Global regulators are producing a steady flow of operationally-intensive rules focused on new digital risks in 2022. Amongst them, cybersecurity is emerging as a top pain point as more persistent attacks threaten banking supply chains. New, deeper and aligned controls are now the order of the day.
In this article we summarise the main components of a globally-aligned cyber control framework and how JWG is working to tame technology controls prescribed by global regulators.
Europe’s cyber watchdog estimates that there were four times as many supply chain attacks in 2021 than 2020 – half of which are more serious, persistent threats. While the majority of losses are not disclosed, estimates made by IBM exceed $3m on average in 2020.
As JWG third party risk research has shown, the problem is that whilst an organisation may have strong cyber defences, its supply chain may not. Even the tiniest of weaknesses can cause breaches for thousands of businesses and customers and is a costly effort to repair.
The key to overcoming threats is the due diligence process for suppliers / partners as well as any shared infrastructure. JWG’s Q421 research showed how global regulations like operational resilience and operational risk are being adjusted accordingly.
In the past 3 months alone, JWG have catalogued dozens of papers on cyber policy from Australia, Europe, Hong Kong, International, Singapore, UK and US agencies.
The US, NIST Cybersecurity Framework, the EU with the Digital Operational Resilience Act (DORA) and Singapore’s MAS Technology Risk Management Guidelines, demand that controls are adapted to meet evolving threats.
NIST’s Cybersecurity Framework is probably the most extensive and widely used cybersecurity framework. It covers a broad range of controls that have been integrated into institutions across multiple jurisdictions, despite its American origin. As with other regulatory topics of a technical nature, cybersecurity compliance is complex, and intertwined with other technology and data control statements.
Cybersecurity is a topic of critical interest to regulators. Though there is no globally agreed definition, it is broadly understood by industry SMEs as the management of threats to critical technology infrastructure. It often involves protecting services, devices and information from threats and hazards.
More and more as technological service dependency deepens, and our systems and processes become increasingly reliant on the supply chain underpinning them, cybersecurity is becoming a growing area of concern for all institutions.
The threats posed can be seen as belonging to two distinct categories: Technology Attacks and Technology Hazards, with a different type of management required of the areas.
Technology Attack: These are threats that come from intent, a cyber-attack that intends a negative consequence for the institution, such as denial of service attacks; espionage; malware; key logging, etc.
Technology Hazard: These are threats that occur without intent, such as outages; data corruption; malfunctions; compatibility issues.
Why is the distinction important? Even within a single framework, the concepts involved can be complex and challenging to implement in a comprehensive and efficient manner. Disambiguating the regulatory language is critical to having a more complete understanding between types of threat, vulnerabilities, solutions, controls and target states. This is the first step towards a clear and stable foundation of compliance, allowing for the avoidance of costly errors and duplication of effort.
NIST and other cyber controls
The NIST Cybersecurity Framework provides controls, guidance and standards for the protection of critical technology infrastructures, which are critical to institutions’ security and continuity. The framework helps in the management of a wide range of regulatory risks. It organises the guidance into key families of controls covering topics such as access control, configuration, monitoring, program management, supply chain management, incident response, training, risk management, authentication physical protection and system integrity.
Because NIST’s cybersecurity framework is one of the most extensive and widely used frameworks, it is sensible to use this as a baseline for comparison to frameworks from other jurisdictions. While it does not cover every area that may be included in other jurisdictions, it is arguably one of the most complete.
However, the NIST cybersecurity framework is still only one of many frameworks for managing cybersecurity/ technology risks from around the globe. There are several key cybersecurity regulations, including the UK’s NCSCs frameworks and Singapore’s Technology Risk Management Guidelines from MAS. We find the NIST framework has important deltas with these other structures and that the gaps and overlaps must be aligned against one another.
It is not only that the topics covered are different, but that the language used can change from framework to framework, despite identifying similar issues. This happens extensively but examples include data security and information security, take MAS, using “Information Security” as reference to the functional role, versus “data security” to reference the protection of information/data, differing again from NIST using “data security”, differing again from DORA’s and the NCSC CAF’s “data protection” use. Another simple example is authentication and identification controls, such as in “User Access Management” from MAS, “Access Control” from the NCSC CAF, DORA’s “Access Rights”.
Terms such as “cryptographic protection” versus “encryption”, and “DLT” definitions can result in different regulators often conflating and encompassing various concepts into the scope of different language labels. Even the multitude of ways to talk about third party risk management, or the supply chain, can provide an example of how multiple labels can describe the same, or worse similar, concepts.
These small, but important differences can leave institutions struggling to reconcile frameworks either falling short or overcompensating; either way a costly mistake. This is not the end of the conflicts, however, as controls may also be on the same topic, but be above or below the requirements from another jurisdiction, take one of thousands of examples of the Access Control issue of device locking, in which NIST requires the control that prevents access after a defined period of time, with other frameworks having no such defined control requirements. This adds yet another layer of complexity to an already challenging situation. Adhering to one framework may be sufficient in one jurisdiction, but fall short elsewhere, and vice versa. This can vary from topic to topic; from control to control.
Getting controls under control
Institutions need to align their global infrastructures to local laws to effectively protect themselves, and their supply chain, from cybersecurity threats.
Duplication of effort will ultimately increase the cost and complexity of compliance. On the other hand, is the risk of non-compliance and costly fines.
Even unravelling the linkages and interdependencies for a cyber control framework can be a huge resource drain that many institutions could do without.
How do institutions manage their cybersecurity risk in this complex, overlapping and uneven landscape? The answer is to create a comprehensive framework to manage obligations for Cyber across jurisdictions, and then into other regulatory themes.
JWG has laboured for a year to produce a set of comparative control ontologies, which harness years of industry experience to make sense of IT Infrastructure controls.
We have linked controls to risks, jurisdictions, legislative initiatives, issuing bodies to create a logically-defined, conceptually-disambiguated 3-dimensional view of the cybersecurity control frameworks in context of each other as well as the wider landscape of regulation.
Cyber is just one of many other regulatory techology pain points affecting the entire supply chain including ESG scope 3 disclosures, Data Privacy, Operational Resilience, APIs, PETs and more.
For further details on how you can join us in developing an integrated view of the regulatory landscape, contact Corrina.firstname.lastname@example.org.