
What Bankers Need to Know About NIST 2.0: The Role of Governance and Third-Party Risk Management in Cybersecurity

Mar 21, 2024

The National Institute of Standards and Technology (NIST) Cybersecurity Framework is the gold standard for cybersecurity – and it’s undergone its first major update since it was released in 2014. What does NIST 2.0 mean for financial institutions that rely on NIST’s framework to reduce cybersecurity risk?

We’re here to break it down for you.

Table of Contents

  • Major differences between NIST and NIST 2.0
  • NIST 2.0 goes all in on governance
  • Governing third-party risk

Major differences between NIST and NIST 2.0

The update to NIST comes down to two major changes.

1. NIST 2.0’s new focus on governance. For years the NIST framework has been defined by five key pillars: Identify, Protect, Detect, Respond, and Recover. In a groundbreaking change, NIST added a sixth pillar: Govern.

This new pillar is a significant update that addresses the necessity of integrating cybersecurity into a financial institution’s broader enterprise risk management strategy.

2. Third-party risk. Compared to NIST 1.0, the updated version of NIST pays much greater attention to third-party risk: “Importantly, organizations should use the framework both internally and to oversee third parties.”

Let’s examine what these changes mean and how financial institutions can embrace the new NIST framework for a more holistic approach to managing cyber risk.

NIST 2.0 goes all in on governance

NIST 2.0 makes governance central to cybersecurity risk management. The Govern pillar emphasizes the importance of clear governance structures – including the roles, responsibilities, policies, procedures, and oversight necessary – to ensure risk is managed comprehensively and effectively. The goal is for an institution to make wise decisions, ensure accountability, improve efficiency, and safeguard its reputation when it comes to cybersecurity. 

Clearly defined policies based on risk assessments are an essential part of the NIST 2.0 Govern pillar. This involves aligning the cybersecurity strategy with the organization's mission, business goals, risk tolerance, and overall risk management framework. 

FIs operating under NIST need leadership to define and assess the cyber risks unique to their institution, craft policies to mitigate those risks, and oversee the Detect and Protect processes that guard against threats.

Here are the steps bankers can take to enhance cyber risk governance:

1. Keep your policies current: Cyber threats are a moving target, and your FI’s cybersecurity policies require consistent review and revision.

With the rise of Banking-as-a-Service (BaaS), financial institutions rely more than ever on sound risk management policies. Take the example of an FI introducing a platform for opening online accounts. 

Do your current policies reflect the risk associated with this new product? Do you need enhanced monitoring to detect unauthorized users on the platform? 

Many financial institutions don’t revisit policies often enough. How frequently you review cybersecurity policies depends on many factors, including the products and services you offer, third-party relationships, your institution’s risk appetite, etc. Sound governance means making policy changes that align with the current cybersecurity environment and your institution's strategic objectives.

2. Prioritize risk assessments: Risk assessments translate into policies that are the basis for your institution’s cybersecurity control environment.

These assessments determine the likelihood of a cyber incident. Do you have adequate safeguards in place to protect your institution? Risk assessments also reveal the potential ramifications of a cyber incident. The Detect function under the NIST framework calls for institutions to assess the impact and scope of adverse cyber incidents.

Assessing cybersecurity risks may fall on the shoulders of IT managers, but banking leadership is ultimately responsible for devising and executing policies based on solid risk assessments. Mature cybersecurity risk management programs rely on governing policies derived from risk scoring and assessments.

Related: Risk Assessments 101: The Role of Probability and Impact in Measuring Risk

3. Focus on employee training and access management: Under the NIST framework, employee training and access management fall under the Protect function. But these risk mitigants begin with governance. You’re jeopardizing your institution if you lack policies outlining cybersecurity training programs and access control.

More than 90% of all cyberattacks occur because employees aren’t adequately trained to identify common hacker tactics, from phishing emails to phone scams.  

While regularly updating employee cybersecurity policies is a fantastic start, leadership must also ensure employees follow these policies. This may seem obvious, but even multi-billion-dollar corporations such as MGM Resorts have fallen prey to costly cyber breaches because employees didn’t adhere to policy.

FIs need to ensure employees:

  • Have received updated policies
  • Have read and understand them
  • Take the necessary action, such as training
  • Implement policies into their daily workflow

Institutions sometimes run into the issue of tracking employee policy acknowledgments and training completion. When financial institutions rely on manual processes to track these, it’s far too easy for policy updates to slip through the cracks. 

The same goes for access control. Managing permissions is key to security, but you need policies on user authentication and procedures for monitoring access to devices and systems. 

Investing in a dedicated employee management platform improves operational efficiency across the board – and it’s imperative to cybersecurity governance.

4. Communicate cybersecurity policies and practices: Cybersecurity policies and practices must permeate your institution. The institutions that are most successful in managing cyber risk create a culture of risk management, document and communicate changes, empower employees to offer feedback, and inspire stakeholders to make informed decisions.

5. Monitor cyber risks: NIST’s updated framework confirms that governance demands regular cyber risk monitoring. Cybersecurity monitoring enables financial institutions to oversee potential threats and detect vulnerabilities before they become full-blown incidents.

Cybersecurity monitoring helps you:

  • Discover cybersecurity issues that require resolution before they become a problem
  • Identify risks in real time, enabling your institution to Respond with greater speed and efficiency 
  • Adjust policies, procedures, and processes to reflect current cyber threats

Monitoring cyber risks is easier said than done. Many financial institutions lack adequate systems for cybersecurity monitoring, and those that use the NIST 2.0 framework may need to upgrade their cyber monitoring capabilities soon.

Governing third-party risk

NIST 2.0 strongly emphasizes governing supply-chain risk. There’s a good reason for this: cyber risk has grown as organizations become more reliant on third-party partnerships.  

This is especially true for financial institutions. 

Recently, the ransomware group LockBit hacked into the systems of Infosys McCamish, a financial software provider, compromising the personally identifiable information (PII) of 57,000 Bank of America customers. Earlier this year, 60 credit unions experienced extended service outages following a data breach at a third-party business continuity/disaster recovery provider. 

You could write an entire book on all the third-party data breaches, hacks, and system outages that have adversely impacted financial institutions over the past several years. In fact, NIST published a book on this very subject in 2022. 

NIST 2.0 concludes that third-party cyber risks cannot be addressed through ad hoc and piecemeal efforts. Financial institutions require robust governance to build an effective third-party risk management program. 

The direct link between managing vendor risk and banking governance was also solidified last year with the release of the Interagency Guidance on Third-Party Relationships: Risk Management.

The agencies expect a bank’s board of directors to identify its institution’s risk appetite and craft third-party risk policies appropriately. Boards and bank leadership must integrate third-party risk management policies and controls within the bank’s overall risk management system, according to regulators. 

Considerations for addressing third-party cyber risk might include: 

  • Due diligence and cyber risk assessments 
  • Ensuring vendor security standards that comply with regulatory law and industry benchmarks 
  • Mechanisms for monitoring third-party cyber risk 
  • Vendor employee access to critical banking systems, including onboarding and employee termination
  • Vendor cyber incident response times and continuity plans 
  • Legal protections and contract indemnity provisions for failures

The above list is not exhaustive. Third-party cybersecurity policies should dictate how your institution plans to mitigate vendor risks outside its risk tolerance thresholds.

Banking governance 2.0

NIST 2.0 identifies governance as a cornerstone for enterprise-level cybersecurity. Embracing the new NIST framework means embracing integrated risk management with governance at its core. As financial institutions move towards better incorporating governance into their cybersecurity programs, they will require more advanced solutions and technologies.

Governance and management go hand in hand. Learn more in our webinar: "The ‘M’ in CAMELS: The Role of Risk Management"
