Matt Tolbert, Senior Cyber Specialist, Federal Reserve Bank of Cleveland, gave some specific pointers on cybersecurity resilience in a presentation at the recent 2021 FAIR Conference – good advice for financial institutions now but also an indicator of where regulations may be headed.
Cyber resilience is top of mind for the regulator of the largest US banks. Fed Chairman Jerome Powell said in an interview earlier this year, “The risk that we keep our eyes on the most now is cyber risk…There are scenarios in which a large financial institution would lose the ability to track the payments that it's making. Where you would have a part of the financial system come to a halt, or perhaps even a broad part.”
5 Metrics to Measure Progress in Cyber Risk Management Resilience
Matt Tolbert presented this IT and cyber resilience checklist:
#1 Number and completeness of cyber-attack scenarios identified.
Tolbert said he finds CIOs and CISOs are typically very good at identifying types of well-known attacks and attack methods, such as ransomware. But the industry needs to improve on addressing Black Swan scenarios that are very low likelihood but high impact, such as a persistent attack on database integrity, not seen yet but with the potential to cause “a significant outage…I would personally suggest that we need to think more about the impact a scenario has and not necessarily the likelihood.”
#2 Completeness of documentation
Records for policies, standards and procedures should be complete in terms of addressing all the scenarios and should be regularly reviewed, updated, and approved by management.
#3 Testing controls effectiveness against the risk scenarios
Tolbert called this the most important among the five. “I think we are reaching inherent limitations of what controls can and cannot do. So, it’s very important to understand can our controls actually stop certain types of attacks…and if preventative and detective controls are not effective, then [understanding] how effective are resiliency controls.” He added, “I know sometimes firms are concerned about divulging that they didn’t have a successful recovery test. As far as I’m concerned, it’s great the test was performed and if there were failures, that’s a good fail, because I have to believe the firm learned from that experience.”
#4 Recovery time objectives (RTO)
Measuring and improving RTO is critical though difficult because, with advanced persistent threat (APT) groups, you may not know when a cyber incident is over.
#5 Incident Response Time
Tolbert recommended treating this as a continuous process: know how quickly and how effectively the team can respond to an attack, and which steps must follow once an attack is detected, such as containing the threat actors in an isolated segment of the network to prevent lateral movement.
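Metrics #4 and #5 only become useful when they are computed the same way for every incident. The script below is an added example, not code from Tolbert's talk or from the Federal Reserve; it assumes a constructed incident register with ISO-8601 timestamps for detection, containment and recovery, plus an optional eradication-confirmed timestamp, and it reports a recovery time as provisional when that confirmation is absent, which is the APT case the text describes where the incident cannot yet be declared over.

```python
"""Compute incident response time and RTO attainment from an incident register.

Assumed (constructed) record layout: one dict per incident with ISO-8601 UTC
timestamps for 'detected', 'contained', 'recovered' and, once the team has
confirmed the attacker is gone, 'eradication_confirmed'. A missing
'eradication_confirmed' means the incident cannot yet be declared over, so its
recovery time is reported as provisional rather than counted against the RTO.
"""
from datetime import datetime, timedelta
from statistics import median

# Constructed sample register (hypothetical incidents, not real data).
SAMPLE_INCIDENTS = [
    {"id": "INC-001", "detected": "2021-03-01T08:00:00Z",
     "contained": "2021-03-01T09:30:00Z", "recovered": "2021-03-01T20:00:00Z",
     "eradication_confirmed": "2021-03-02T10:00:00Z"},
    {"id": "INC-002", "detected": "2021-04-10T22:15:00Z",
     "contained": "2021-04-11T06:00:00Z", "recovered": "2021-04-13T12:00:00Z",
     "eradication_confirmed": "2021-04-14T09:00:00Z"},
    {"id": "INC-003", "detected": "2021-05-05T14:00:00Z",
     "contained": "2021-05-05T15:00:00Z", "recovered": "2021-05-06T02:00:00Z",
     "eradication_confirmed": None},  # persistent actor: end of incident unknown
]


def _ts(value):
    # Accept the trailing 'Z' that many SIEM exports emit.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def hours_between(start, end):
    """Elapsed hours between two ISO-8601 timestamps, as a float."""
    return (_ts(end) - _ts(start)) / timedelta(hours=1)


def evaluate_incident(rec, rto_hours):
    """Per-incident metrics: response (detect->contain) and recovery (detect->recover)."""
    response_h = hours_between(rec["detected"], rec["contained"])
    recovery_h = hours_between(rec["detected"], rec["recovered"])
    return {
        "id": rec["id"],
        "response_hours": response_h,
        "recovery_hours": recovery_h,
        "rto_met": recovery_h <= rto_hours,
        # Without confirmed eradication the recovery clock may still be running.
        "final": rec.get("eradication_confirmed") is not None,
    }


def summarize(incidents, rto_hours):
    """Aggregate #5 (response time) and #4 (RTO attainment) across the register."""
    rows = [evaluate_incident(r, rto_hours) for r in incidents]
    final = [r for r in rows if r["final"]]
    attainment = (100.0 * sum(r["rto_met"] for r in final) / len(final)) if final else None
    return {
        "incidents": rows,
        "median_response_hours": median(r["response_hours"] for r in rows),
        "rto_attainment_pct": attainment,      # only closed incidents count
        "provisional": [r["id"] for r in rows if not r["final"]],
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_INCIDENTS, rto_hours=24)
    for row in report["incidents"]:
        print(f'{row["id"]}: respond {row["response_hours"]:.2f} h, '
              f'recover {row["recovery_hours"]:.2f} h, '
              f'{"RTO met" if row["rto_met"] else "RTO missed"}'
              f'{"" if row["final"] else " (provisional)"}')
    print("median response hours:", report["median_response_hours"])
    print("RTO attainment % (closed incidents):", report["rto_attainment_pct"])
    print("still open:", report["provisional"])
```

Excluding unconfirmed incidents from the attainment figure is the design choice that matters: a recovery time measured before eradication is confirmed understates the real RTO, so the report keeps those incidents visible in a separate list rather than letting them inflate the percentage.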
“Even with the best-prepared firms out there, using the best tools with the best security teams may still not be able to successfully detect and deter the most sophisticated and determined types of cyber attacks,” Tolbert said. “I think therefore there’s a strong argument that resilience is the most important aspect of any institution’s cybersecurity capabilities.”