The Carnegie Endowment for International Peace wants to help make high-level cybersecurity simple for CEOs, CISOs and Board Members of financial institutions – that’s why they’ve released “Cyber Resilience and Financial Organizations: A Capacity-building Tool Box”.
One of the most significant barriers to success in cybersecurity is complexity, especially when it comes to leadership from the top of an organization down.
Think about it – the CEOs, executives and board members of a major financial organization have spent their careers gaining the experience and insight needed to properly execute their duties.
How likely is it that they would also become cybersecurity experts?
Nevertheless, understanding and promoting cybersecurity best practices is still their responsibility, which is why practical and effective resources for cybersecurity management are so valuable.
This is precisely what the many partners behind the “Cyber Resilience and Financial Organizations: A Capacity-building Tool Box” hope to offer.
In this article, we’ll answer the following questions about this set of cybersecurity resources:
- What Is Cyber Resilience and Financial Organizations: A Capacity-building Tool Box?
- What Does Cyber Resilience and Financial Organizations: A Capacity-building Tool Box Include?
- Cybersecurity Leadership (Board-Level Guide And Checklist)
- Cybersecurity Leadership (CEO-Level Guide And Checklist)
- Protecting The Organization (CISO-Level Guide And Checklist)
- Protecting Customers (CISO-Level Guide And Checklist)
- Protecting Connections To Third Parties (CISO-Level Guide And Checklist)
- Incident Response Guide
- How Can I Use Cyber Resilience and Financial Organizations: A Capacity-building Tool Box?
- Who Are The Organizations That Developed Cyber Resilience and Financial Organizations: A Capacity-building Tool Box?
- The Carnegie Endowment for International Peace
- The International Monetary Fund
- The SWIFT Institute
- The Financial Services Information Sharing and Analysis Center (FS-ISAC)
- Standard Chartered
- The Global Cyber Alliance
- The Cyber Readiness Institute
What Is Cyber Resilience and Financial Organizations: A Capacity-building Tool Box?
Cyber Resilience and Financial Organizations: A Capacity-building Tool Box consists of six one-page guides, each following clearly defined goals and written for a specific high-level role within a financial organization. The goal of the resource is to offer a simple way for CEOs, CISOs and Board Members to participate in and promote cybersecurity for their organization.
“The guides are designed to be practical, actionable, and easy-to-use to maximize their benefit and impact on financial institutions’ cyber resilience”, said Tim Maurer, Co-director of Carnegie’s Cyber Policy Initiative, in a press release. “When used properly, these tools will prevent dangerous hacks to financial systems across the world.”
This tool box is based on a year of collaborative work between many of the world’s most formidable cybersecurity experts. Made up of checklists and step-by-step guides, the six resources are also available in a range of languages, including Arabic, Dutch, English, French, Portuguese, Russian and Spanish.
What Does Cyber Resilience and Financial Organizations: A Capacity-building Tool Box Include?
For each of the six components, the tool box offers a guide and a checklist. The former offers a summary of what is expected of the role for which the guide and checklist are designed, and the checklist provides a simple method by which to ensure these expectations are being met.
Cybersecurity Leadership (Board-Level Guide And Checklist)
This guide and checklist are intended for use by board members of financial institutions, detailing the following expectations of such members:
The guide notes that the board is the highest level of the organization’s leadership, and as such, they are held responsible for cybersecurity governance. It is their duty to oversee strategies, policies, and activities relating to cybersecurity.
- Staying Informed
Understanding that it’s not enough to implement cybersecurity strategies and practices just once, the guide also notes that board members must stay informed of continually changing cybersecurity standards. As such, new members must demonstrate an understanding of effective cybersecurity policy, and the board as a whole must seek advice from management pertaining to updates to cybersecurity, and maintain awareness of ongoing systemic challenges (e.g. supply chain vulnerabilities).
- Setting The Tone
Again, as the highest form of leadership in the organization, the board must set an example for how a culture of cybersecurity is approached and maintained.
Cybersecurity Leadership (CEO-Level Guide And Checklist)
This guide and checklist are intended for use by the CEO of a financial institution, detailing their expectations as follows:
This guide notes that, in conjunction with the board, the CEO is responsible for governing an organization’s cybersecurity, which includes hiring and managing the right personnel (i.e. a Chief Information Security Officer [CISO]).
- Risk Assessment And Management
The CEO must establish risk assessment and management as an ongoing priority in the organization’s cybersecurity efforts. This cannot be a one-time initiative – in order to maintain best practices and meet standards, CEOs must ensure risk is assessed on a regular basis.
- Organizational Culture
The CEO’s perspective allows them to ensure that cybersecurity is considered in each and every business decision. It is their responsibility to make sure everyone on the leadership team takes the organization’s cybersecurity into account.
Protecting The Organization (CISO-Level Guide And Checklist)
As the head of the organization’s cybersecurity, the CISO’s guides are the most extensive, detailing the many priorities they will have to balance to maintain cybersecurity:
The guide covers the many technical aspects of a financial organization that need to be secured, including mobile devices, Wi-Fi networks and devices, and data backup (both processes and storage devices).
The guide also notes how important employee cybersecurity awareness is, detailing ways in which properly trained staff members can contribute to the organization’s culture of cybersecurity.
- Threat Management
The guide covers both malware and phishing methodologies and how to protect against them.
Protecting Customers (CISO-Level Guide And Checklist)
The second of the tool box’s guides for CISOs, this resource explores how to promote secure practices on the customer’s part, and how to interact with customer data in a secure manner:
- Customer Cybersecurity
This includes both the security requirements placed on customers (e.g. standards for user IDs and passwords, multi-factor authentication, etc.) and the need for secure web applications (i.e. customer portals must be served over HTTPS from a securely configured environment).
- Protection Of Customer Data
In addition to setting standards for data security (e.g. encryption while in transit), this portion also notes the importance of customer data management. It is vital for CISOs to determine what type of customer data it is necessary for the organization to collect and store, as well as to consider how it is retained and, eventually, disposed of.
- Customer Notification
In the event of a data breach, the CISO must have a clear policy in place for notifying customers that their data may have been compromised.
Protecting Connections To Third Parties (CISO-Level Guide And Checklist)
The last of three resources for CISOs pertains to third parties, whose cybersecurity is of the utmost importance:
- Identifying Risk Through Third Parties
It’s important for the CISO to ensure that third parties only have access to the data they require; that is, “least privilege”. The levels of access should be verified and managed on a detailed list for regular review.
- Managing Third Party Security
Despite not being a part of the financial organization the CISO manages, it is still their duty to verify third party security when it comes to shared customer data. This means ensuring they meet established cybersecurity standards and follow best practices.
- Sharing Information
Information about recent cybersecurity events and updates needs to be shared with third parties in a timely fashion to make sure that vulnerabilities are not left unattended.
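The “Identifying Risk Through Third Parties” item above asks for a detailed list of third-party access, held to least privilege and reviewed regularly. As an added example, not part of the Carnegie tool box or of KTG’s own tooling, the script below reviews a small access register and flags the three things such a review is looking for: vendors granted more than their contract requires, vendors whose entry has not been reviewed within the policy interval, and entries with no accountable owner. The register format, the 90-day review interval, the review date and the vendor entries are all constructed for illustration.

```python
"""Third-party access register review (added example, not part of the Carnegie tool box).

The register format, the vendors and the review policy below are constructed
for illustration only.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class ThirdPartyAccess:
    vendor: str
    purpose: str
    required: frozenset   # data scopes the contracted service actually needs
    granted: frozenset    # data scopes currently provisioned to the vendor
    last_reviewed: date   # date the entry was last verified by its owner
    owner: str            # accountable person inside the institution ("" = nobody)


# Assumed policy: every third-party entry is re-verified at least quarterly.
REVIEW_INTERVAL = timedelta(days=90)

# Constructed review date so the example is deterministic.
TODAY = date(2020, 6, 1)

# Constructed sample register.
SAMPLE_REGISTER = [
    ThirdPartyAccess(
        vendor="PrintCo",
        purpose="statement printing and mailing",
        required=frozenset({"customer_name", "postal_address"}),
        # Holds a scope the mailing job never needs: a least-privilege violation.
        granted=frozenset({"customer_name", "postal_address", "account_balance"}),
        last_reviewed=TODAY - timedelta(days=30),
        owner="ops-lead",
    ),
    ThirdPartyAccess(
        vendor="KYC-Check",
        purpose="identity verification at onboarding",
        required=frozenset({"customer_name", "date_of_birth", "id_document"}),
        granted=frozenset({"customer_name", "date_of_birth", "id_document"}),
        # Access is right-sized, but nobody has looked at it for four months.
        last_reviewed=TODAY - timedelta(days=120),
        owner="onboarding-lead",
    ),
    ThirdPartyAccess(
        vendor="AnalyticsCo",
        purpose="aggregate transaction reporting",
        required=frozenset({"transaction_summary"}),
        granted=frozenset({"transaction_summary"}),
        last_reviewed=TODAY - timedelta(days=10),
        owner="",  # no accountable owner recorded
    ),
]


def review_register(register, today=TODAY, interval=REVIEW_INTERVAL):
    """Return a list of (vendor, finding, detail) tuples for the register.

    finding is one of: excess_privilege, missing_required, review_overdue, no_owner.
    """
    findings = []
    for entry in register:
        excess = entry.granted - entry.required
        if excess:
            findings.append((entry.vendor, "excess_privilege", sorted(excess)))
        missing = entry.required - entry.granted
        if missing:
            # Under-provisioning is not a security risk, but it means the
            # register and the provisioned reality have drifted apart.
            findings.append((entry.vendor, "missing_required", sorted(missing)))
        age = today - entry.last_reviewed
        if age > interval:
            findings.append((entry.vendor, "review_overdue", [age.days]))
        if not entry.owner:
            findings.append((entry.vendor, "no_owner", []))
    return findings


if __name__ == "__main__":
    for vendor, finding, detail in review_register(SAMPLE_REGISTER):
        print(f"{vendor:12} {finding:18} {detail}")
```

Running it prints one finding per vendor: PrintCo holds an excess scope, KYC-Check is 120 days past its last review, and AnalyticsCo has no owner. In practice the register would come from the institution’s vendor-management system rather than a hard-coded list, and the output would feed the regular review meeting the guide calls for.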
Incident Response Guide
The last resource in the tool box provides a comprehensive guide for incident response. The guide covers every necessary aspect, from preparation and testing prior to an incident, to response during an incident, and recovery and review after the fact.
How Can I Use Cyber Resilience and Financial Organizations: A Capacity-building Tool Box?
This tool box has been designed to be as simple and effective as possible, offering each resource (no more than one double-sided page each) for specific members in your financial organization.
To make use of this resource, you could start by simply giving each guide and checklist to the relevant party for review, and then meet to develop a roadmap that identifies where your organization already meets the checklists and how you will go about implementing any remaining practices.
However, it’s important to note that, no matter how understandable and intuitive these resources are, the process of following them may not be. This is especially true when it comes to how much time your CEO, CISO, and board members can commit to this process. Depending on your current cybersecurity processes, it could take some time to bring them up to the standards detailed in this tool box.
This is why it’s advised that you seek expert support – Kraft Technology Group can assist in the process. We have extensive experience supporting financial organizations’ IT efforts – that’s actually how we began in the industry, working with our parent company, KraftCPAs.
Who Are The Organizations That Developed Cyber Resilience and Financial Organizations: A Capacity-building Tool Box?
As detailed in the press release, the partners behind the project are as follows:
The Carnegie Endowment for International Peace
The Carnegie Endowment for International Peace is a unique global network of policy research centers in Russia, China, Europe, the Middle East, India, and the United States. Our mission, dating back more than a century, is to advance peace through analysis and development of fresh policy ideas and direct engagement and collaboration with decision-makers in government, business, and civil society. Working together, our centers bring the inestimable benefit of multiple national viewpoints to bilateral, regional, and global issues.
The International Monetary Fund
The International Monetary Fund (IMF) is an organization of 189 countries, working to foster global monetary cooperation, secure financial stability, facilitate international trade, promote high employment and sustainable economic growth, and reduce poverty around the world. Created in 1945, the IMF is governed by and accountable to the 189 countries that make up its near-global membership. The IMF’s primary purpose is to ensure the stability of the international monetary system—the system of exchange rates and international payments that enables countries (and their citizens) to transact with each other. The Fund’s mandate was updated in 2012 to include all macroeconomic and financial sector issues that bear on global stability.
The SWIFT Institute
The SWIFT Institute, set up by SWIFT, funds independent research, supports knowledge-led debate and provides a forum where academics and financial practitioners can learn from each other. The primary focus of the SWIFT Institute’s work is transaction banking, covering the areas of payments & banking, securities, cybersecurity, technology & innovation, regulation & compliance, and leadership. To date, more than 40 research grants have been issued and ten conferences held. All of the Institute’s research is freely available to download and share at www.swiftinstitute.org.
The Financial Services Information Sharing and Analysis Center (FS-ISAC)
The Financial Services Information Sharing and Analysis Center (FS-ISAC) is an industry consortium dedicated to reducing cyber-risk in the global financial system. Serving financial institutions and in turn their customers, the organization leverages its intelligence platform, resiliency resources, and a trusted peer-to-peer network of experts to anticipate, mitigate and respond to cyberthreats. FS-ISAC has nearly 7,000 member firms with users in more than 70 countries. Headquartered in the US, the organization has offices in the UK and Singapore. To learn more, visit fsisac.com.
Standard Chartered
Standard Chartered is a leading international bank, working across some of the world’s most dynamic markets including Asia, Africa, and the Middle East, driving commerce and prosperity through its unique diversity. With more than 86,000 employees and a presence in 60 markets, Standard Chartered’s network serves customers in close to 150 markets worldwide. The Bank offers services that help people and companies to succeed, creating wealth and growth across its footprint.
The Global Cyber Alliance
The Global Cyber Alliance (GCA) is an international, cross-sector effort dedicated to eradicating cyber risk and improving our connected world. We achieve our mission by uniting global communities, implementing concrete solutions, and measuring the effect. GCA, a 501(c)3, was founded in September 2015 by the Manhattan District Attorney’s Office, the City of London Police and the Center for Internet Security. Learn more at www.globalcyberalliance.org.
The Cyber Readiness Institute
The Cyber Readiness Institute is an initiative that convenes senior business leaders from across sectors and geographic regions to share resources and knowledge that inform the development of free cybersecurity tools for small and medium-sized businesses. The Institute seeks to advance the cyber readiness of small and medium-sized businesses to improve the security of global value chains. The free, self-guided Cyber Readiness Program for small and medium-sized businesses was launched in December 2018.
Brian Gray, MCP, is the President at Kraft Technology Group, LLC (KTG), an affiliate of KraftCPAs PLLC. Within his role, Brian is responsible for all aspects of service delivery to our clients. Brian has a decade of experience working for managed service providers. He has worked with clients in a variety of industries, including financial services, accounting, legal, healthcare, manufacturing, and retail.