Strengthening Standards
NIST receives feedback on improving cybersecurity framework

By Maria Korolov

Cybersecurity is complex, confusing and continually changing. It can be hard to tell where to start and where to go. Even the terminology used for cybersecurity can vary from person to person, vendor to vendor or regulation to regulation.

To address this problem, the National Institute of Standards and Technology created a set of guidelines and best practices called the Cybersecurity Framework. NIST first released the framework in 2014, and security experts across a broad range of industries, including the financial sector, began applying it.

“The first thing in 2014, right when the NIST directives came out, I put together an analysis of where we stood in these key areas of risk and control identified in the framework,” says John Coleman, chief information officer at Grandpoint Bank, a $3.2 billion-asset community bank based in Los Angeles. “I don’t know how we would have been able to come to the point where we have, if not for the unifying effect and directive and a uniform set of standards.”

The result was an analysis of what Grandpoint Bank needed to fix, from a cybersecurity perspective, and it also has stood up to the evolving nature of the cyberthreats the bank faces.

“I haven’t seen anything that’s so outside the box that it goes beyond what’s contemplated by the framework,” Coleman says.


Government agencies are still refining sanctioned cybersecurity standards.

Broad feedback

Other community banks also have had good experiences with the NIST Cybersecurity Framework, says Brian Pye, a principal with the consulting firm CliftonLarsonAllen LLP. “We’ve been hearing from small and mid-sized financial institutions that they would like how the framework has been developed,” he says.

One criticism that Pye has heard was that some banks were confused about trying to work with both the NIST framework and the cybersecurity guidelines issued by the Federal Financial Institutions Examination Council in 2015. There are some differences between the two, he says. The NIST framework is designed to be broader, to apply to more industries and to focus more on the risk-management level, and the FFIEC’s guidance is focused specifically on the financial services industry.

“The FFIEC is more granular on the key risks that regulators care about,” Pye says. However, he adds that he sees no major conflicts between the two agency documents, pointing out that the FFIEC’s guidelines were built on top of the NIST framework. “They work well together.”

However, Eric Pulse, director of risk advisory services at financial advisory firm Eide Bailly LLP in Fargo, N.D., says that more could be done to align the two frameworks. “I wouldn’t use the word ‘disagree,’ but from a structural perspective, putting them together in a similar fashion would have been beneficial and eliminated some potential confusion in the marketplace,” he says.

Matt Barrett, NIST’s Cybersecurity Framework program manager, says that he also has heard about problems some banks have had in aligning the NIST framework with the FFIEC guidelines, and that he was surprised by this feedback. “I saw a lot of value in the FFIEC cyber assessment tool,” he says, “but organizations were talking about its lack of alignment with the Cybersecurity Framework.”

Since 2014, NIST has organized or participated in dozens of educational conferences on its framework, and based on the feedback from those events, it has begun working on an update of the framework. That update will be released in early 2017, Barrett says. In particular, he says, NIST will provide more guidance on authentication and on overseeing the cybersecurity of outside vendors.

Making improvements

One of the purposes of the framework, he says, was to help organizations apply the same set of cybersecurity principles in multiple contexts, such as in compliance, budgeting and risk management. The framework also is built with flexibility in mind, to help organizations apply it to their particular risk environments and even to new and emerging cybersecurity threats.

In fact, one of the best practices specified in the framework is to keep up-to-date on emerging threats and to look ahead, to think beyond the box, says Brian Huntley, a chief information security officer at IDT911 LLC, an information security services company in Scottsdale, Ariz.

“No control framework is intended to be a be-all and end-all, and is not intended to apply for all time,” Huntley says. “But there are generally applicable strategies and tactics that you can apply.”

One area that he personally hopes to see more focus on in the future is that of privacy protection. The European Parliament approved a data protection regulation this spring, scheduled to go into effect in 2018, with fines up to 20 million euros for companies that violate consumer privacy—no matter where those companies base their operations.

Community banks and their outsourcing providers might be affected by the laws directly, says Huntley, and other national regulators, including the Federal Trade Commission, might issue similar regulations.

“In the mid-term future, we will see a U.S. federal ruling on this,” he says. “States may weigh in sooner, if only because they can.”

Maria Korolov is a technology writer in Massachusetts.