Case Study: How Washington Trust Improved Understanding of their Security Risk

CHALLENGE

With financial institutions facing increasing cyberattacks and heightened regulatory scrutiny, Washington Trust Bank decided to take extra measures with their most recent annual IT risk assessment. Their goals were true transparency into the state of their information security risks, and better preparation for upcoming FDIC and State of Washington examinations.

SOLUTION

GMI Senior Risk Advisor, Greg Smith, worked with Washington Trust on their assessment.

“Banks are encouraged to do internal reviews, but by nature that means they can be biased. In this case, the head of Washington Trust’s risk department sought independent validation — and a very honest look at their IT risk.” They chose GMI for both our experience and uniquely informed approach.

Using the FFIEC standards as a jumping-off point, GMI worked diligently with Washington Trust to develop a more complete assessment of security controls and program maturity than they would have created on their own. The team began by expanding the bank’s documentation on how they were meeting requirements, answering almost 500 declarative statements within a single assessment and adding explanations where prudent. “Providing a line of sight into this level of detail allows every stakeholder to get a broader view of the bank’s security landscape.”

FFIEC CAT & QUANTITATIVE RISK ASSESSMENT

  • Grades controls against prevalent financial cyberattacks and FFIEC standards
  • Clearly identifies risk, providing a reliable range of potential financial losses
  • Provides independent program validation through the lens of prevalent industry attacks
  • Enables strategic spending where your financial risk is greatest

GMI then used the FFIEC Cybersecurity Assessment Tool (CAT) to verify the level of the bank’s inherent risk. The results of this standard, well-understood process served as the basis for evaluating the maturity of the IT security program.

Next, GMI implemented the Quantitative Risk Assessment, an approach that models current security against industry threat data to give context that helps more accurately quantify risk. “This step allowed us to prioritize the controls that protect against those specific types of attacks. It’s a unique approach that enables us to focus on the controls that will really make a difference in protecting the institution. It also informs where we recommend putting budget and resources to do the most good.”

Very quickly, GMI was able to identify some gaps in the bank’s current program, and help them address those gaps swiftly to reduce the most critical risks. GMI then created a reasonable timeline of security recommendations to be implemented within 3, 6, and 12 months to reduce risk over a relatively short period of time. The resulting, improved security plan could be shared with federal and state examiners.

Finally, GMI put the risk assessment into a report that the bank’s leadership and board could understand: cost, investment, and objective risk data. “Few institutions that we work with have an unlimited budget. We not only clearly identified the security risk, but also helped leaders put their budget towards what will have the most impact.”

Outcome

Washington Trust has clearer visibility regarding their IT risk. The quantification of their risk is grounded in a closer, impartial assessment of their program and informed by the current threat landscape. “They can now model — at a granular level — how the changes they’ve made have created an environment more resilient to attacks. This is important to every stakeholder of the institution.” The bank’s overall risk management strategy is better informed, allowing leadership to make stronger enterprise decisions. They have all of the documentation for when the examiners come. Plus, they now have a playbook for future FFIEC assessments, enabling them to run the same model in a year and track changes.
