Benefiting from our hindsight as we look back to 2011, do you believe the Supplemental Guidance was effective in updating the original guidance in a meaningful way?
The 2011 Supplement is clearly more effective than the 2005 guidance it updates. First and foremost, the earlier guidance was no longer capable of ensuring proper risk management: new technologies had been introduced in those six years, and with them new ways of committing cyber fraud.
The new guidance has several distinguishing features that make it more effective than the 2005 version. It places particular emphasis on layered security controls that provide protection at multiple levels. Moreover, it stresses the importance of regular risk assessment, which is critical in a rapidly changing environment (FDIC, 2011). Last but not least, the updated version distinguishes between the affected stakeholders: consumer accounts and business accounts.
However, some experts doubt the usefulness of the update. Avivah Litan (2011), for instance, shares her concerns about the effectiveness of the new version. She notes that, like the previous guidance, the new one does not describe any particular methods or alternative solutions that can be employed to ensure consistent security.
What are potential indicators regulatory bodies should consider when evaluating the need for new regulations?
One of the key responsibilities of a regulatory body is the timely assessment of the current state of the IS system and the introduction of new regulations when necessary. Thus, the question arises which indicators might assist a regulatory body in evaluating the need for change.
First and foremost, regulations should ideally be revisited every year. New technologies create new risks that put existing IS systems under threat regardless of their reliability. As a result, a system might fail to manage risks not because it is invalid but because the environment has changed. Secondly, regulatory bodies must consider the changing character of cyber fraud. Managing the related risks now requires a layered IS system that comprises multi-factor authentication and effective layered controls (FDIC, 2011). It can likewise be recommended that the cost-effectiveness of the existing IS system be assessed: the market may offer alternative solutions that ensure the same level of security at a lower cost.
Describe the pros and cons of including specific implementation guidelines within guidance.
On the face of it, the Supplemental Guidance of 2011 lacks clarification of how the outlined strategies can be implemented. For instance, specific guidelines could have been included to clarify how "active consumer awareness" can be achieved. In addition, the guidance points out that some kinds of device identification are no longer effective (FDIC, 2011); it would be reasonable to list those kinds in an appendix. From this perspective, the addressees of the guidance would welcome concise instructions regarding particular implementations.
However, the guidance attempts to provide a universal outline for ensuring security: it points out the most critical problems and offers general solutions. As long as the guidance itself admits that the cyber fraud environment is constantly changing, with new methods and techniques appearing all the time, it would be illogical for it to offer specific implementation guidelines; they would be out of date within half a year of the guidance's release. From this standpoint, including specific guidelines would soon make the entire guidance irrelevant.
Again, benefiting from our place in the future, critique the interpretation of the Gartner analyst (Avivah Litan, 2011) linked above
It has been five years since Avivah Litan offered her interpretation of the guidance. Nevertheless, it should be admitted that the expert was highly accurate in her assessments. For instance, she pointed out that the 2011 guidance focused solely on PC-related risks, neglecting threats such as mobile banking attacks (Litan, 2011). A year ago, the latter were included among the top critical security risks by Kaspersky Lab (Kaspersky Lab, 2015). On the whole, Litan was right in her assumption that the guidance would become out of date within a couple of years. This does not mean that it comprised misleading guidelines; it is just that the environment changes too rapidly for any guidance to consider all risks and threats.
What can internal Governance, Risk, and Compliance staffs do to anticipate the release of new regulations related to technology changes?
The internal Governance, Risk, and Compliance staff should constantly increase its awareness of the relevant environment in order to anticipate the risks associated with rapid change. Hence, it is expected to track and adopt best practices and to deploy multiple controls that ensure risk prevention at different levels. In addition, governance should not neglect audit procedures, which can provide guidelines for improvements in the control architecture. Lastly, the staff should carry out system tests in order to identify flaws in a timely manner and avoid unexpected system failures. In other words, the IS should be regularly evaluated and examined for compliance with existing standards.
Whitman and Mattord (2011) also recommend consistent contingency planning, which can help companies prepare for the most likely threats and ensure some stability notwithstanding potential environmental changes.
Reference List
FDIC. (2011). FFIEC Supplement to Authentication in an Internet Banking Environment. Web.
Kaspersky Lab. (2015). Kaspersky Lab: Mobile banking threats among the top 10 malicious financial programs for the first time. Web.
Litan, A. (2011). FFIEC finally releases new guidance on Internet banking authentication; better late than never. Web.
Whitman, M. E., & Mattord, H. J. (2011). Roadmap to information security: For IT and InfoSec managers. Boston, MA: Cengage Learning.