Congratulations to David Zaken, Supervisor of Banks at the Bank of Israel, for wading in, no, for jumping in with both feet in potentially shark-infested waters of cyber regulation, with the recent issuance of “Directive 361”, Cyber-security Management, aimed at banks and credit card companies.
(The original directive in Hebrew can found here: http://www.boi.org.il/he/BankingSupervision/SupervisorsDirectives/DocLib/361.pdf)
The purpose of the Directive is to support banks in efforts to manage cyber-related risks and help banking corporations manage such risks. The Directive puts bank executives on notice that cybersecurity efforts can no longer be relegated to obscure folk too often toiling away in backrooms crowded with wires and equipment.
Cybersecurity efforts are now out of the closet and front and center in bank board rooms and C-suites, which has still to take place in too many corporations throughout the United States.
I want to focus on two specific elements of the Directive:
- Banks and credit card companies must appoint a cyber security manager;
- Board of directors’ responsibilities must be defined in the cyber realm;
In considering implementation of the Directive, two sayings leap to mind: the devil is in the details, and the road to hell is paved with good intentions.
Appointment of a cyber security manager first calls for an understanding of the purpose of that position. That may sound obvious, but it’s not. The cyber Security (CS) manager needs to understand everything including but far from limited to who does what where on computer terminals and other devices connected to the bank’s system, and the crown jewels of the bank, spanning not only bank routing and account information but so much more.
First and foremost, banks cannot indulge in window dressing. The CS manager responsibilities should not just be dumped on the already-in-place computer trouble shooter, nor on the current information security officer – without adequate resources and support.
Banks typically have fairly good IT departments to keep things running, but protecting things requires additional skills as well as a mindset that can think a bit like a criminal. Adding these responsibilities to the IT department requires training and support for staff.
The person in this role must know what is at risk and how to protect it, which means understanding the inadequacies of the system and the people who use it. The CD manager must have the knowledge to not only advise on what to change but also what protective measures to take, and in many cases that means some acquisition of security products and services. The C-Suite must understand such expenditures are needed and approve them.
Turning to the Board of Directors’ work requires an education effort all its own. Directors must understand the ever increasing financial drain on banks and all entities from cyber criminals – there’s plenty of open source information and studies to cite. The risk management committee itself should define the Board’s individual and collective responsibility for the firm’s cybersecurity as well as take on report and audit responsibilities – and the CS manager should make reports directly to the committee and the Board.
Such direct reports may make bank executives uncomfortable, but there should be zero possibility of gatekeepers preventing the true state of affair from being known. No dilution of fact. No whitewashing.
The Directive also specifies a structured approach, a flexible framework to bolster cybersecurity.
Looking at the framework concept, the Bank Regulator and individual banks must understand and practice that a framework is not a finite prescription. The framework of concepts and best practices must evolve to pace, and preferably, outpace the ever evolving cyber threat and tactics.
I recently attended the United States – Israeli Cybersecurity Initiative conference in Washington, D.C., and heard an Israeli speaker say there were no information sharing and analysis centers (ISACs) yet formed in Israel. There is an acute need for such ISACs to be formed, preferably one for each critical infrastructure sector such as banking, for the purposes of threat and information sharing.
Trust is a major ingredient to the success of ISACs and it takes time to build trust. But cyber attacks are a common enemy to all banks. And if truth be known, one way or the other, every bank has been breached. Every bank is at risk and there is increased safety in combined efforts.
The Directive is a good beginning, but the devil is indeed in the details, and the implementation of those details. Let’s not have misguided good intentions of cost-containment and silence lead to financial hell.
Anne F. La Lena is a consultant in Washington, D.C., specializing in regulatory implementation, industry and government relations, and public communications in cybersecurity and telecommunications.