If your company responds to market forces and security incidents with cat-like reflexes, chances are you may already have performed a self-assessment using something like the Federal Financial Institutions Examination Council’s Cybersecurity Assessment Tool (“CAT”).
The average cyber breach costs a company about $4 million with the cost per record estimated at $150 each, says Chris Couch, a cybersecurity expert with McGlinchey Stafford.
Couch, speaking at AFSA’s Law and Compliance Symposium last week, continued AFSA’s series of presentations on the CAT, which offers a framework that “non IT pros” can follow to assess a company’s current risk and identify opportunities to improve cybersecurity preparedness.
This session focused on the inherent risk assessment portion of the CAT. Couch explained the importance of measuring risk and outlined the CAT’s methodology including assessing the profile of the company, its policies and procedures, and its current exposure to technology risks.
Couch discussed elements of the CAT like knowing the number of internet providers your company has; whether or not your IT system is hosted internally or by third parties; if your company allows access from wireless devices; if it uses cloud services for data storage; if it allows access from personal devices like Apple and or Android; and if it requires dual factor authorization.
“Know your company’s delivery channels,” he said. “For example: are they online or mobile or both; what is the number of daily transactions; does it provide payment services; debit card access; or allow ACH payments?”
He says if companies perform an internal risk assessment, they would fall into one of the following five categories of risk.
· Least inherent: no technology and a small geographic footprint
· Minimal inherent: limited technology and systems outsources
· Moderate inherent: some complex technology and outsourced critical systems
· Significant inherent: complex use of technology and high-risk products such as accepting mobile payments and offering services directly
· High level inherent risk: cross-border transactions; in-house developed technology; lots of third-party access to company systems.
“To do this effectively, you must bring together all of the relevant stakeholders,” Couch said. “Identify the networks, the device details and the status of third parties and how they access the institutional systems.”
The final presentation in this series, which will cover the CAT’s measurement of Cybersecurity Maturity, is planned for a meeting later in 2019. In addition to the deep dive into the CAT, AFSA has presented several other sessions on cybersecurity issues in an ongoing effort to share information on this critical issue.