secure everything from their intelligent building management systems to their data centers from both physical and virtual attacks.

So while regulations alone won’t help the banking and finance industry manage operational risk, maintaining a solid cyber security strategy and working with vendors who maintain a state of the art cyber security practice for their products, systems, and software will.