Is Your MSP Helping You Meet Evolving Regulatory Priorities? It Should Be.
By Jeff Olejnik
The cybersecurity threat landscape is constantly evolving. And while the FFIEC Cybersecurity Assessment Tool (CAT) provides a reference for the controls required based on your inherent risk profile, the reality is that it hasn’t been updated since May 2017 — and a lot has changed since then.
To protect your financial institution, it’s essential to stay informed about developments in the cyberthreat landscape and the latest regulatory priorities.
The OCC identified regulatory priorities for cybersecurity and operations in its Fiscal Year 2024 Bank Supervision Operating Plan, highlighting key areas, including incident response, data recovery and operational resilience.
Most financial institutions use a managed service provider (MSP) to help provide IT and security support. An MSP can also help close the talent gap by giving you access to specialized expertise at a lower cost.
However, your choice of MSP is also critical for helping your organization meet regulatory priorities. The right MSP can help you respond to regulatory and cyberthreat updates, while inferior service can introduce operational risk and compliance concerns.
Here are six areas where your MSP security services should be helping you meet regulatory priorities and mitigate risk:
- Incident response
Establishing and regularly rehearsing your incident response plan is a crucial part of addressing cyberattacks.
When a cybersecurity incident occurs, the immediate reaction is to take steps to fix the situation — often by rebuilding the workstation or server that was compromised. However, these actions can delete all evidence, making it nearly impossible to conduct a forensic investigation.
Your MSP should be aware of its role in your incident response plan as an active partner in retaining evidence of an attack. Make sure your MSP understands that role and is willing to help you identify and act on opportunities to gather evidence, and to work with your digital forensics team during an incident.
- Data recovery
Testing is vital to maintaining an effective business continuity program. In addition to monitoring your backup system, your MSP should be helping you perform monthly file-level recovery tests and annual full recovery tests.
Also provide your MSP with the recovery time objectives and recovery point objectives (RTO and RPO) for the systems and applications they support, and confirm that their recovery strategy meets those requirements.
And if you’re uncertain of what your RTO and RPO should be, consider working with an MSP or a business continuity planning specialist who can help you develop or improve your business impact analysis.
- Operational resilience
Your MSP should be supporting your vulnerability management program, including periodic vulnerability scanning, patching and updating computers and network devices to help ensure known vulnerabilities are addressed — even for non-Microsoft applications (e.g. Adobe, Flash). Additionally, your MSP should be assisting you with IT asset management, including replacing deprecated, end-of-life equipment so that it doesn’t introduce security vulnerabilities.
- Cybersecurity risks
Work with an MSP who can provide managed advanced endpoint detection and response (EDR).
Traditional antivirus software checks files and programs against a list of known-bad signatures. Advanced EDR monitors activity on the endpoint itself, looking at how programs and files behave, which allows you to quickly detect and isolate ransomware and other malware before it spreads to other computers, minimizing the damage.
Your MSP should be using both to keep your institution safe.
- Unauthorized authentication and access
A quality MSP can assist you with authentication and access controls. Their support should include multifactor authentication implementation, regular removal of users who are no longer within your organization and monthly reports identifying dormant accounts.
You also need to be aware of how your MSP accesses your network and systems.
The baseline requirements in the FFIEC CAT include encrypted connections and multifactor authentication for contractors and third parties. MSPs service many clients, and this baseline requirement is commonly not met. In fact, many MSPs share passwords among employees or even use the same administrator password to provide convenient access to multiple clients. This practice, however, introduces risk to your institution.
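As an added example (not part of the original article, and not Wipfli's own tooling), here is a Python check that produces the monthly report described above: dormant accounts, accounts of departed users that are still enabled, and third-party accounts such as MSP logins that lack MFA. The account rows and separations list are constructed sample data, and the 90-day dormancy threshold is an assumption to set per your own policy.

```python
from datetime import date, timedelta

# Constructed sample input: a directory export (one row per account) and the
# HR separations list. A real review would pull these from AD/IdP and HRIS.
ACCOUNTS = [
    {"user": "jdoe",       "enabled": True,  "last_logon": "2024-05-02", "third_party": False, "mfa": True},
    {"user": "asmith",     "enabled": True,  "last_logon": "2024-01-15", "third_party": False, "mfa": True},
    {"user": "msp-admin",  "enabled": True,  "last_logon": "2024-05-10", "third_party": True,  "mfa": False},
    {"user": "msp-tech2",  "enabled": True,  "last_logon": "2023-11-30", "third_party": True,  "mfa": True},
    {"user": "bwong",      "enabled": False, "last_logon": "2023-12-01", "third_party": False, "mfa": True},
    {"user": "svc-backup", "enabled": True,  "last_logon": None,         "third_party": True,  "mfa": False},
]
SEPARATED_USERS = {"asmith"}  # people HR reports as having left the organization
DORMANT_DAYS = 90             # assumed dormancy threshold; set per your policy


def access_review(accounts, separated, as_of, dormant_days=DORMANT_DAYS):
    """Return the three finding lists a monthly access review should surface."""
    cutoff = as_of - timedelta(days=dormant_days)
    findings = {"dormant": [], "separated_still_enabled": [], "third_party_no_mfa": []}
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled; nothing to act on
        user = acct["user"]
        if user in separated:
            findings["separated_still_enabled"].append(user)
        # An account that has never logged on counts as dormant as well.
        last = date.fromisoformat(acct["last_logon"]) if acct["last_logon"] else None
        if last is None or last < cutoff:
            findings["dormant"].append(user)
        # FFIEC CAT baseline: MFA for contractors and third parties (the MSP included).
        if acct["third_party"] and not acct["mfa"]:
            findings["third_party_no_mfa"].append(user)
    return findings


def run_sample_review(as_of_iso="2024-05-15"):
    """Run the review over the constructed data for a given report date."""
    return access_review(ACCOUNTS, SEPARATED_USERS, date.fromisoformat(as_of_iso))


if __name__ == "__main__":
    for category, users in run_sample_review().items():
        print(f"{category}: {', '.join(users) or 'none'}")
```

Each finding maps to an action item for the MSP: disable the separated user, review or disable the dormant accounts, and enroll the third-party accounts in MFA before the next monthly report.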
- Third- and fourth-party risks
As a third-party provider, your MSP should ensure that its own security practices are helping keep your institution safe. However, many providers engage in practices that may expose you to operational risk.
During your vendor due diligence process, make sure you not only understand your MSP’s controls, but also those of your MSP’s vendors, such as cloud service, data backup and remote monitoring and management providers. Kaseya and SolarWinds are examples of how fourth parties used by MSPs led to breaches of the MSP’s clients.
A new and rising threat vector is your vendors’ use of AI. Your vendor due diligence needs to include questions about how AI is used, what data is shared and how your security and privacy are protected with the large language models used by your MSP.
How Wipfli can help
Wipfli’s MSP services bring industry-specific experience and cybersecurity know-how to help make your institution more efficient and secure. We understand the complex regulatory environment and unique business operations financial institutions face, making us capable of providing you with the targeted support you need.
Our MSP services can do more to protect your financial institution. Contact us today to learn how.