Up until the near collapse of Silicon Valley Bank (SVB), few people were familiar with the concept of duration risk. Duration risk is a form of interest rate risk that can alter the value of a bank’s long-term assets (e.g., loans) and short-term liabilities (e.g., deposits). SVB and other banks recently became highly vulnerable to duration risk because they had invested a large share of their deposits in long-term government bonds. While these bonds were considered highly conservative at the time, the management of these financial institutions failed to factor in the risk that interest rates would rise at some point. Once the Federal Reserve dramatically increased rates, the value of these bonds plummeted and the bank became insolvent.
Don’t Underestimate Cybersecurity Risk
So, what does the story of SVB have to do with cybersecurity? An awful lot. In the same way that these banks underestimated their exposure to duration risk, many organizations underestimate their exposure to cybersecurity risk. Every enterprise carries risk in the form of exploitable vulnerabilities within its environment that threat actors can act upon, and these risks can bring down an organization.
In the case of SVB, it’s not that the management did anything “wrong” per se. They did, however, fail to recognize the changing interest rate environment. Similarly, many organizations fail to recognize the dynamic, evolving nature of cybersecurity. Many companies still rely on password protection alone to secure their user accounts, or continue to host high-value data on unencrypted storage repositories. While these practices may have sufficed years ago, they create gaping risks today for any enterprise, because new attack strategies, threats and malicious technologies are constantly being introduced.
Last year, the PCI Security Standards Council (PCI SSC) issued version 4.0 of the PCI Data Security Standard (PCI DSS). The updated version includes new stringent enforcement of MFA and new password requirements amongst other things.
The Necessity of Compliance
Many are wondering how this crisis in the banking sector could have happened after the 2008 financial crisis. Didn’t the government establish regulations and compliance requirements to prevent such events? Unfortunately, SVB is only the latest example of a failure of regulatory oversight. Not only did the bank’s governance framework, including its board of directors, executive management, internal auditors, and risk management teams, fail to identify the now obvious risks percolating within its financial framework; the risk also remained unchecked by state and federal regulators during routine examinations. Only when depositors started withdrawing their money at record pace did regulators step in to intercede, and only then did they realize the significant gulf in duration between assets and liabilities, in addition to a total lack of client diversity.
Like those regulators, some companies fail to bring proper attention and resources to data protection until an incident occurs. Then, unfortunately, it is too late. Should your organization ever find itself in litigation for a data breach, it will not matter what you did after the incident. The only relevant fact will be whether you fulfilled your “due diligence” in protecting your systems from plausible risk. This is the purpose of security standards such as PCI DSS, CCPA and HIPAA. In the case of PCI DSS, compliance helps ensure that companies implement the accepted security measures deemed necessary to protect cardholder data from theft or misuse. Not only does PCI DSS compliance provide proper guidance in protecting the personal data of your customers, but it also provides an insurance policy in the event of a breach. Documented, vigilant attention to these types of security standards illustrates that your company was not asleep at the wheel. It proves that your management fulfilled its internal responsibilities to take cyberthreats seriously and executed the security measures that a reasonable person would have applied in a similar situation.
The Time to Prepare for PCI DSS v4.0 is Now
PCI DSS v4.0 was published roughly a year ago, and in a little over a year its standards will be enforced. Are you aware of the new mandates you will be responsible for? For instance, requirement 6.4.3 requires companies to implement a method to confirm that all payment page scripts are authorized, that their integrity is assured, and that an inventory of those scripts is maintained. Also, requirement 12.3.1 requires organizations to perform and document a targeted risk analysis for each DSS requirement that is performed on a periodic cadence, so that companies can justify the specific cadence they choose for that control.
These are just two examples of the many changes that have been introduced. Don’t risk non-compliance with the upcoming standards. The time to begin addressing these changes is now. The mishap involving SVB could have been prevented with proper attention to risk management and compliance a year ago. Don’t make that mistake when it comes to securing your business. Review your current compliance needs against the upcoming changes. Schedule your PCI 4.0 preparedness assessment.
PCI Webinar Series
PCI DSS v3.2.1 expires on March 31, 2024. Organizations should now be planning their transition to PCI DSS v4.0. With 64 new requirements in PCI DSS v4.0, companies have a lot to consider in preparation for the coming deadline. In our PCI Webinar Series, learn about the general changes to 4.0, new requirements, how to conduct targeted risk analysis using DoCRA (Duty of Care Risk Analysis), and SAQ version comparisons to help organizations strategically plan their transition to PCI DSS 4.0.
Preparing for Your Transition to PCI DSS v4.0 | April 27, 2023, Thursday | 11am Central
A Deep Dive into the New 4.0 DSS Requirements that are Applicable Immediately | May 11, 2023, Thursday | 11am Central
A Deep Dive into the Emerging New 4.0 DSS Requirements that are Due by March 2025 | May 18, 2023, Thursday | 11am Central
How to do Targeted Risk Analysis using a Duty of Care Risk Analysis method | May 25, 2023, Thursday | 11am Central
SAQ Comparison Summaries | June 1, 2023, Thursday | 11am Central