How Will NIST Framework Affect Banks? Assessing the Pros, Cons of the Security Best Practices Guidance
Bill Stewart
The NIST cybersecurity framework will help U.S. banking institutions assess their security strategies, but some institutions fear the framework could trigger unnecessary regulations, says Bill Stewart of Booz Allen Hamilton.

In its new list of the top financial services cybersecurity trends for 2014, the consulting firm says cyber-attacks are the "new normal" for the industry. But the National Institute of Standards and Technology's cybersecurity framework, slated for release in February, could play a role in helping banking institutions obtain cyber-insurance to offset the liability for these pervasive threats, Booz Allen Hamilton points out.

The framework will help banking institutions by providing "a much more standard way to measure what institutions are doing [on security] and measure exposures once they do occur," says Stewart, senior vice president at Booz Allen Hamilton. And by developing a better understanding of their risks, banking institutions may be better able to qualify for cyber-insurance, he says.

"Part of what you need to have insurance in any area is an understanding of what the risks are and a framework for understanding and evaluating the exposure," he points out in an interview with Information Security Media Group.

Although the NIST cybersecurity framework, which is designed to provide best practices for protecting the nation's critical infrastructure, will prove helpful to the financial services industry, "there also, quite frankly, are concerns on the part of the banking industry around potential new regulation that could emerge from the NIST framework," Stewart says. That's why it's important for financial services organizations and associations to work together to "make sure we don't get overregulation or cumbersome standards" that are difficult to implement, he says.

Information Sharing

During this interview, Stewart also discusses other top trends noted in Booz Allen's list, including:

  • The need to identify and share actionable threat intelligence. "The government has an intent around sharing more information, and we all recognize that process needs to improve," Stewart says.
  • Emerging mobile malware attacks and why most banking institutions are ill-prepared to defend themselves;
  • The use of big data to improve fraud detection, as well as the need to ensure security of data stored in the cloud;
  • The increased security risks that smaller and regional institutions face as larger institutions become harder targets for fraudsters as a result of ramped-up security.

Stewart has more than 25 years of professional experience in designing, developing and deploying cybersecurity solutions. At Booz Allen Hamilton, he leads the firm's Cyber Technologies Center of Excellence. Before joining Booz Allen, Stewart worked for a major electronics firm, where he developed communications security and key management devices.



