SIFMA makes the first move
the journal of Michael Werneburg
twenty-seven years and one million words
Over the past couple of years, I've been watching for a "guidance note" from one of the regulators on cyber security. It seems that SIFMA has, too. The Securities Industry and Financial Markets Association, the US industry association, has, on October 20th, effectively preempted the regulators by issuing a list of ten guiding principles on cyber security that does two important things:
- It calls for the industry to adopt the NIST Cybersecurity Framework.
- It calls on the regulators to broaden their scope to include the information vendors that work in the industry.
In calling for a standard, I suspect that SIFMA wanted to beat the regulators to the punch. They've also made the call in the ideal fashion - calling for flexibility that respects both the nature and the size of the financial organization; for instance, not expecting the smallest shops to spend at the same level as the largest.
The tenth of the principles in the document is where the vendors come in. SIFMA calls on the regulators to start overseeing and "pressuring" service organizations in the industry:
"Principle 10: The Management of Cybersecurity at Critical Third Parties is Essential for Firms
Many of the systems and data stores within the critical infrastructure sectors reside not in the firms themselves, but in third-party service providers that are typically unregulated. Protections must be promoted at these non-regulated entities that the financial sector relies on. Similar to financial firms, third parties that pose a systemic risk to the industry should be identified, evaluated more closely, and encouraged to provide more information on the status of their cybersecurity programs. Regulators should increase their coverage of third parties and put pressure on these third parties to meet the regulatory expectations of the financial services firms that they serve.
Small- and medium-sized firms are particularly reliant upon third-party service providers. Many smaller firms outsource many components of their infrastructure, but lack the negotiating leverage to require third parties to implement robust cybersecurity protections. Agency oversight in conjunction with market forces should work together to ensure that such third parties implement these protections and do not leave the financial sector vulnerable."
This is the day that I've been watching for - and frankly, hoping for. Having spent several years on both sides of the line between financial institutions and service organizations, I've observed that that line is more of a ragged suture than a neat straight line. It's often very difficult to understand where responsibilities lie, what the standards are, where the communication efforts should focus, and whether the counter-party has certain security capabilities. It's also clear that historically, service organizations were unfamiliar with the sorts of demands that come from regulators. I recently heard a remark, "but there are no standards!" Well, there are now.
My recommendations to both financial firms and their service organizations are:
- Ingest the NIST standard.
- Start to map out all of the data flows that span the "ragged suture". Determine the risks, and understand the required controls for each flow.
- And be ready for the day the regulators come knocking. This may mean preparing for a service audit, which is becoming the standard means of communicating a service organization's capabilities in information risk.
As a practitioner in this space, I welcome this move by SIFMA.