Cybersecurity Audits Explained

  • October 27, 2023
  • Quantivate

Today’s cyber risk landscape has both financial institutions and banking regulators on high alert. According to a survey of bank executives, more than 70% of CEOs say that technology risk is the biggest risk their bank faces, and 64% expect it to increase over the next two years.

Research from the Internal Audit Foundation also confirms that this risk category is top of mind for audit leaders, with cybersecurity ranking as the audit area posing the highest risk and requiring the most audit effort.

A cybersecurity incident is one of the few risk events that can shut down an institution’s operations on the spot. Internal audit executives typically rate the cybersecurity audit as “very high risk” in the audit plan, resulting in annual (if not continuous) audits and heavy scrutiny from examiners.

What is cybersecurity, and what are the risks?

To summarize cybersecurity from a financial services perspective, we’ll review its definition, objectives, program, and controls, and then discuss the basics of a cybersecurity audit.

Cybersecurity Definition:

Per the FFIEC Information Technology Examination Handbook, “Cybersecurity is the process of protecting consumer and bank information by preventing, detecting, and responding to attacks.” (See: Information Security Booklet, II.A.3(a) Supervision of Cybersecurity Risk)

Cybersecurity Objectives:

Cybersecurity objectives focus on protection of digital assets.

Cybersecurity Program:

As part of a cybersecurity program, institutions should consider management of internal and external threats and vulnerabilities to protect information assets and the supporting infrastructure from technology-based attacks.

Cybersecurity Controls:

Cybersecurity controls include the policies, processes, tools, and personnel for ensuring an organization’s information resources are adequately protected from many types of attacks, detecting when such attacks occur, remediating deficiencies as effectively as possible, and recovering from untoward events.

Cyber Risks:

Cybersecurity-related risks consist of three components: actor, threat, and vulnerability.

  • Actor: An entity (individual, group, organization, or state) that seeks to exploit enterprise dependency on cyber resources.
  • Threat: A possible danger that can harm digital data or assets. Threats can be human, environmental, technical, or digital in nature.
  • Vulnerability: A weakness in a process or system that can be exploited by a threat.

What is a cybersecurity audit?

To perform a cybersecurity audit, an internal audit team will usually review their institution’s cybersecurity program against a well-respected framework, such as the NIST Cybersecurity Framework (CSF). Examination programs from financial institution regulators, such as the OCC’s Cybersecurity Supervision Work Program, provide internal auditors with guidance on how to structure a cybersecurity audit and map each step to the NIST framework. Regardless of the framework used, however, the protection of digital assets is typically organized around five areas: identify, protect, detect, respond, and recover.

To understand the cybersecurity audit in more detail, we’ll review the objective of the audit along with some notable aspects.

Cybersecurity Audit Objective

The objective of a cybersecurity audit is to assess the design and operating effectiveness of the control environment related to the institution’s cybersecurity program. The scope typically includes a review of available policies and procedures, tests of key controls, and compliance with applicable industry standards and regulatory requirements related to the topics below:

  • Cybersecurity program governance, including cybersecurity reporting
  • Cybersecurity self-assessment (including its results and the tools used to perform it)
  • Vulnerability assessment
  • Penetration testing
  • Threat intelligence / information-gathering processes
  • Incident analysis processes
  • Cybersecurity crisis management processes
  • Cybersecurity training and awareness program
  • Cybersecurity third-party risk management program

The auditor will also review the status of open issues related to cybersecurity.

Cybersecurity Audit Differentiators

There are some notable aspects of a cybersecurity audit that may make it somewhat unique in a financial institution:

  • It is likely a stand-alone audit. Whereas many IT-related audit areas might be combined for efficiency, the cybersecurity audit is usually performed with a singular focus. However, if combined with other areas, caution should be taken not to shortchange resources focused on cybersecurity.
  • It is likely staffed by either internal or co-sourced subject matter experts, or it is fully outsourced. Given the skill set needed to perform a cybersecurity audit, it is seldom conducted solely by the regular internal audit staff. Cybersecurity auditors require a background and knowledge base in information security and cybersecurity to understand an institution’s program and compare it to requirements.
  • It differs from an assessment. A cybersecurity audit is an assurance function that tests controls and is performed by the third line of defense, whereas cybersecurity assessments are performed by the first or second line; the audit will review those assessments rather than replace them. A cybersecurity assessment and a cybersecurity audit therefore have different objectives and scope.

Given the high-risk perception of cybersecurity by banking regulators, management teams at financial institutions can be certain that their cybersecurity audit will be heavily scrutinized during the next exam. Chief audit executives will want to allocate adequate resources to the cybersecurity audit and ensure that it’s performed at a frequency that aligns with its risk level.
