Financial firms go beyond NIST's cybersecurity framework

Published 15 August 2014

The National Institute of Standards and Technology (NIST) released its Framework for Improving Critical Infrastructure Cybersecurity in February 2014. Utilities, banks, and other critical industries welcomed the guidelines, but many considered the framework to be a baseline for what was needed to continuously protect their networks from cyberattacks. Some financial firms have developed industry-based cyber policies through associations such as the Financial Services Information Sharing and Analysis Center’s (FS-ISAC) Third Party Software Security Working Group. The group has been reviewing cyber policies since 2012, before the NIST guidelines were finalized.

According to the Wall Street Journal, FS-ISAC cybersecurity guidelines were developed partly due to the financial industry’s increasing use of third parties to perform services and build software. Jim Routh, chief information security officer at Aetna Inc. and a member of the working group, said members feared that using third parties represented an additional area where cyber criminals could target attacks. Routh explained that the working group, which included representatives from major financial firms such as JP Morgan Chase, Citi, and Goldman Sachs, was formed to “simply focus on additive controls that address the specific risks of software security for third parties, since new controls are available today that are not necessarily part of the conventional controls in practice,” adding that many members of the working group already had their own cybersecurity controls for third parties in place.

The FS-ISAC believed, however, that an industry-wide approach was needed. “It is the responsibility of the financial services industry to make software security requirements explicit rather than implicit,” the association said in its report on the subject. By recognizing a set of control requirements to specific services and products provided by third parties, financial firms “can improve the adoption rate for vendors, and ultimately can provide software security from an outlier request to a standardized norm,” the report said.

Bob Ganim, chief information security officer at Neuberger Berman, notes that in addition to industry guidelines, the firm applies its own policies for third-party vendors. “Simply adhering to the letter of the law of policies or standards many times is not enough,” he said. Neuberger Berman employs a risk-assessment process to evaluate each third-party vendor, factoring in the sensitivity of the information each vendor stores or processes. For example, beverage suppliers would be scrutinized less than firms that handle clients’ financial information. After reviewing vendors, Neuberger Berman recommends improvements to meet its standard of security. “We have walked away from vendors and also have had vendors improve their environment so they were able to meet the requirements,” Ganim said. When vendors object to the recommendations, “we get on the phone with them to explain what we’re looking for” and that approach has been successful, he said.

Neuberger Berman goes a step further and reviews the security policies its vendors may be requiring from their own vendors, as even fourth-party risk could threaten its own information. “Our data is being processed by the vendor we contract with, but they use other providers and we still are liable for that data, it is our client’s data, so we also look to approach them to make sure they are evaluating their service providers,” Ganim said.