NAFCU Services Blog

By Steve Soukup, Chief Executive Officer, DefenseStorm 

Risk assessments. Tedious, compulsory, and painful. Just some of the words used to describe a process that is critical to your institution’s cybersecurity and compliance efforts. Yes, the risk assessment process can be daunting, but mostly because of an outdated perspective that disconnects it from the ever-evolving changes in risk and compliance. Some credit unions look at risk assessment as a 'check the box' task instead of a valuable exercise that significantly enhances the completeness of their security program and ability to satisfy regulatory requirements. Some credit unions still manually gather data from disjointed systems, resulting in a stale and ineffective risk assessment.

So, while your institution is under constant pressure to remain cyber risk ready and compliant, how can you effectively tackle the critical task of risk assessment without suffering through the process?

The first step is to adopt the new mindset that risk assessment is a living document, not something that gathers dust on a shelf. It must constantly be amended to address emerging threats and changing regulations. Credit unions who update their risk assessment infrequently, e.g., annually, miss the opportunity for modifications that will positively affect their cyber readiness and compliance efforts.

The second step is to utilize industry-specific resources and technology. Move beyond the typical two-person manual approach used to aggregate and evaluate data for risk assessments by using the right technology. If your CFO runs a financial report, would they use an abacus? Of course not! Technology enables it to be done in a manner that accounts for all the unique operating requirements of a financial institution. So, why are FIs that use modern technology for other functions still using a static and inefficient approach for such an important process as risk assessment? Yes, we’re talking to you – the one still using Excel for risk assessments. Are you ready to reevaluate your approach?

DefenseStorm touts the “Four C’s” when grappling with the challenges of risk assessment. The assessments must be Continuous, Consistent, Centralized, and Clear. A one-and-done approach to risk assessment is simply insufficient. Real-world cyber threats don’t happen on an infrequent basis, so your assessments can’t either. Identification and assessment of potential threats must be done continuously and exercised in real-time as they materialize. Implementing a consistent plan for evaluating risks — as well as uniform application, scoring, and evidencing of internal controls within a centralized platform — ensures data accuracy and integrity. Lastly, gain a clear picture of how your institution’s risk profile has evolved over time by leveraging robust audit logs, dashboards, and reporting.

As you prepare for 2023, consider how you can get more value out of your institution’s approach to the risk assessment process. Remember, the point of the exercise is to continuously identify and measure risk so you can apply the correct controls and allocate the right resources in order to mitigate risks to a tolerable level. And acknowledge the value in using technology to centralize your risk measurement and control effectiveness evidence, which in turn provides a cohesive picture of your program. Ask yourself these questions,… how difficult was our process this year? What would my life be like if we improved our approach? And how would my institution benefit?

To learn more about the steps you can take to improve your risk assessment process, please join our informational webinar “More Benefit, Less Burden from Your Risk Assessment Process” on Thursday, December 1, at 2:00 pm EST.