US: Regulatory order serves as a message to all about cybersecurity and governance
On September 20th companies thinking through their cyber programs and governance were given a gift: an order laying out the building blocks for effective cybersecurity programs, executive supervision, and board oversight. The US Office of the Comptroller of the Currency (“OCC”), an independent bureau of the US Treasury Department, issued a cease-and-desist order against a national banking association regarding technology and operational risk management. Obviously, banks regulated by the OCC must pay attention or face a similar fate. However other companies regardless of whether they are subject to the OCC’s jurisdiction should take note of the import of this Order and its underlying guidance for implementing appropriate security controls and risk management procedures more generally. This Order sets the bar on how a company takes reasonable steps to build and oversee cybersecurity regardless of the sector.
Below we outline the building blocks set forth in the Order combined with practical steps companies can take to be proactive in managing their cyber risk:
- Compliance Committee: The Order requires the bank to establish a compliance committee to oversee compliance with the Order.
Practice note: Compliance with cyber regulations is not an issue limited to companies subject to OCC Orders. Many companies struggle with the role of the compliance team in cybersecurity and ask themselves: “With subject matter experts (SMEs) in the information security office and often in risk functions, do we as a company really need additional cybersecurity subject matter experts in compliance?” The short answer is yes - such SMEs would be helpful by bringing specialized knowhow and accountability, much like companies have other SMEs across their different functions in other areas. Beyond that, even without a true SME, compliance testing belongs with the compliance function. Companies should develop the protocols to carry out such testing and review.
- Action Plan: The Order requires the bank to develop an Action Plan to achieve compliance with the regulations. The Board is responsible for overseeing the Action Plan, with “success criteria” and timelines. Additionally, the Board is to receive quarterly updates on the Action Plan.
Practice note: Good project management requires a plan, and the same is true in cyber. After reviewing the applicable regulations or best practices, companies should develop an action plan and brief management and the Board on the plan. The Board, even without cyber experts, can then effectively oversee the company’s efforts in meeting the plan.
- Board and Management Oversight: The Order requires the bank to develop a plan to improve board and management oversight of technology and operational risk. Critically, this includes planning how issue remediation impacts risk.
Practice note: Questions always arise around effective Board oversight of cyber. Some regulators even propose cyber expert requirements for Boards. There are no simple answers to the questions: “how much oversight is sufficient?” and “what should the Board’s skillset be?” But asking about issue remediation is something every Director is capable of doing and helps identify true issues and delays in remediation.
- Technology Risk Assessment: The Order requires the bank to improve their technology and risk assessment process. Ultimately, the bank is to use their technology and risk assessments to report to the Board on technology risk.
Practice note: The information security risk assessment process is the lynchpin of a good program. A good information security risk assessment starts by understanding the inherent risks to the enterprise. These are different for each company. For some, it may be for-profit hackers, for others it may be espionage (theft of trade secrets), or attacks by nation-states. Of course, other risks exist, and companies should also catalog those risks. After identifying the risks, companies are in a position to assess the controls and residual risk. Risk assessments should assess the controls that matter to the regulators and map the controls to the regulations, tying together risk, information security and compliance.
- Risk Governance: On top of managing its risk assessment process, the Order requires the bank to update its risk governance framework.
Practice note: To maintain a robust risk governance framework, companies should develop metrics for information security and ensure that risk committees oversee these metrics as well as ad hoc issues arising within the organization. Effectively tracking the risks is the critical next step after developing the risk assessments.
- Operations and Internal Controls: The Bank is required to create a written plan to improve policies, procedures, processes, and internal controls.
Practice note: These are the nervous system through which a cybersecurity program functions effectively. Many companies have outdated policies and procedures given that the technology and threat environment change rapidly. Yet, other companies with strong policies and procedures struggle with poor implementation and insufficient testing. Legal, compliance and information security teams should develop a cadence to draft and review policies and procedures, and implement the controls accordingly.
- Information Security Program: The Bank is required to create an information security program and present it to the Board for approval and oversight.
Practice note: This is the one document that ties together all the other documents. If the policies and procedures are veins, this is the heart. An effective program tracks both technical controls and regulatory requirements to create a cohesive program. Senior management and the Board therefore have an opportunity to see the program as a whole. Critically, so do regulators, if there is ever an issue or examination.
- Staffing: The Bank is required to create a plan to hire and retain sufficient staff to remediate information technology and risk issues. The Board is required to oversee the staffing plan.
Practice note: There is a war on talent in the information security space. Hiring and retaining top talent is a tall order. But companies can achieve this by creating a plan that allows the team members to grow and learn the different information security domains. Once again, even without a cyber SME, this is an element of a cyber program that the Board can easily review: understand the needs of the enterprise, review the staffing plan, and assess progress towards the staffing plan.
- Data Management and Reporting: The bank is required to have a plan to ensure good data management and reporting.
Practice note: Companies have been adding new management, often in the form of a Chief Data Officer, to oversee data governance. Information security assessments regularly hinge on good data governance, such as data mapping and classification. Even if there is not a Chief Data Officer, companies should have clearly defined roles and responsibilities to oversee data. Having designated SMEs also helps with reporting up to the Chief Data Officer or other representative.
- Board responsibilities: For each of the requirements for the bank, the Order directs the Board to not only oversee the original plan, but to monitor the plan’s implementation at least annually.
Practice note: CISOs often enjoy what amounts to a free pass if senior management and Board members think the topic is too technical to ask effective questions and perform meaningful management. But understanding how the program is built, assessed, and implemented is no different for cyber than it is for other matters. Management and Boards should feel confident to ask tough questions, even if they are not technical, and ensure continued compliance with regulations and security best practices.
The Order is here.