RegTech and cyber security compliance
The latest buzzword to emerge from FinTech is RegTech, which brings with it the promise of technical solutions that keep organisations compliant by turning regulatory and financial risk management into an effective, measurable business process.
Most organisations need to meet certain regulatory obligations set by the government, even if it’s just filing a tax return or submitting an annual report. Yet on top of those requirements, certain industries such as financial services also have their own rules that must be adhered to.
In the financial services sector, there are strict rules as to how organisations operate and behave (covering people, processes and technology), and the rules are clear about what they should and should not do. In many cases, if organisations do not meet these requirements they can be fined or lose their licence to operate. For example, organisations that accept and process credit card payments are contractually obliged to meet the Payment Card Industry Data Security Standard (PCI DSS), which is maintained by the PCI Security Standards Council, a body founded by the major card brands. If an organisation fails its annual PCI DSS assessment, or is breached and found to be lacking in areas of the standard's implementation, it can be fined by the card brands or its acquirer and have its ability to accept card payments revoked until the appropriate fixes have been implemented and verified.
It is for these reasons that the promise of RegTech is getting the attention of the C-suite. With so many obligations to fulfil, organisations are looking for solutions that give the business a current view of its security status and highlight any residual risk for investigation and response, rather than a point-in-time view that is already stale by the time the audit report is written.
Governance versus management: understanding the difference
It is easy to hand a compliance requirement such as PCI DSS to the head of IT and expect them to implement and maintain it, but IT teams are not always equipped to understand the nuances of governance requirements. Governance is the framework of organisational behaviours, processes and technology systems that direct, enable and monitor the organisation's ability to comply with regulatory requirements. Governance does not cover management activities, nor does it by itself ensure that requirements are being met; rather, it sets the standards that must be adhered to, leaving the doing to managers in day-to-day operations.
Looking at PCI DSS again as an example, any organisation adhering to those rules has a strict set of requirements to meet to keep cardholder data safe and secure. The governance model adopted by a PCI DSS organisation lays down the processes and practices that should be followed to meet those requirements. However, security managers and operations managers do not always have the underlying knowledge and capability to monitor compliance continuously, especially as ICT systems change frequently: patches, upgrades, complex system integration and external influences such as changes in cloud services can each silently erode a control that passed at the last assessment.
Managers need a way to implement the requirements of a compliance standard so that the governance aspect of their organisation is satisfied and they remain on the right side of an audit, and that is the promise of RegTech.
So let us look at how a scorecard approach to security can help managers monitor compliance and react in time to fix issues before they get out of hand.
Continuous monitoring of security compliance
PCI DSS specifies concrete technical requirements, such as how security log events are collected, protected and retained; how the card processing network (the cardholder data environment) is segmented from the corporate network; and how cardholder data must be stored and transmitted across the corporate network or the Internet. A security manager's role is to take these requirements and ensure they are addressed in the systems they protect, typically beginning with an audit or technical assessment of system architectures, then running tests and implementing security controls to close the gaps found. A governance audit at this stage, once the control is implemented, should pass, since the project has delivered a working solution to meet the requirements set out in the regulatory standard.
The security manager can now move on to other activities, safe in the knowledge that this requirement satisfies the governance model the organisation adheres to (as the duties of the security manager role demand). Three months later, the firewall vendor that provides the system maintaining separation between the payment card network and the corporate network ships the network team an update containing a whole new set of features for remote management. The network team, understanding the value this will bring, follow the internal technical change process, get the update implemented, and everyone is happy.
Now fast forward to the next PCI DSS audit, where a serious issue is uncovered: the new management software on the firewall has given the network team remote access to the PCI DSS network from outside the organisation, over the Internet, and a flaw in that connection means the browser-based interface is leaking information. The change process was followed, but it assessed operational impact, not the effect on a control the organisation's compliance depends on. Until the issue is fixed, the company is told it must switch off the firewall management interface, causing major operational problems for the business. The question is how the security manager can avoid issues like this and remain compliant with all governance requirements, without spending every minute of every day looking at each control. The answer is RegTech.
Using scorecards for compliance management
Security scorecards are designed to monitor and report on the efficacy of important security controls. They give security managers confidence that technology implementations remain compliant and maintain the desired strategic security alignment (in other words, that they can still pass the audit). Scorecards that operate within an organisation's own environment give security managers and auditors visibility of each control's current status, and some technologies also alert on any change and reflect it in a security dashboard. The practical caveat is that a scorecard is only as good as what it measures: a check that confirms a segmentation rule still exists in the configuration would not have caught the scenario above, whereas one that tests whether the management interface is actually reachable from the Internet would.
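The following is an added example, not code from the original article or from any RegTech product, showing what a continuous check for the firewall scenario above could look like. It models a cardholder data environment (CDE) behind a firewall, diffs the live ruleset against an approved baseline, and replays audit-style probes through first-match rule evaluation to produce a scorecard entry. The rule format, addresses, rule descriptions and probe list are all constructed for illustration and are not any vendor's export format; a real implementation would pull the ruleset from the firewall's API or configuration backup.

```python
"""Added example: a continuous compliance check for segmentation drift.

Models the page's scenario: a firewall update adds Internet-reachable
management access to the cardholder data environment (CDE). The check
diffs the live ruleset against an approved baseline and replays
audit-style probes using first-match semantics, producing a scorecard
entry immediately instead of waiting for the annual assessment.
"""
import ipaddress
import json
from typing import List, NamedTuple, Optional, Tuple


class Rule(NamedTuple):
    action: str           # "allow" or "deny"
    src: str              # source CIDR
    dst: str              # destination CIDR
    dport: Optional[int]  # None means any port
    note: str             # description (hypothetical rule names)


# Constructed sample data in a hypothetical, vendor-neutral format.
CDE = ipaddress.ip_network("10.20.0.0/24")

APPROVED_BASELINE = [
    Rule("allow", "10.10.0.0/24", "10.20.0.1/32", 443, "firewall mgmt from internal jump hosts"),
    Rule("allow", "10.30.0.0/24", "10.20.0.0/24", 8443, "payment app to CDE"),
    Rule("deny", "0.0.0.0/0", "10.20.0.0/24", None, "default deny into CDE"),
]

# The live ruleset after the 'remote management' update was applied.
CURRENT_RULESET = [
    Rule("allow", "10.10.0.0/24", "10.20.0.1/32", 443, "firewall mgmt from internal jump hosts"),
    Rule("allow", "0.0.0.0/0", "10.20.0.1/32", 443, "vendor cloud mgmt (added by update)"),
    Rule("allow", "10.30.0.0/24", "10.20.0.0/24", 8443, "payment app to CDE"),
    Rule("deny", "0.0.0.0/0", "10.20.0.0/24", None, "default deny into CDE"),
]

# Audit-style probes (source, destination, port) that must all be denied.
# 203.0.113.10 is a TEST-NET-3 address standing in for 'the Internet'.
PROBES: List[Tuple[str, str, int]] = [
    ("203.0.113.10", "10.20.0.1", 443),
    ("203.0.113.10", "10.20.0.1", 22),
    ("203.0.113.10", "10.20.0.50", 8443),
]

IMPLICIT_DENY = Rule("deny", "0.0.0.0/0", "0.0.0.0/0", None, "implicit deny")


def rule_matches(rule: Rule, src_ip: str, dst_ip: str, port: int) -> bool:
    """True if the rule covers this source, destination and port."""
    return (
        ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.src)
        and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(rule.dst)
        and (rule.dport is None or rule.dport == port)
    )


def first_match(ruleset: List[Rule], src_ip: str, dst_ip: str, port: int) -> Rule:
    """First-match evaluation, as most firewalls do it, with an implicit deny at the end."""
    for rule in ruleset:
        if rule_matches(rule, src_ip, dst_ip, port):
            return rule
    return IMPLICIT_DENY


def find_drift(baseline: List[Rule], current: List[Rule]):
    """Rules present in one set but not the other (order-insensitive)."""
    added = [r for r in current if r not in baseline]
    removed = [r for r in baseline if r not in current]
    return added, removed


def probe_segmentation(ruleset: List[Rule], probes=PROBES) -> List[str]:
    """Replay the probes; any traffic allowed into the CDE is a finding."""
    findings = []
    for src, dst, port in probes:
        hit = first_match(ruleset, src, dst, port)
        if hit.action == "allow" and ipaddress.ip_address(dst) in CDE:
            findings.append(f"{src} -> {dst}:{port} allowed by rule '{hit.note}'")
    return findings


def scorecard(baseline: List[Rule], current: List[Rule]) -> dict:
    """One control's scorecard entry: status plus the evidence a responder needs."""
    added, removed = find_drift(baseline, current)
    findings = probe_segmentation(current)
    return {
        "control": "CDE segmentation / remote administrative access",
        "status": "FAIL" if findings else "PASS",
        "drift": bool(added or removed),
        "added_rules": [r.note for r in added],
        "removed_rules": [r.note for r in removed],
        "findings": findings,
    }


if __name__ == "__main__":
    print(json.dumps(scorecard(APPROVED_BASELINE, CURRENT_RULESET), indent=2))
```

Run against the baseline the control passes with no drift; run against the post-update ruleset it reports the added vendor rule and one finding, the Internet-sourced probe to the management address on port 443. Note that the drift check alone is not enough: it would also fire on harmless rule reordering or comment changes, which is why the probe replay decides the pass/fail status and the drift flag is only supporting evidence.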