
What are IT and Cyber Controls and How to Achieve Control Harmonization?

5 min read

Introduction

In the previous post in this series, What are Cyber Frameworks and How Should You Choose the Right One?, we walked through IT/cyber frameworks and how they are used to manage IT and cyber risks. In this second part, we review IT/cyber controls, how to choose them effectively, and how to harmonize them across frameworks.

What are Controls?

Controls can be defined as safeguards, mechanisms, or countermeasures, implemented by organizations, to avoid, detect, counteract, or minimize security risks (threats/attacks) to protect the confidentiality, integrity, and availability of data and information assets.

Implementing the right set of controls can better protect the organization from attacks, breaches, and threats, and if done intelligently, may result in resource and cost savings.

Types of Controls

Controls can be classified along two independent dimensions: by their nature (type) and by the function they perform.

Types (by nature)

  • Administrative/Managerial Controls are policies and procedures that provide structure and guidance to individuals
  • Physical Controls limit physical access to systems and act as offline barriers
  • Technical/Logical Controls limit access to systems or data through hardware or software, such as encryption, fingerprint readers, authentication, authentication codes
  • Operational Controls involve people conducting processes on a day-to-day level, such as awareness training, asset classification, reviewing log files

Functions (by what the control does)

  • Preventive Controls prevent or restrict certain activities, such as unauthorized system access or data alteration
  • Detective Controls alert on deviations from the expected state, such as video surveillance, intrusion detection systems, honeypots
  • Deterrent Controls discourage threat actors from attempting to exploit a vulnerability, such as sanctions defined in policy, or laws and their enforcement
  • Corrective Controls move a system from a compromised state back to a good one, such as patching a system, quarantining malware, terminating a process
  • Recovery Controls restore what was lost, such as restoring a hard drive from backup

Every control has both a type and a function, and the two dimensions combine freely, as the examples below show:

  • To manage risk, an organization might rely on controls that are administrative by type and preventive by function. An acceptable-use policy for assets, reinforced by regular security awareness training, is administrative (a policy and a procedure) and preventive (it restricts what users may do before any incident occurs).
  • To detect attacks, an organization might use controls that are technical by type and detective by function. An intrusion detection system and an antivirus tool are both technical (software) controls whose function is detective (they alert on malicious activity); the antivirus tool is also corrective when it quarantines what it finds.
  • To control access, an organization might combine physical and technical types, both preventive in function. Restricting access to premises through guards and badge readers (physical) is paired with two-factor authentication for IT systems (technical).

There can be numerous combinations of control types and functions. Many are provided for across the various frameworks, and yet more can be conceptualized and implemented by organizations themselves.

How Can Controls be Harmonized?

As the above suggests, security and risk teams have to deal with hundreds of controls across multiple frameworks. Because several frameworks prescribe near-identical controls, this leads to duplicated work and possibly errors in implementing and monitoring compliance. Some frameworks even have conflicting controls. This causes confusion and makes the collective management of security, risk, and compliance a Herculean task. The best practice is to harmonize controls across the various frameworks.

In essence, harmonizing controls follows the principle of “ask once, answer many”. Instead of asking multiple teams, multiple times, simplify the process. The goal is to group same or similar controls/requirements across frameworks together, run tests, and complete compliance through a single instance, and then update the status for all such controls/requirements, collectively with a single action.

A common example is the password policy applied to user accounts (for instance a minimum length, and throttling or lockout after repeated failed attempts). Requirements of this kind appear in NIST SP 800-63B (its verifier requirements for memorized secrets) and in ISO/IEC 27001 Annex A (management of authentication information), among others. Tested once against the identity provider's configuration, the result satisfies both, yet without harmonization the evidence would be collected, updated and reported separately for each framework. Note that the detailed requirements do differ: NIST SP 800-63B explicitly advises against forcing periodic password changes (the old "every 90 days" rule), so a harmonized control must be defined to satisfy the strictest applicable mandate without contradicting another.

Another common example is the risk assessment prescribed by most frameworks at an intermediate maturity level. If the assessment scope does not vary between frameworks, the assessment can be carried out once and its result recorded once, instead of through multiple, disparate updates.

Controls can be harmonized in the following ways:

  • Creating a custom framework that collates the applicable frameworks and eliminates duplicate controls. According to UCF (the Unified Compliance Framework), the best way to do this is to:
    • Extract Mandates: Define rules to extract mandates from various applicable frameworks.
    • Map Mandates to Common Controls: Map mandates from such frameworks to common controls and when necessary create new common controls.
    • Report Mapping Accuracy: Calculate the percent of match accuracy when tagging mandates and mapping them to common controls.
    • Standardize Audits: Leverage a standardized structure for auditing the implementation of the common controls.
  • Implementing a ready-made common controls framework
  • Using a GRC solution that includes control harmonization
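As an added illustration of the "ask once, answer many" principle and of the extract / map / report-accuracy steps listed above (example code written for this page, not MetricStream's or UCF's software): a small registry maps mandates from several frameworks onto common controls, records one test result per common control, derives every mandate's status from that single result, and reports mapping coverage. The framework names are real; the clause references, the control identifier, the threshold values and the evidence string are assumptions made for illustration.

```python
"""'Ask once, answer many': map mandates from several frameworks onto common
controls, test each common control once, and derive every mandate's status.

Added example, not MetricStream's or UCF's code. Framework names are real;
clause references, control identifiers, parameters and evidence strings
are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Mandate:
    """One requirement as worded by a single framework."""
    framework: str
    ref: str                                   # the framework's own clause identifier
    text: str
    params: dict = field(default_factory=dict)  # measurable thresholds, if any


@dataclass
class CommonControl:
    """One harmonized control that several mandates map onto."""
    cid: str
    title: str
    mandates: list = field(default_factory=list)
    status: str = "not tested"                 # not tested | pass | fail
    evidence: str = ""

    def effective_params(self):
        """Strictest threshold per parameter across all mapped mandates.
        Assumes 'stricter' means numerically larger (e.g. a minimum length)."""
        out = {}
        for m in self.mandates:
            for key, value in m.params.items():
                out[key] = max(out.get(key, value), value)
        return out


class ControlRegistry:
    def __init__(self):
        self.controls = {}
        self.unmapped = []

    def add_control(self, cid, title):
        self.controls[cid] = CommonControl(cid, title)

    def map_mandate(self, mandate, cid=None):
        """Attach a mandate to a common control; park it if none fits yet."""
        if cid is None:
            self.unmapped.append(mandate)
        else:
            self.controls[cid].mandates.append(mandate)

    def record_test(self, cid, passed, evidence):
        """Test once: every mandate mapped to this control inherits the result."""
        control = self.controls[cid]
        control.status = "pass" if passed else "fail"
        control.evidence = evidence

    def mandate_status(self):
        """Per-framework report, derived entirely from the common controls."""
        report = defaultdict(dict)
        for control in self.controls.values():
            for m in control.mandates:
                report[m.framework][m.ref] = control.status
        for m in self.unmapped:
            report[m.framework][m.ref] = "unmapped"
        return dict(report)

    def mapping_coverage(self):
        """Percentage of mandates that map to some common control."""
        mapped = sum(len(c.mandates) for c in self.controls.values())
        total = mapped + len(self.unmapped)
        return 100.0 * mapped / total if total else 0.0


def build_example_registry():
    """Three password-related mandates from three sources, mapped to one control."""
    reg = ControlRegistry()
    reg.add_control("CC-AUTH-01", "Password quality is enforced by the identity provider")
    reg.map_mandate(Mandate("NIST SP 800-63B", "5.1.1.2",
                            "User-chosen memorized secrets are at least 8 characters",
                            {"min_password_length": 8}), "CC-AUTH-01")
    reg.map_mandate(Mandate("ISO/IEC 27001:2022", "A.5.17",
                            "Authentication information is managed"), "CC-AUTH-01")
    reg.map_mandate(Mandate("Internal policy", "PWD-01",
                            "Passwords are at least 12 characters",
                            {"min_password_length": 12}), "CC-AUTH-01")
    # A mandate with no common control yet: it shows up as a coverage gap.
    reg.map_mandate(Mandate("Internal policy", "LOG-07", "Logs are retained for one year"))
    # One test with one piece of evidence answers all three mapped mandates.
    reg.record_test("CC-AUTH-01", passed=True,
                    evidence="IdP password-policy export (constructed), 2023-01-15")
    return reg


if __name__ == "__main__":
    registry = build_example_registry()
    print(registry.mandate_status())
    print(f"mapping coverage: {registry.mapping_coverage():.0f}%")
    print(registry.controls["CC-AUTH-01"].effective_params())
```

The effective_params method shows why the mapping step needs care: when mapped mandates set different thresholds for the same parameter, the harmonized control has to satisfy the strictest one, and a mandate that cannot be expressed as a simple maximum is a conflict to resolve explicitly rather than to hide behind a shared status.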

[To learn more about using a common controls framework, download our eBook, Simplify and Accelerate Your IT Compliance by Leveraging a Common Controls Framework.]

Ideally, using a GRC solution complements creating a custom framework or implementing a common controls framework (CCF), as it breaks down silos and consolidates the compliance and reporting activities.

MetricStream's CyberGRC, IT Risk, and IT Compliance products come with built-in features for populating and harmonizing controls across more than 100 cyber frameworks. To learn more, please click here to schedule a personalized demo.

On a different but connected note, at MetricStream we anticipate regulatory reporting to increase significantly as a top cyber risk trend in 2023. To ensure compliance, organizations must stay up to date on proposed regulations and view them in conjunction with the frameworks and standards they already follow. Harmonizing controls, as explained here, is an essential and beneficial step toward tackling this challenge.

Check out 2023’s other Top Cyber Risk Trends. Download our eBook now.


Agnishwar Banerjee Product Marketing, MetricStream

People call me AB and I am part of the CyberGRC Product Marketing team at MetricStream, where I handle the messaging, product go-to-market plans, and analyse market trends. Having witnessed the transition from offline to online firsthand (80’s child), for most of my life, I have been an avid enthusiast in the domain of technology and cyber security including personal cybersecurity. Over the last 10 years, I have been involved in developing and marketing risk-focused, SaaS products. I have a good mix of right brain and left brain and love reading, learning new things and am generally a big believer in the power of looking inward, effective processes and people.

 

Defending the Digital Landscape with Effective Vulnerability Management

6 min read

Introduction

With the growing sophistication, severity, and magnitude of cyber attacks, CISOs and security teams are under immense pressure to protect their IT assets. As organizations increasingly rely on web applications to address specific business requirements, discovery and remediation of vulnerabilities have become a top priority for organizations across industries.

According to data from the National Institute of Standards and Technology (NIST) National Vulnerability Database, a record 20,158 vulnerabilities were reported in 2021. Triaging and remediating 20,000 new vulnerabilities in a year is a daunting proposition for an organization of any size.

Organizations need robust vulnerability management programs to proactively address vulnerabilities before they can be exploited by threat actors.  

The Challenges

Many organizations still rely on manual and siloed approaches to vulnerability management, which are prone to errors and inefficiencies. Often multiple scanners are used (for network vulnerabilities, application vulnerabilities, and so on) without a centralized repository. With vulnerabilities discovered and handled in silos, it becomes very difficult to track them effectively.

The challenges are further exacerbated by the lack of a structured, current, and complete inventory of assets. Creating and maintaining an inventory of all organizational assets is foundational for an effective vulnerability management program: a scanner can only report on what it knows to scan, and a finding cannot be prioritized without knowing what the affected asset is for. The inventory provides the visibility needed to identify the assets most exposed to exploitation and to take preventive steps as needed.

Many organizations also approach vulnerability management only periodically. A sporadic approach inevitably results in "vulnerability debt" as teams struggle to control the flurry of findings. As new, and possibly actively exploited, vulnerabilities continue to emerge, organizations find it difficult to address them while working through a growing backlog.

Ideally, an organization would patch every vulnerability as soon as it is discovered. However, the growing number of new vulnerabilities makes it difficult for even well-resourced security teams to remediate them all. In a recent survey conducted by the Ponemon Institute, 54% of respondents said that they were able to patch less than 50% of the vulnerabilities in their backlog; hence the need to prioritize effectively.

Inaccurate prioritization is a major obstacle to an effective vulnerability management approach. Failing to prioritize vulnerabilities into, say, critical, high, medium, and low categories, and failing to contextualize them against critical assets, can result in security teams wasting time and effort on vulnerabilities that pose no real risk.

Vulnerability Management Best Practices

There are several measures that organizations can take to manage vulnerabilities proactively and efficiently:

  • Create a Centralized Repository of Critical Assets

With an organization dealing with thousands of vulnerabilities, creating and maintaining a centralized repository of critical assets, mapped to associated threats and vulnerabilities, risks arising from API connections, areas of compliance, controls, and other business functions, is crucial. It not only enables quick access to critical data but also delivers comprehensive visibility into vulnerabilities across the enterprise.

  • Identify Vulnerabilities Using Diverse Scanners

Vulnerability scanners are tools that simplify and automate the process of identifying vulnerabilities present in an organization’s IT infrastructure. There are various types of vulnerability scanners, including database vulnerability scanners, cloud vulnerability scanners, network vulnerability scanners, web application scanners, etc. It is recommended to use a combination of vulnerability scanners to ensure full coverage of all organizational assets and gain a complete and accurate picture.

  • Prioritize Vulnerabilities in the Context of Critical Assets

It is imperative to prioritize vulnerabilities in the context of critical organizational assets to ensure the optimum utilization of resources. This could be done by combining an asset’s vulnerability severity rating with its business criticality rating to provide a consolidated risk rating. Security teams can then prioritize and trigger vulnerability remediation strategies depending on the combined risk rating.

  • Implement a Continuous Approach with Well-Structured Workflows

Vulnerability management is not a one-time activity; it is a continuous process of identifying, assessing, and remediating vulnerabilities. Establishing well-structured and systematic workflows is essential to track vulnerabilities, right from their identification until their remediation and closure, and then to repeat the process at a pre-defined frequency, the more frequent, the better. It is also important for organizations to clearly define the roles, responsibilities, and accountabilities of the security team. Tying everything together is an effective and open communication channel.

  • Automate to Patch Vulnerabilities

With the number of new and critical vulnerabilities trending upward, adopting automated patch management tools has become a business necessity. These tools deploy patches for identified vulnerabilities automatically, removing the manual cycle of scheduling a scan and then working through its results. They make a proactive and continuous approach to vulnerability management practical and significantly improve an organization's security. Automation still needs guard rails: patches should be tested on a staging ring before production, deployed with a rollback plan, and verified by a follow-up scan, because a faulty patch can cause the very outage the program is trying to prevent.

How MetricStream Helps with Vulnerability Management

MetricStream CyberGRC products provide native integration with industry-leading vulnerability scanners, such as Tenable, QualysGuard, and Rapid7, to help organizations streamline the investigation and remediation of vulnerabilities. CyberGRC's open API allows organizations to import vulnerabilities from any source: a built-in common data structure, exposed through the API, normalizes findings received from scanners that are not integrated natively.

Organizations commonly run more than one vulnerability scanner, both for coverage and because a finding reported independently by two scanners is less likely to be a false positive. CyberGRC can combine findings from multiple scanners and produce a single risk rating for each combination of critical asset and vulnerability.

Importantly, CyberGRC provides a framework to define rules based on vulnerability and asset attributes to automate the creation of remediation tickets. Organizations can leverage the framework to develop one or more rules. For example, by selecting the asset severity as ‘critical’ and vulnerability severity as ‘critical’, a rule can be created to trigger a task with an SLA of 7 days to remediate.

With MetricStream, organizations also have the option to create remediation tickets either within CyberGRC or on external ticketing systems like BMC, ServiceNow, and JIRA.
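To make the combined risk rating described under "Prioritize Vulnerabilities in the Context of Critical Assets" and the rule-driven remediation SLA described above concrete, here is an added example (written for this page; it is not CyberGRC's code or its API). The script merges constructed findings from two scanners, keeps the highest severity either scanner reported, multiplies a severity score by the asset's business criticality taken from an assumed inventory, and assigns a remediation SLA by rule. Only the "critical asset and critical vulnerability means a 7-day SLA" rule comes from the text; the other SLA tiers, the scoring weights, the inventory, the scanner names and the finding records are assumptions. The CVE identifiers are real, but the findings are constructed, not real scan output.

```python
"""Merge findings from several scanners, rate them in the context of the
affected asset, and assign a remediation SLA by rule.

Added example, not CyberGRC's code. The inventory, scoring weights, scanner
names, SLA tiers other than critical/critical -> 7 days, and the finding
records are assumptions; the findings are constructed, not real scan output.
"""

# Assumed asset inventory: business criticality per asset.
ASSETS = {
    "pay-api-01": "critical",
    "intranet-wiki": "medium",
    "dev-sandbox": "low",
}

# One ordinal scale for both vulnerability severity and asset criticality.
RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed scanner output, already reduced to the fields we need.
FINDINGS = [
    {"scanner": "scanner-A", "asset": "pay-api-01",    "cve": "CVE-2021-44228", "severity": "critical"},
    {"scanner": "scanner-B", "asset": "pay-api-01",    "cve": "CVE-2021-44228", "severity": "Critical"},
    {"scanner": "scanner-A", "asset": "pay-api-01",    "cve": "CVE-2020-1938",  "severity": "high"},
    {"scanner": "scanner-A", "asset": "intranet-wiki", "cve": "CVE-2021-44228", "severity": "critical"},
    {"scanner": "scanner-B", "asset": "dev-sandbox",   "cve": "CVE-2022-22965", "severity": "high"},
    {"scanner": "scanner-B", "asset": "legacy-tomcat", "cve": "CVE-2020-1938",  "severity": "High"},
]


def normalize_severity(finding):
    """Scanners label severity differently; reduce it to one lower-case scale."""
    sev = finding["severity"].strip().lower()
    if sev not in RANK:
        raise ValueError(f"unknown severity {finding['severity']!r} from {finding['scanner']}")
    return sev


def merge_findings(findings):
    """Deduplicate on (asset, CVE); keep the highest severity any scanner gave
    and remember which scanners reported it."""
    merged = {}
    for f in findings:
        sev = normalize_severity(f)
        entry = merged.setdefault((f["asset"], f["cve"]),
                                  {"asset": f["asset"], "cve": f["cve"],
                                   "severity": sev, "sources": set()})
        if RANK[sev] > RANK[entry["severity"]]:
            entry["severity"] = sev
        entry["sources"].add(f["scanner"])
    return list(merged.values())


def sla_days(asset_criticality, severity):
    """Remediation deadline in days. The critical/critical -> 7 days rule is
    from the text; the remaining tiers are assumed for illustration."""
    if asset_criticality == "critical" and severity == "critical":
        return 7
    if asset_criticality == "critical" and severity == "high":
        return 14
    if severity == "critical":
        return 30
    if severity == "high" and asset_criticality in ("high", "medium"):
        return 60
    return 90


def prioritize(findings, assets):
    """Build the remediation queue, highest combined risk first."""
    queue = []
    for e in merge_findings(findings):
        criticality = assets.get(e["asset"])
        inventory_gap = criticality is None
        if inventory_gap:
            # Asset missing from the inventory: score it as 'high' rather than
            # drop it, and flag the gap so the inventory itself gets fixed.
            criticality = "high"
        queue.append({
            "asset": e["asset"],
            "cve": e["cve"],
            "severity": e["severity"],
            "criticality": criticality,
            "score": RANK[e["severity"]] * RANK[criticality],   # combined rating, 1..16
            "sla_days": sla_days(criticality, e["severity"]),
            "corroborated": len(e["sources"]) > 1,              # seen by more than one scanner
            "inventory_gap": inventory_gap,
        })
    # Highest score first; among equals, corroborated findings first.
    queue.sort(key=lambda q: (-q["score"], not q["corroborated"]))
    return queue


if __name__ == "__main__":
    for item in prioritize(FINDINGS, ASSETS):
        print(item)
```

Two design points are worth noting. Keeping the highest severity across scanners is deliberately conservative, while the corroborated flag lets a reviewer spend false-positive checks on single-source findings first. An asset the inventory does not know about is scored rather than discarded, because an unknown asset with a critical finding is exactly the blind spot the page warns about.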

With MetricStream CyberGRC, you can:

  • Stay on top of vulnerabilities with early warning notifications and proactive remediation strategies
  • Leverage industry standards, best practices, and technology to establish a robust and automated approach to vulnerability management
  • Drive efficient decision-making with actionable and timely intelligence on vulnerabilities
  • Enhance cyber risk preparedness through a consolidated view of vulnerabilities across systems  

Looking Ahead

Vulnerability management has become central to a robust IT and cyber risk management program. In the future, vulnerability management is expected to merge with configuration management. As the cyber risk landscape and security requirements continue to evolve and increase in sophistication, organizational expectations would soon be for tools and software solutions to directly resolve a vulnerability with a patch in one click, with minimal human intervention.

Contextual prioritization of vulnerabilities, combined risk ratings from multiple scanners, tagging assets to critical business services and processes, and more are expected to gain more prominence not only from an organizational security perspective but also from a regulatory requirement standpoint.

Moreover, with the ongoing digital transformation in organizations worldwide, automated, autonomous tools are expected to take center stage.

Learn more about MetricStream Threat and Vulnerability Management.


Anilkumar GK Senior Director & Head of CyberGRC Product Management, MetricStream

Anilkumar GK leads cyber risk product management for MetricStream, the leader in Governance, Risk and Compliance (GRC) software. As Senior Director, Anil is responsible for product strategy, requirements, product planning and delivery to meet the needs of clients. Anilkumar has been at MetricStream for more than a decade and has nearly 20 years of experience in GRC implementation, product management, supply chain and business consulting, spanning product development, planning, design, delivery and quality assurance. His areas of expertise include Internal Audit, Risk Management, Compliance (including SOX and IT Compliance), Issue Management and Cyber/IT Risk.

Anilkumar is currently leading MetricStream's cyber risk and compliance product efforts, including user experience optimization, quantification, use of security frameworks and more. He lives in Plano, TX and holds a Bachelor of Engineering in Mechanical Engineering.

 

Shampa Mani Assistant Manager – Marketing

Shampa Mani, Assistant Manager - Marketing, at MetricStream, has over 7 years of experience in content writing and editing. Prior to joining MetricStream, she worked in the news and media industry, covering news on fintech, blockchain technology, and digital currencies. Academically, she has an MBA in Business Economics and an MA in Economics. In her free time, she loves to cook, read, and delve into the world of UFOs and extraterrestrials.

 

What are Cyber Frameworks and How Should You Choose the Right One?

3 min read

Introduction

Cyber risk and resilience are among the top concerns for businesses today. An organization’s cyber defense infrastructure is only as strong as its weakest link. The fast-evolving cyber risk landscape is keeping CISOs and security teams on their toes. It is imperative to adopt the right cyber framework and establish strong controls to actively manage cyber risks and build cyber resilience. But, where to start?

To help you better understand cyber frameworks, controls, and making the right choice, we present a two-part blog series:

  • Understanding IT/cyber frameworks and how they are used to manage IT and cyber risks
  • Understanding IT/cyber controls, choosing them effectively, and harmonizing them across frameworks.

What are Cyber Frameworks?

Using and adapting a term borrowed from the construction industry, a cyber framework can be loosely defined as a system of standards, guidelines, and best practices to manage risks that arise in the digital world. The intent is to give IT/cyber risk and security managers a reliable, systematic way to identify, prioritize, and mitigate cyber risk no matter how complex the environment might be. A framework also provides the guide rails and the boundaries of any program so that desired objectives are met without taking on activities out of scope.

Frank Kim, former CISO of the SANS Institute, classifies the multitude of cybersecurity frameworks into three categories: control frameworks (catalogues of safeguards, such as NIST SP 800-53 and the CIS Controls), program frameworks (for building and running a security program, such as ISO/IEC 27001 and the NIST Cybersecurity Framework), and risk frameworks (for assessing and managing risk, such as NIST SP 800-39 and FAIR). Cyber risk management thus forms one dedicated category.

Some frameworks may completely fit into one of the above categories, while others may have overlaps between the three categories.

Frameworks can also be classified by their applicability, as follows:

  • Mandatory – These frameworks must be implemented and complied with, depending on the region or sector of operation. They are split further into:

    • Regulatory: mandated by local laws or regulations
    • Industry-specific: mandated by sector regulators or by service receivers (customers and business partners)

    Examples: GDPR, which applies to any organization processing the personal data of individuals in the EU; the SAMA Cyber Security Framework, mandated for financial institutions regulated by the Saudi Central Bank (SAMA) in the Kingdom of Saudi Arabia; HIPAA, which applies to covered entities (healthcare providers, health plans and clearinghouses) and their business associates in the US.

  • Optional – These frameworks are provided as guidelines and are not mandatory to implement or comply with, although customers, insurers or contracts may still expect them.

    Examples: ISO/IEC 27001, the CIS Critical Security Controls, FAIR

Choosing Frameworks

With the plethora of frameworks available, it can get confusing to choose the appropriate ones. Even for seasoned cyber risk management professionals, this issue can cause confusion. The best way to start is by determining these three aspects first:

  • Which regions are operations carried out in?
  • Which industry(ies) is the business involved in?
  • What is the current maturity level of the cyber risk management program?

This will help determine a baseline framework to implement. After this, specifics such as business objectives & goals, potential threats & vulnerabilities, existing policies and treatment procedures, and budget resources should be considered to determine additional framework requirements. The infographic released by NIST provides a good place to start.


It is always advisable to start simple with the most basic of the applicable frameworks and ensure that the frameworks are aligned with business goals & objectives. And it is imperative to continuously assess and review the success of implemented frameworks. Once there are mature processes in place, the organization may consider gradually scaling up in sophistication and complexity.

To learn more about cyber frameworks, click here. Watch this space for the second part of the series, “What are Controls and How to Achieve Control Harmonization?”.


Agnishwar Banerjee Product Marketing, MetricStream


 

Insurance Industry. Strengthen Cyber Resilience Now!

4 min read

Introduction

The recent cyberattack on an Australian health insurer’s patient data has made global headlines. The release of personal data including names, addresses, dates of birth, phone numbers, and email addresses and the treatment they received for personal health issues, on a dark web forum has once again brought the spotlight on the cyber vulnerabilities in the sector. However, this is not an isolated incident. The number of cyberattacks on insurers in the past couple of years has increased significantly. A survey conducted by the Financial Services Information Sharing and Analysis Center (FS-ISAC) among financial institutions, found that insurers are among the top affected sectors.

Digitization, Data, and More—Insurance Faces Unique Cyber Challenges

Companies in the insurance industry are moving toward greater digitization in an effort to create seamless customer relationships. Like the rest of the financial services industry, insurance consumers demand services 24/7/365 via smartphone apps. To provide this real-time experience, companies are increasing investments in IT systems and platforms that can provide myriad services from online policy applications to web- and mobile-based apps for filing claims. However, these new digital capabilities bring new cyber risks that companies are often not equipped to deal with.

Insurance companies collect massive amounts of both structured and unstructured data. It’s necessary for coverage, to analyze fraud, and more. The huge volumes of data generated by the insurance industry have however made the industry attractive to cybercriminals. Insurance companies store highly sensitive personal data including Personally Identifiable Information (PII) such as Social Security Numbers (SSN), bank account or digital wallet details, health records, phone numbers, and addresses. In the case of health insurance companies, Personal Health Information (PHI) is also at stake. And they are more likely to pay the ransom if attacked, as seen in numerous cases in the past.

Cyber attacks and breaches can cause significant and far-reaching damage to an insurance company: from material costs such as fines, legal fees, and fraud monitoring, which add to the "cost per record", to loss of customer trust, operational disruption, and devaluation of the brand, which make up the hidden "below the surface" costs. Loss of reputation is especially damaging in insurance, where the entire business is based on trust.

Making Cyber Resilience a Priority

The insurance industry is arguably better placed than any other to understand risk. In fact, risk-averse enterprises across all markets transfer a portion of their cyber risk to insurers to limit their exposure in the event of a significant cyberattack.

Insurers should channel this deep understanding of risk into informed decisions about how much cyber risk to avoid, mitigate, transfer (for example to a reinsurer or a cyber insurance carrier), or simply accept. Cyber risk management must cover both technology and policy: a database left exposed in the cloud because of an unclear policy will undermine any sophisticated access control or perimeter protection. User training is equally critical. Most importantly, security must be built into new software and applications from the start, since the common practice of patching up legacy systems leaves cyber vulnerabilities open.

Manage and Mitigate Cyber Risk with MetricStream

To combat these challenges, insurance companies need to move from manual, point-in-time cyber risk assessments to a robust cyber risk program that leverages technologies such as AI and automation to process and analyze large amounts of data. Continuous Control Monitoring (CCM) and automation are essential here because they run all the time and flag anomalies as they occur, rather than at the next scheduled assessment.

MetricStream’s ConnectedGRC provides insurance companies with an integrated solution on a single platform. Purpose-built to manage, measure, and monitor cyber, risk, and compliance demands for the insurance industry in real-time, the platform is powered by AI, enabling the capture, assessment, and processing of diverse, complex, and voluminous risk and data at scale across your entire organization. This enables you to:

  • Gain a single view of your risks with a centralized library of risks, controls, regulations, policies, and issue management to drive risk intelligence and actionability
  • Actively monitor and adapt to applicable regulatory changes from around the world
  • Map policies to regulations, and ensure employee and third-party attestation

Proactively manage cyber risk and build cyber resilience with MetricStream CyberGRC by:

  • Reducing the risk of breaches with active risk management
  • Prioritizing cyber risks and measuring risk exposure with quantification
  • Leveraging automation for greater efficiency
  • Continuously monitoring controls and processes for improved compliance and security
  • Gaining a single view of your cyber risk

Want to learn more about how MetricStream can help your insurance company build resilience by leveraging award-winning AI, analytics, and automation technologies? Request a demo now.


Patricia McParland AVP – Marketing

Pat McParland is AVP of Product Marketing at MetricStream. She is responsible for creating product messaging, product go-to-market plans, and analyzing market trends for MetricStream's cyber compliance and third party risk product lines. Pat has more than 25 years of financial data and technology marketing experience at Fortune 1000 brands as well as startups and has led product and marketing teams at Dow Jones and Dun & Bradstreet. She has a BA from the College of William and Mary and lives in Summit, New Jersey.

 

5 Reasons to Take the State of CyberGRC Survey

3 min read

Introduction

Year endings are a time for reflections and resolutions, or as we call them in the corporate world – reviews and forecasts. It’s no different at MetricStream. With 2023 just around the corner, we’re looking to get a pulse on what’s happening with industry leaders in cyber risk and compliance management.

We’re doing that with our annual State of CyberGRC Survey: Looking into 2023. The purpose of this short survey (which takes approximately 5 minutes to fill out) is to better understand the challenges you as CISO or IT compliance and cyber risk leader are facing and the strategies being adopted, to resolve them. The focus is on cyber governance, risk and compliance – CyberGRC.

It is our mission to understand:

  • How the responsibilities of cyber risk and compliance management are evolving
  • The primary strategies and tactics being used to identify and mitigate cyber risks
  • The biggest cyber risks and GRC trends anticipated for year ahead

Data from our last year’s survey had interesting findings:

  • 45% lacked visibility into cyber risks across the organization
  • 41% had manual processes for cyber GRC
  • 39% faced increased regulatory compliance requirements

But a lot has changed over the past year. With the pandemic now in the background, businesses are looking beyond recovery to growth. Are manual processes still being used or has the shift been made? Does visibility still continue to be an issue? Only you can tell us.

Here are five more reasons why you should take the survey.

1. The Cyber Risk Landscape is Changing

Rapid digitization has led to organizations facing several new challenges including increased attack surfaces, sophisticated attack methods, ever-evolving threats, IT vendor risk, compliance pressures, cloud & API security gaps, and more. It is undoubted that cyberattacks continue to rise year after year—both in number and sophistication.

You tell us: In today’s interconnected risk landscape, what are the unique cyber challenges you face?
 

2. Cyber Risk is Now a Board Level Priority

As per the 2021 Gartner Board of Directors Survey, 88% of boards now view cybersecurity as a business risk—up by 30% since 2017. Leaders are well aware that cyber risk can no longer be viewed as merely an ‘IT problem’. In the connected ecosystem, a cyber incident can lead to financial losses, operational disruption, reputational damage, legal issues, regulatory fines, and even business closures.

You tell us: How are you communicating cyber risks to your Board and what steps are you taking to prioritize cyber risk at your organization?
 

3. Cyber is a Highly Demanding Field

The urgency to build cyber resilience has resulted in an acute lack of cyber resources. As per data from McKinsey, 3.5 million global cybersecurity positions remained open at the end of Q1 2022. Budget is a perennial issue. Added to this are legacy software, cyber tools and technologies operating in silos, and several other challenges that are unique to cyber.

You tell us: In relation to cyber risk and compliance, where does your organization plan to invest in 2023?
 

4. AI, Automation, and Cyber Risk Quantification is Creating New Advantages

New cyber use cases leveraging cutting-edge technologies are creating new advantages. For instance, Continuous Control Monitoring and automated compliance now enable organizations to proactively identify risks and improve their cybersecurity and compliance posture by monitoring IT controls in real time. AI/ML are moving reporting away from static dashboards and heat maps toward predictive analysis and insights. Similarly, cyber risk quantification assigns a monetary value to cyber risks, enabling better-informed decisions about investment and insurance.

You tell us: How is technology helping you build cyber resilience?

5. Your Opinion and that of Your Peers Matter

As a leader in the domain, managing cyber risk and strategizing to build cyber resilience, you can provide valuable insights into the future of cyber risk and compliance management (CyberGRC). Your expertise is needed! Your Voice Matters!

So we ask you to spare 5-odd minutes and fill out our survey. In appreciation, we will share a copy of the research report when it is published in Q1 2023.

Take the Survey now. And do share with your CISO and cyber risk community!

Want to learn more about how MetricStream CyberGRC can help build cyber resilience?

Request a customized demo to see how our product works.

Agnishwar Banerjee Product Marketing, MetricStream

People call me AB and I am part of the CyberGRC Product Marketing team at MetricStream, where I handle the messaging, product go-to-market plans, and analyse market trends. Having witnessed the transition from offline to online firsthand (80’s child), for most of my life, I have been an avid enthusiast in the domain of technology and cyber security including personal cybersecurity. Over the last 10 years, I have been involved in developing and marketing risk-focused, SaaS products. I have a good mix of right brain and left brain and love reading, learning new things and am generally a big believer in the power of looking inward, effective processes and people.

Staying on Top of Crypto Regulatory Landscape with AI and Automation

6 min read

Introduction

In January 2009, the first cryptocurrency, Bitcoin, entered the market. The concept of a digital, encrypted currency has been on the minds of innovators and entrepreneurs for decades. As designed, Bitcoin and the nearly 10,000 additional cryptocurrencies that have entered the market in the last 13 years operate via blockchain technology. Blockchains help ensure transactional anonymity, encryption, decentralization, and distribution of synced, duplicate records around the world.

Cryptocurrencies are means of completing digitally facilitated transactions around the world, in a global currency with no third parties, like banks and governments, involved. Because cryptocurrencies are typically ‘minted’ a determined number of times (either ever or annually), their value grows as demand for them increases. This is why many have acquired coins with the purpose of increasing their value rather than spending them in the marketplace. With no financial or governmental third parties involved in transactions, those who advocate for cryptocurrency promise little to no delay in processing payments at little to no cost. In theory, this model has the potential to revolutionize some elements of common financial transactions, on a global scale.

In the last few years, interest in cryptocurrencies has crescendoed, with both investment professionals and laypeople purchasing coins. Reportedly, nearly 20% of Americans have invested in cryptocurrencies. In the last six to nine months, however, many, if not most, cryptocurrencies have experienced significant losses in value. There have been multiple accusations of fraud, misrepresentation, and dishonesty as well. Especially since cryptocurrencies had gradually broken through from a small group of technorati to almost the mainstream, these sudden and massive drops in value and integrity are causing concern among cryptocurrency advocates, established investors, and governments.

Even while investors and the public pressure governments to step in and reduce some cryptocurrency market volatility, regulators have been cautious in moving forward with cryptocurrency regulations. The first hurdle is an agreeable definition of what is and what is not a cryptocurrency and how it may fit within a government’s authority. The anonymity, encryption, and decentralization of cryptocurrencies purposefully make them opaque. Further, as there are multiple blockchains that don’t share data, defining data rules is also elusive. Finally, governments typically cannot claim oversight over businesses and transactions outside of their jurisdictions. Because there is no central bank for a cryptocurrency and records may live in nodes and personal wallets across the world, jurisdictional claims can be hard to assert. That said, central banking authorities, such as the U.S. Federal Reserve, the Bank of Canada, the Monetary Authority of Singapore, and others, are considering issuing their own central bank digital currency (CBDC), which could alleviate this regulatory blocker but may not be accepted by the market.

While some governments are moving forward with extending existing financial regulations on money laundering and financing terrorism, there remain questions of applicability. Do financial or technology regulations apply to cryptocurrencies? Much of this is being determined now, and multiple governments are working together to create similar legislation that could in effect reach farther around the world. Either way, cryptocurrencies are here to stay. With the recent adventures in value, it is wise to expect that more comprehensive, sticky, and global cryptocurrency regulations are not far off.

The Deluge of Crypto Regulatory Change

I recently hosted a webinar with Jennifer Clarke, Senior Editorial Manager, Regulatory SME, CUBE, Alex Royle, Head of Compliance and Regulatory Affairs, EMEA, Galaxy Digital, and Suneel Sahi, Marketing, Europe, MetricStream, to discuss how to best manage the deluge of new cryptocurrency and digital asset regulatory change.

Jennifer made an interesting observation: CUBE captured nearly 10,000 pieces of regulatory data in 2021 that were related to crypto or crypto-related keywords. And the volume of crypto regulations is only going to increase going forward.

Here is a look at some of the recent regulatory activity in the crypto space:

  • In the U.S., the Infrastructure Investment and Jobs Act, which was signed into law by President Biden in November 2021, extends information reporting requirements to digital assets. In its Financial Institution Letter 2022, the Federal Deposit Insurance Corporation (FDIC) said that FDIC-supervised institutions that engage or intend to engage in crypto-related activities should notify the agency and provide information that will allow it to “assess the safety and soundness, consumer protection, and financial stability implications of such activities.”
  • European regulatory authorities are drafting crypto rules not just for ensuring consumer protection and preventing financial crime but also to reduce the carbon footprint of cryptocurrencies.
  • The Bank of England is also not lagging behind. Earlier this year, the central bank published a paper highlighting the potential risks of cryptoassets to UK financial stability. “Where crypto technology is performing an equivalent economic function to one performed in the traditional financial sector, the FPC [Financial Policy Committee] judges this should take place within existing regulatory arrangement, and that the regulatory perimeter be adapted as necessary to ensure an equivalent regulatory outcome,” it read.
Likewise, regulatory authorities in Canada, Singapore, Japan, India, and other countries are also coming up with crypto-focused regulations and frameworks.

Leveraging AI and Automation

Another key takeaway from the webinar was that while regulators are increasingly working on crypto regulations, there is still a lack of collaboration across borders. So, while we will be seeing more regulations, they are likely to be fragmented and piecemeal, without any real harmonization across borders for some time. Needless to say, this will only make it harder for compliance teams to keep up.

So, how can you manage this growing number of crypto regulations? The answer lies in AI and automation in regulatory compliance. When legislatures propose and enact cryptocurrency regulations, understanding how, where, and when they apply to digital coins and their markets may be critical knowledge.

Artificial intelligence (AI) can be a real game-changer here. It is almost impossible to manually monitor and track the ever-evolving regulatory environment for updates, especially when dealing with a global financial and technology environment. An AI-based system can deliver alerts and initiate an applicability assessment based on your requirements, triggering automated workflows to ensure compliance with regulatory changes and greatly enhancing the efficiency of your compliance team.

With organizations today looking at achieving compliance with thousands of regulatory requirements, having an AI-based system with automated workflows is an absolute must. It can help you automatically capture new regulations and regulatory updates, map them to corporate policies, adapt your systems, and test your controls. Ultimately, AI and automated workflows can alert you to urgent needs or necessary adjustments to your policies, employee training, attestations, and other compliance, ethics, and behavioral standards.

Where companies apply AI to initiate regulatory assessments and alignment, compliance professionals can devote more resources and attention to the human intelligence required to adapt specific business processes to those regulations. When regulations relevant to crypto payments, donations, exchanges with third parties, and anti-money laundering/combating the financing of terrorism (AML/CFT) come into effect, you can more quickly and easily adapt your policies and rules to the specific requirements.

Regulatory change management is, of course, a part of governance, risk, and compliance (GRC). We, at MetricStream, believe that AI and automation are central not just to compliance but to all things GRC, including risk management, third-party engagements, ESG, and cyber compliance, in relation to cryptocurrencies. When the use of cryptocurrencies inevitably becomes more commonplace, the full range of GRC functionality will need to adjust to new, unanticipated, and emerging vulnerabilities and threats. At that time, organizations will need to adapt their approach to GRC and adopt next-gen technologies to stay ahead of the new risks, regulations, and challenges that a cryptocurrency world will create.

In any situation, it is incumbent on all of us to understand what we’re investing in. There has been a lot of hype in cryptocurrencies – complete with celebrity-endorsed commercials at highly viewed sporting events – in the last few years. There have been promises made and promises invested in that have come crashing down in the last six months. The market is going through a cycle of excitement to instability and – hopefully – to a more secure and dependable long-term status.

The way I see it, cryptocurrencies as a concept are here to stay. Much of the market has embraced the concept of purely digital currency, along with the benefits of the rapid exchanges and processes cryptocurrencies offer. What’s missing is stability, governmental assurances (ironically), and mass adoption. In the end, I assume we will all be using some degree of cryptocurrencies in the not-too-distant future. Whether we will be using an existing coin or an offspring from the current market remains to be seen. Until then, keep an eye on the regulations and their impact on the market.

To explore the 5 best practices for successful compliance management, click here. To request a personalized demo, click here.

The Criminal, The Regulator, and The Hero

4 min read

Introduction

Did you hear the story about the entire cyber security team disappearing, only for people to find out that they ‘ran-some-ware.’

Ok, maybe not my best joke, but neither is the one about the rock band called 1023MB - they are yet to play a gig. Even if you managed a half smirk, which I very much doubt, I don’t need to remind you of the sheer shudder and fear that cyber breaches are causing across all industries.

Cyber risk has been the number one risk for Chief Information Security Officers (CISOs) for a few years, and now this risk has visibility across the entire organization. It has become much more than just an IT risk and the CISO’s problem. It has been elevated to conversations in the boardroom. It has everybody’s attention, with the entire C-suite sitting up and taking note. Cyber risk is now both a strategic and a business risk. According to the 2021 Gartner Board of Directors Survey, 88% of boards now view cybersecurity as a business risk. Interestingly, this number has gone up by 30% since 2017.

Research shows that it is not only companies that are falling prey to these criminal minds, countries too are being targeted by these intrusion masterminds.

Criminals

Cyber criminals continue to expand their capabilities and look for weaknesses in organizations’ networks. Like a tiger ready to pounce, attackers are never far away. They are becoming more sophisticated, and it is questionable how many organizations are truly prepared for an attack. On average there are 270 attacks on a company in a year, as per Accenture's State of Cybersecurity Resilience 2021 study. Alarmingly, this is a 31% increase compared to the previous year!

Being able to quantify your losses seems like a hard task. How do you put a price on leaked or missing data, which inevitably causes reputational damage? That reputation might take decades to earn and seconds to lose.

The most common types of attacks are email fraud, ransomware attacks, theft of personally identifiable information, and financial fraud. Oh, and there are virus attacks, phishing attacks, password hacks, etc. I could go on and on.

What’s worrying is that as new technologies bring a wealth of opportunities, criminals with limited technical knowledge are learning how to attack one computer and then use the infrastructure to infiltrate the entire network, sometimes looking at multiple entry points.

Similar to how we have pivoted our working environment over the last few years, and have the ability to work remotely, criminals can also be located anywhere in the world. They may be sitting in countries halfway across the globe and still cause a cyber fatality.

Regulators

Regulation is evolving and almost every major country is issuing some guidelines or legislation on data protection. In March this year, under the proposed cybersecurity regulation, all European Union (EU) institutions, bodies, offices, and agencies were required to have cyber security frameworks in place for GRC.

The Computer Emergency Response Team (CERT-EU) has extended its mandate to act as a threat intelligence, information exchange, and incident response coordination hub, a central advisory body, and a service provider.

The Council of the European Union highlighted the importance of a solid and consistent security framework to protect all EU personnel, data, communication networks, information systems, and decision-making processes.

And in the UK, as part of the £2.6 billion National Cyber Strategy 2022, the government is actively working to improve the cyber resilience of individuals and organizations across the economy. 

The UK’s National Cyber Security Centre (NCSC) published guidelines on strengthening cyber security; part of this guidance considers the third parties associated with companies and their ability to withstand a cyber threat.

In the United States, the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) was signed into law in March 2022. Critical infrastructure companies, including financial services, will now be required to report cybersecurity incidents, such as ransomware attacks, to the Cybersecurity and Infrastructure Security Agency (CISA).

In March 2022, the US Securities and Exchange Commission (SEC) has also proposed a rule which will require publicly listed companies to report to the SEC the occurrence of cybersecurity incidents, cybersecurity capabilities, and the board’s cybersecurity expertise and oversight.

Ensuring your business continuity and incident management provisions are up to date is high on the list as you need to meet your regulatory obligations.

MetricStream—the Hero

With criminals causing havoc and regulators working to increase oversight of cyber incidents, what if your organization could stay one step ahead of the game and thrive with its cyber risk program?

What if you could:

  • Quantify your cyber risk
  • Adopt a cybersecurity framework like ISO 27001 or NIST
  • Use automation and artificial intelligence
  • Protect your critical assets
  • Reinforce visibility into the overall compliance profile
  • Access intuitive real-time dashboards
  • Perform third-party risk assessments and monitor your risk exposures
  • Save costs by harmonizing controls across multiple IT regulations
  • Test once and comply many times with Continuous Control Monitoring

Well, with MetricStream CyberGRC you can do all the above and more. You can focus on your most critical controls across your entire organization and improve your risk posture, visibility, and efficiency.

To learn more, request a demo now.

Read our eBook on Five Critical Capabilities for Effective Cyber Risk Management

Stay up-to-date with the trending discussions and insights in the risk community. Subscribe to the Instagram of Risk Blog Series authored by Suneel Sahi, VP, Product Marketing at MetricStream.


Is Your Organization Treating Cyber Risk as a Business Risk?

4 min read

Introduction

You may think of cyber risk as a technology risk – but it’s also a top business risk! Consider these recent headlines:

  • The BBC announced that the Swiss airspace was closed for hours and flights in and out of Switzerland were suspended because of a computer failure at air traffic control service Skyguide.
  • The New York Times published a news story of how a cyberattack on a supplier to the auto giant Toyota stopped production in Japan.
  • CBS News reported how a ransomware attack that prevented Lincoln College, Illinois, from accessing data used for student recruitment, retention, and fundraising efforts was one of the major reasons for the 157-year-old educational institution to shut down.

All of these news stories point to how the impact of cyber incidents today leads to serious business consequences. Cyber risk can no longer be viewed as merely an ‘IT problem’. Cyber incidents in the connected ecosystem can lead to financial losses, reputational damage, legal issues, regulatory fines, and even business closures. Leaders are well aware of this. As per the 2021 Gartner Board of Directors Survey, 88% of boards now view cybersecurity as a business risk—up by 30% since 2017.

Top Reasons Why Cyber Risk is Now a Business Risk

Multiple reasons have led to cyber risk being increasingly viewed as a business risk. Here are the most important:

  • Software insecurities in critical infrastructure: To drive innovation and time-to-market demands, software has migrated from internally written code to a combination of software components including custom code, open-source software, third-party proprietary libraries, and external APIs. This has increased the scope of cyber risk. The recent Log4j vulnerability, discovered in December 2021, which resulted in 100 new hacking attempts every minute, is a prime example.

    Chris Inglis, National Cyber Director, commented on the situation saying that the Log4j vulnerability "has highlighted the need to improve our software security and the transparency of our software supply chain." The vulnerability still has the potential to be exploited today and still requires vigilance.

Read the blog: The Ripple of Effects of Log4J: How You Can Stay Prepared and Resilient

  • IT vendor risk: Headlined by the discovery of the SolarWinds attack in December 2020, supply chain attacks have steadily risen through 2021 and 2022. In Third-Party Risk: A Turbulent Outlook Survey Report 2022, the survey findings highlight an accelerated threat from IT vendors and third parties. 60% of respondents experienced an IT security incident in the past two years due to a third-party partner with access privileges.

    More alarmingly, the same respondents were also the most likely to have had sensitive data stolen or to have suffered some type of business outage.

Download the report: Third-Party Risk: A Turbulent Outlook Survey Report 2022

  • Cloud security gaps: With almost every organization having adopted cloud computing to some degree, the gaps in cloud security continue to increase cyber risk. The September 2021 OMIGOD vulnerability remained a critical vulnerability until the patch was released. Organizations too are concerned.

    Check Point’s 2022 Cloud Survey report found that 66% of organizations are concerned about cyber risk involving the exposure of sensitive data on the cloud, while 42% were concerned about legal and regulatory compliance with data protection regulations like PCI DSS and HIPAA.

    An emerging way to address cloud security and compliance requirements is continuous control monitoring, or CCM. CCM automatically tests security controls and collects evidence of effectiveness, improving compliance and lessening reliance on outdated manual testing protocols.

Learn more about CCM: Improve Your Cyber Risk Posture and Compliance with Continuous Control Monitoring from MetricStream

  • Increase in cyberattacks and ransomware: Cyberattacks continue to rise—both in number and in sophistication. Accenture's State of Cybersecurity Resilience 2021 study found that there were on average 270 attacks per company over the year, which was a 31% increase compared to the previous year.

    Ransomware continues to be a constant threat affecting organizations across sectors. As per the State of Ransomware in the US study, an estimated 77 state and municipal governments and agencies, 1,043 schools, and 1,203 healthcare providers ended up as victims in 2021.

Read the eBook: Five Critical Capabilities for Effective Cyber Risk Management

Build Cyber Resilience with MetricStream CyberGRC

MetricStream’s CyberGRC, built as an interconnected, intuitive, and intelligent GRC product set, empowers your organization to connect cyber risk data from across the enterprise and leverage actionable business intelligence to make data-driven decisions to build cyber resilience.

MetricStream CyberGRC further enables your organization to effectively manage and mitigate cyber risk by:

  • Quantifying cyber risks in monetary terms to assess risks more accurately, communicate the risk more effectively, and make better-informed cyber investment decisions
  • Leveraging intelligent issue and remediation management to document, investigate, and resolve IT compliance and control issues in a systematic, automated manner
  • Strengthening visibility into the overall compliance profile with intuitive dashboards and real-time reports
  • Harmonizing controls across multiple IT regulations and frameworks, improving compliance and saving effort and costs
  • Proactively managing and mitigating IT and cyber risks by continuously monitoring controls for effective cyber risk management

Want to learn more about how MetricStream CyberGRC can help build cyber resilience? Write to me at pmcparland@metricstream.com. You can also request a customized demo to see how our product works.

Patricia McParland AVP – Marketing

Pat McParland is AVP of Product Marketing at MetricStream. She is responsible for creating product messaging, product go-to-market plans, and analyzing market trends for MetricStream's cyber compliance and third-party risk product lines. Pat has more than 25 years of financial data and technology marketing experience at Fortune 1000 brands as well as startups and has led product and marketing teams at Dow Jones and Dun & Bradstreet. She has a BA from the College of William and Mary and lives in Summit, New Jersey.
