Quantifying Compliance Risk in Financial Services
Quantifying Compliance Risk in Financial Services
Article written by: Stephen Magnani (Senior Vice President-Office of the Chief of Information Security-Application Security Management, Citi) and Roger Young (VP, Chief Information Security Officer, Cenlar FSB)
Like several key business segments, the financial services (FS) industry operates in an increasingly complex regulatory environment. The General Data Protection Regulation (GDPR), whose enforcement began in 2018, is just one example of a new regulatory regime that affects all industry segments, including the already highly regulated financial industry. In recent years, the growth in fines and settlements associated with non-compliance has far outpaced earnings growth in US and European banks. And in Europe, non- compliance can subject a FS company to a fine of up to 4% of annual gross revenue. That not only creates a big incentive to adhere to data-protection regulations, it makes penalties for non- compliance a significant operational risk.
To minimize risk associated with non- compliance, FS companies must first understand their compliance exposer. To do that, they need to evaluate their security practices in the context of regulatory frameworks. Stephen Magnani, senior vice president, office of the chief of information security- application security management at Citi, explains, “Financial firms quantify their compliance risk by determining the gaps which exist in their compliance frameworks, which are multidimensional, including: operations, fraud, information security, technology among others. Compliance is a function of external regulations and internal policies, standards, and procedures, designed to meet the letter and intent of regulatory compliance as well as the safety and soundness of company and client data and assets. The quantification of risk can be determined by way of a gap analysis against those frameworks that are designed to meet regulatory requirements.”
Roger Young, vice president and chief information security officer at Cenlar FSB, notes that in practice, many organizations do not isolate compliance risk from other cyber-risk scores. “I see that many colleagues and professionals in our industry are not quantifying compliance risk but qualitatively assigning scores or risk levels to various areas, many times using heat maps and other charts,” he say. “When you ask how did you arrive at these scores, many will say, ‘Well, I took the CVSS [Common Vulnerability Scoring System] score, analyzed what controls are in our environment, reviewed the criticality of the device or application, and basically made a judgment call.’ Some are just making a best guess. I feel a better approach is to use a process of calculating probability of an event or inevitable failure of a control, something like the FAIR [Factor Analysis of Information Risk] methodology. These methods can help with justifying costs, especially when calculating cyber insurance.”
Young also points out that especially for FS companies, penalties need to be part of the calculation. “Integrated risk assessment takes into consideration your topology, various controls, and vulnerabilities on critically identified systems, perhaps even the number of previous successful attacks in your environment. Definitely in financial services, it should consider penalties or fines that may be assessed for failures.”
Quantifying compliance risk also factors in the criticality of the assets under consideration. As Magnani explains, “Digital assets in scope for vulnerability assessments and testing must be evaluated on a risk-prioritized basis to determine the level of risk associated with those assets and data stores. This allows for the application of ratings on discovered vulnerabilities that are based on a risk-adjusted quotient of the asset. Thus, high-risk assets which expose restricted or confidential personally identifiable information, and/or move money to non- linked accounts, are assessed vulnerability ratings which account for degrees of greater risk exposed by the functionality of the asset.” Magnani further notes that the task of quantifying risk is becoming more difficult. “As digital transformation progresses from the world of monolithic applications to cloud-native component architecture, the question of risk becomes more difficult to quantify when everything can be considered to be connected. In that case, everything can be considered high risk!” he points out.
Clearly FS companies need to consider compliance risk as they quantify their risk exposure. At the end of the day, to make useful business decisions from these assessments, the risk scores need to tie back to potential business impact in terms that are meaningful to managers and decision-makers.
- To minimize risk associated with non-compliance, FS companies must first understand their compliance exposer. To do that, they need to evaluate their security practices in the context of regulatory frameworks.
- Integrated risk assessment takes into consideration topology, controls, vulnerabilities on critical systems, the number of previous successful attacks in your environment, and in financial services, penalties or fines that may be assessed for failures.