Are your IT managed security services helping you meet evolving regulatory priorities? They should be.
Your choice of IT managed security services provider is critical for helping your organization meet regulatory priorities.
While the FFIEC Cybersecurity Assessment Tool (CAT) provides a reference for the controls required based on your inherent risk profile, the reality is that it hasn’t been updated since May 2017 — and cyberthreats have evolved significantly since then.
The OCC’s regulatory priorities for cybersecurity and operations in the Fiscal Year 2024 Bank Supervision Operating Plan reflect that, highlighting key areas including incident response, data recovery and operational resilience.
To protect your financial institution, it’s essential to stay informed about developments in the cyberthreat landscape and the latest regulatory compliance priorities.
Here are six areas where your IT services should be helping you meet regulatory priorities and mitigate risk:
1. Incident response
Establishing and regularly rehearsing your incident response plan is a crucial part of addressing cyberattacks and business disruption.
When a cybersecurity incident occurs, the immediate reaction is to take steps to fix the situation — often by rebuilding the workstation or server that was compromised. However, these actions can delete all evidence, making it nearly impossible to conduct a forensic investigation.
Your IT managed security services provider should be aware of its role in your incident response plan, help you understand business continuity requirements and regulations and be an active partner in retaining evidence of an attack. Work with a team that’s willing to participate in helping you identify and act on opportunities to gather evidence or work with your digital forensic team during an incident.
2. Data recovery
Testing is vital to maintaining an effective business continuity program. In addition to monitoring your backup system, your IT services provider should be helping you perform monthly file-level recovery tests and annual full recovery tests as part of disaster recovery and business continuity testing and maintenance.
Make sure to also provide your IT managed security services provider with recovery time objectives and recovery point objectives (RTO and RPO) for the critical business functions, systems and applications they support and that their recovery strategies meet your requirements.
And if you’re uncertain of what your RTO and RPO should be, consider working with a provider or a business continuity planning specialist who can help you develop or improve your business impact analysis.
3. Operational resilience
Your IT managed security services should be supporting your vulnerability management program, including periodic vulnerability scanning, patching and updating computers and network devices to help ensure known vulnerabilities are addressed — even for non-Microsoft applications (e.g. Adobe, Flash).
Additionally, they should be assisting you with IT asset and resource management, including replacing deprecated, end-of-life equipment so that it doesn’t introduce security vulnerabilities.
4. Cybersecurity risks
Work with an IT managed security services provider who can provide managed advanced endpoint detection and response (EDR).
Traditional antivirus software checks files and programs against a list of known malicious signatures to decide whether they’re “bad.” Advanced EDR watches everything happening on your device. It looks at how programs and files behave, allowing you to quickly detect and isolate ransomware and other malware before it spreads to other computers, minimizing the damage.
Your IT services provider should be using both to keep your institution safe as part of a comprehensive cybersecurity strategy.
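To make the difference between the two approaches concrete, here is an added example (not code from the original article or from any EDR product) that runs both checks over a constructed stream of endpoint telemetry. The signature check compares each program’s hash against a placeholder list of known-bad hashes; the behavioural check watches for a single process touching many distinct files in a short window, the pattern ransomware produces while encrypting a home directory. The process names, hashes, paths and thresholds are all assumptions chosen for the illustration.

```python
from collections import defaultdict, deque

# Constructed placeholder hashes; these are not real indicators of compromise.
KNOWN_BAD_HASHES = {"placeholder_hash_known_dropper"}


def build_events():
    """Constructed telemetry: a few benign document edits, a slow backup
    job, one dropper with a known-bad hash, and an unknown process that
    renames many user files quickly (ransomware-like behaviour)."""
    events = []
    for i in range(3):  # benign: user editing a handful of documents
        events.append({"ts": i * 20.0, "pid": 100, "image": "winword.exe",
                       "sha256": "placeholder_hash_word", "action": "file_write",
                       "path": f"C:\\Users\\a\\Documents\\report{i}.docx"})
    for i in range(30):  # benign: backup touching many files, but slowly
        events.append({"ts": 100.0 + i * 10.0, "pid": 300, "image": "backup.exe",
                       "sha256": "placeholder_hash_backup", "action": "file_write",
                       "path": f"C:\\Data\\file{i}.dat"})
    events.append({"ts": 40.0, "pid": 400, "image": "dropper.exe",  # caught by signature
                   "sha256": "placeholder_hash_known_dropper", "action": "process_start",
                   "path": "C:\\Users\\a\\AppData\\Local\\Temp\\dropper.exe"})
    for i in range(25):  # suspicious: unknown hash, 25 renames in 5 seconds
        events.append({"ts": 50.0 + i / 5, "pid": 200, "image": "updater.exe",
                       "sha256": "placeholder_hash_unknown", "action": "file_rename",
                       "path": f"C:\\Users\\a\\Documents\\file{i}.xlsx",
                       "new_path": f"C:\\Users\\a\\Documents\\file{i}.xlsx.locked"})
    return sorted(events, key=lambda e: e["ts"])


def signature_hits(events):
    """Traditional AV logic: flag a process only if its hash is on the list."""
    return sorted({e["pid"] for e in events if e["sha256"] in KNOWN_BAD_HASHES})


def behavioural_alerts(events, window_s=10.0, threshold=20):
    """EDR-style logic: flag a process that writes or renames at least
    `threshold` distinct files inside any `window_s`-second window,
    regardless of whether its hash is known. One alert per process."""
    recent = defaultdict(deque)  # pid -> deque of (ts, path) inside the window
    alerts = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["action"] not in ("file_write", "file_rename"):
            continue
        q = recent[e["pid"]]
        q.append((e["ts"], e["path"]))
        while q and q[0][0] < e["ts"] - window_s:  # expire old entries
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= threshold and e["pid"] not in alerts:
            alerts[e["pid"]] = {
                "pid": e["pid"], "image": e["image"], "first_seen": e["ts"],
                "files_in_window": len(distinct),
                "recommended_action": "isolate host, preserve volatile evidence",
            }
    return list(alerts.values())


if __name__ == "__main__":
    evts = build_events()
    print("signature hits (pids):", signature_hits(evts))
    for a in behavioural_alerts(evts):
        print("behavioural alert:", a)
```

The dropper is found only by the signature check, while the renaming process is found only by the behavioural check; the backup job, which touches just as many files, stays below the rate threshold and produces no alert. That last point is the tuning work a managed EDR provider does for you: the window and threshold decide both what is caught and how many false positives your staff chase.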
5. Unauthorized authentication and access
A quality IT managed security services provider can assist you with authentication and access controls to support data protection and privacy. Their support should include multifactor authentication implementation, regular removal of users who are no longer within your organization and monthly reports identifying dormant accounts.
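As an added example (not code from the article or from any vendor), the report described above can be produced from a directory export with a short script. The account records, dates and the 90-day dormancy and 30-day post-disable thresholds below are constructed assumptions; a real run would read the export from your directory service instead of the inline list.

```python
from datetime import datetime, timedelta

# Constructed sample export (hypothetical accounts, not from the page).
# last_logon None means the account has never been used; disabled_on is
# None for accounts that are still enabled.
ACCOUNTS = [
    {"sam": "jdoe",       "enabled": True,  "last_logon": "2024-03-01", "created": "2019-06-10", "disabled_on": None},
    {"sam": "asmith",     "enabled": True,  "last_logon": "2023-09-15", "created": "2018-01-20", "disabled_on": None},
    {"sam": "svc_backup", "enabled": True,  "last_logon": None,         "created": "2023-11-01", "disabled_on": None},
    {"sam": "newhire",    "enabled": True,  "last_logon": None,         "created": "2024-03-10", "disabled_on": None},
    {"sam": "former_emp", "enabled": False, "last_logon": "2023-01-05", "created": "2017-04-02", "disabled_on": "2023-12-01"},
]


def _parse(date_str):
    return datetime.strptime(date_str, "%Y-%m-%d") if date_str else None


def dormant_accounts(accounts, as_of, threshold_days=90):
    """Enabled accounts with no logon in `threshold_days`. Accounts that have
    never logged on are aged from their creation date, so a stale service
    account is reported but a brand-new hire is not."""
    cutoff = as_of - timedelta(days=threshold_days)
    findings = []
    for a in accounts:
        if not a["enabled"]:
            continue  # disabled accounts are handled by stale_disabled_accounts
        last_activity = _parse(a["last_logon"]) or _parse(a["created"])
        if last_activity < cutoff:
            findings.append({
                "sam": a["sam"],
                "days_inactive": (as_of - last_activity).days,
                "never_logged_on": a["last_logon"] is None,
            })
    return sorted(findings, key=lambda f: f["days_inactive"], reverse=True)


def stale_disabled_accounts(accounts, as_of, grace_days=30):
    """Disabled accounts kept past the grace period; these should be removed
    (after any retention the incident-response plan requires)."""
    cutoff = as_of - timedelta(days=grace_days)
    return [
        {"sam": a["sam"], "days_disabled": (as_of - _parse(a["disabled_on"])).days}
        for a in accounts
        if not a["enabled"] and a["disabled_on"] and _parse(a["disabled_on"]) < cutoff
    ]


if __name__ == "__main__":
    report_date = datetime(2024, 3, 31)
    for row in dormant_accounts(ACCOUNTS, report_date):
        print("dormant:", row)
    for row in stale_disabled_accounts(ACCOUNTS, report_date):
        print("remove:", row)
```

Two details matter when a provider builds this report for you: never-used accounts must be aged from creation rather than silently skipped, since unused service accounts are exactly the ones nobody is watching, and disabled accounts need their own list because “disabled” is not the same as “removed”.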
You also need to be aware of how your provider accesses your network and systems.
One of the baseline requirements in the FFIEC CAT is encrypted connections and multifactor authentication for contractors and third parties. Managed IT teams service many clients, and this baseline requirement is commonly not met. In fact, many providers share passwords among employees or even use the same administrator password to provide convenient access to multiple clients. This practice, however, introduces risk to your institution.
6. Third- and fourth-party risks
As a third-party provider, your IT services provider should ensure that their own security practices are helping keep your institution safe. However, many providers commit to practices that may expose you to operational risk.
During your vendor due diligence process, make sure you not only understand your provider’s controls but also those of your provider’s vendors, such as cloud service, data backup and remote monitoring and management providers. Kaseya and SolarWinds are examples of how fourth parties used by providers led to breaches of their clients.
A new and rising threat vector is your vendors’ use of AI. Your vendor due diligence needs to include questions about how AI is used, what data is shared and how your security and privacy are protected with the large language models used by your IT service provider.
How Wipfli can help
Wipfli’s IT managed security services bring industry-specific experience and cybersecurity know-how to help make your institution more efficient and secure.
We understand the complex regulatory environment and unique business operations financial institutions face, making us capable of providing you with the targeted support you need. And we provide support at the level you need, whether you want to augment your current managed IT and security services with additional support or engage a new provider.
Our managed services can do more to protect your financial institution. Contact us today to learn how.