Espionage and criminal heists have enduring popularity whether as news or cultural entertainment. However, it is not just big business for reporters, authors and producers. In the digital era, some reports place losses from cybercrime and cyber-espionage in the hundreds of millions of dollars.
Nevertheless, there is a gap between perceived risk and action. A 2013 report by KPMG LLP (Canada) and The Gandalf Group demonstrated that, while Canadian executives understand that cybersecurity issues are an important overall organizational risk, only 24% of those surveyed are confident in their cyber-security efforts. Perhaps more disturbing, Canadian executives also believe that it will be someone else who is attacked.
Yesterday, the Office of the Superintendent of Financial Institutions in Canada (OSFI) released Cyber-Security Self-Assessment Guidance for federally regulated financial institutions (FRFIs). The Guidance stated that the "increasing frequency and sophistication of recent cyber-attacks has resulted in an elevated risk profile for many organizations around the world." OSFI also stated that the reliance on technology and the interconnectedness of the financial sector means that threats due to cyber-attacks may affect the overall economy. Therefore, senior management of FRFIs must assess and adapt preparedness.
To assist organizations, OSFI has published a template risk assessment tool. However, unlike the US National Institute of Standards and Technology draft Cybersecurity Framework (developed at the direction of the US President's Executive Order on critical infrastructure cyber-security), OSFI is less prescriptive and states that it does "not currently plan to establish specific guidance for the control and management of cyber risk." Rather, the Guidance provides a template for organizations to measure their level of maturity in addressing cyber-security risks. OSFI did say that it may request that FRFIs use the assessment tool or "otherwise emphasize cyber-security practices during future supervisory assessments."
The OSFI self-assessment tool consists of six components. Each component contains numerous cybersecurity preparedness principles. FRFIs are meant to rate themselves from 1 to 4, with "1" being not implemented and "4" being fully implemented. The following is a brief orientation to the six components.
- Organization and Resources. In this component, the FRFI assesses whether it has clearly defined roles and accountability for cybersecurity issues as well as appropriately trained personnel and resources to implement threat intelligence, threat management and incident response.
- Cyber Risk and Control Assessment. This component contains principles that are focused on whether the FRFI has processes to assess and respond to cyber-security risks, including those arising from its critical IT service providers. For example, one question relates to whether the FRFI conducts regular cyber-attack and recovery simulation exercises.
- Situational Awareness. The principles in this component relate to the FRFI's self-knowledge of its own infrastructure and cyber-security events, and to its knowledge of cyber-security risks in the industry generally.
- Threat and Vulnerability Risk Management. This component involves principles relating to data loss detection and prevention, cyber incident detection and mitigation, software security, network infrastructure security, network access control and management, third party management, and other vulnerabilities.
- Cyber-security Incident Management. Under this component, the FRFI assesses itself against principles relating to the maturity of the FRFI's cyber-security incident management framework.
- Cyber-security Governance. The principles in this component include whether the FRFI has an enterprise-wide cyber-security policy or strategy, conducts internal audits, identifies and manages cyber-security risks as part of the overall risk management processes of the organization, has established senior management and board reporting and oversight, and benchmarks against the industry.
The OSFI guidance can be found here.
For more information, visit our Data Governance Law blog at www.datagovernancelaw.com
Dentons is a global firm driven to provide you with the competitive edge in an increasingly complex and interconnected marketplace. We were formed by the March 2013 combination of international law firm Salans LLP, Canadian law firm Fraser Milner Casgrain LLP (FMC) and international law firm SNR Denton.