Communications Compliance is Taking Center Stage in the Boardroom

Within the modern governance landscape in financial services, communications compliance has emerged as a critical issue, spurred by the staggering fines for unmonitored communications that have surpassed $2 billion USD in the United States alone. In February 2024, an additional 16 firms faced SEC fines totaling $81 million, signaling a zero-tolerance stance by regulators against compliance violations.

The Cisco and Theta Lake partnership, established in 2018, reflects a strategic response to these challenges. Theta Lake enhances the security and compliance features of Cisco’s Webex collaboration suite. This joint solution ensures institutions can safely harness the power of Webex’s functionalities, while significantly reducing the risk of penalties, increasing user satisfaction, and enhancing ROI (return on investment).

Theta Lake’s “Digital Communications Governance, Compliance, and Security Survey” for 2023/24, sheds light on the evolving landscape. With independent responses from over 600 IT and compliance professionals, the Theta Lake report reveals that 40% of firms have now elevated communications compliance to a board-level concern, underscoring the pressing demand for a revamped compliance and security framework for Unified Communications and Collaboration (UCC) tools that are integral to the modern workplace.

Why Are Firms Reevaluating Their Communications Compliance Strategies?

The survey indicates a widespread reassessment of communications compliance strategies in financial services, with 77% of respondents revising their approaches, 17% planning to do so, and 45% considering a complete overhaul. Traditional methods often fail to seamlessly capture, retain, and supervise across diverse communication platforms, leading to inefficiencies and compliance lapses. To counter these challenges, organizations are restricting key features that users want and need, inadvertently pushing employees towards unmonitored channels.

Theta Lake, in partnership with Cisco Webex, offers a purpose-built compliance, supervision, and security solution that integrates seamlessly across the Webex Suite, whether content is displayed, shared, spoken, or written. This solution brings significant value to leading organizations, including some of Webex’s largest customers—six of the top ten North American banks.

Where Should Organizations Begin When Overhauling Their Digital Communications Strategy?

Addressing compliance complexities requires a structured, proactive approach. In a rapidly evolving digital landscape, organizations must anticipate regulatory expectations and strategically overhaul their digital communications governance.

Cisco and Theta Lake recommend a three-point strategy:

• Effective Data Capture: Accurate and reliable record keeping starts by capturing the correct data at its source, along with its context and time of origin. This step is crucial for reconciliation and reporting.
• Record Navigation: With comprehensive record keeping across various channels, searching and navigating records and their interwoven communications becomes both possible and efficient.
• AI-Enhanced Compliance Scaling: AI (Artificial Intelligence) technology, specifically tailored for compliance, helps manage and oversee vast amounts of communication records, enabling institutions to identify and mitigate risks and maintain robust compliance standards.

Theta Lake: A Cisco SolutionsPlus Partner

The Cisco SolutionsPlus program features tested Cisco Compatible products. As a SolutionsPlus partner focused on collaboration and security, Theta Lake’s solution for the Webex Suite is available for purchase through the Cisco price list. This includes fully compliant capture, archiving (in existing systems or Theta Lake’s SEC-17a-4 compliant environment), and built-in policy-based AI-enabled risk detection/remediation/redaction capabilities for:

• Webex Calling & Customer Experience Essentials (New!): Voice Recordings, Business Texts (SMS), and Call Detail Records.
• Webex Meetings & Selective In-Meeting Communications: Video recordings, and selective archiving of any or all meeting components including audio or in-meeting eComms (such as chat, polling, Q&A, transcripts, and closed captioning).
• Webex Messaging: All content, replies, and reactions—including files and rich media (like images and GIFs).
• Polling/Slido: All content including polls, Q&A, surveys, and more.
• Webex Connect: Archiving & supervision support of log exports via SMTP or Rest API for SMS and omnichannel content.

In an era of intense regulatory oversight, Cisco and Theta Lake’s joint solutions have transitioned from a strategic asset to an essential requirement for financial services organizations aiming to ensure robust communications compliance.

Source: cisco.com

Continue reading

Maintaining Digital Compliance with the PCI DSS 4.0

The Payment Card Industry data security standards have evolved since 2002 when the first version was released. The most recent update, version 4.0.1, was released in June 2024. This updates the PCI 4.0 standard, which  has significant updates to both scope and requirements. These requirements are being phased now and through March 2025.

Cisco has been involved with PCI since the outset, having a seat on the board of advisors and helping craft the development of PCI standards through different evolutions. Cisco has consulted extensively with customers to help meet the requirements and provided extensive user friendly documentation on how customers can meet the requirements, both in minimizing the scope of the assessment as well as in ensuring security controls are present. We have released systems that are PCI compliant in control aspects as well as data plane aspects, and have built-in out-of-the box audit capabilities in a number of infrastructure based, and security based, solutions.

The purpose of this blog is to walk into the PCI DSS 4.0 with a focus on architects, leaders, and partners who have to navigate this transition. We will discuss what is new and relevant with PCI DSS 4.0, its goals and changes. We will then explore products and solution that customers are actively using in meeting these requirements, and how our products are evolving to meet the new requirements. This will be targeted to teams who already have been on the PCI journey. We’ll transition to an expansion into PCI DSS in more detail, for teams that are newer to the requirements framework.

One thing that is important to note about the 4.0 update, is it will be a phased rollout. Phase 1 items (13 requirements) had a deadline of March 31, 2024. The second phase is much larger and more time has been given, but it is coming up soon. Phase 2 has 51 technical requirements, and is due May of 2025.

Implementation timelines as per PCI At a Glance

What’s new in PCI DSS 4.0, and what are its goals?

There are many changes in PCI DSS 4.0. these were guided by four overarching goals and themes:

Continue to meet the security needs of the payments industry.

Security is evolving at a rapid clip, the amount of public CVE’s published has doubled in the past 7 years (source: Statista). The evolving attack landscape is pushing security controls, and new  types of attack require new standards. Examples of this evolution are new requirements around Multi-Factor authentication, new password requirements, and new e-commerce and phishing controls.

Promote security as a continuous process

Point in time audits are useful but do not speak to the ongoing rigor and operational hygiene needed to ensure the proper level of security controls are in place in a changing security environment. This step is an important step in recognizing the need for continual service improvement vis-a-vis an audit. This means that process will be have additional audit criteria in addition to the application of a security control.

Provide flexibility in maintaining payment security

The standard now allows for risk based customized approaches to solving security challenges which is reflective to both the changing security environment, and the changing financial application environments. If the intent of the security control is able to be met with a novel approach, it can be considered as fulfilling a PCI requirement.

Enhance validation methods and procedures for compliance

“Clear validation and reporting options support transparency and granularity.” (PCI 4.0 at a glance).  Clarity in the measurements and reporting is articulated. This is important for a number of factors, you can’t improve what you don’t measure, and if you’re not systematically tracking it in well-defined language, it is cumbersome to reconcile. This focus will make reports such as the attestation report more closely aligned to reports on compliance and self-assessment questionnaires.

How Cisco helps customers meet their PCI Requirements.

Below is a table that briefly summarizes the requirements and technology solutions that customers can leverage to satisfy these requirements. We will go deeper into all of the requirements and the technical solutions to these.

PCI DSS 4.0 Requirement	Cisco Technology/Solution
1. Install and Maintain network security control.	Cisco Firepower Next-Generation Firewall (NGFW), ACI, SDA, Cisco SDWan, Hypershield, Panoptica, Cisco Secure Workload
2. Apply secure configurations to all system components.	Catalyst center, Meraki, Cisco SDWan, Cisco ACI, Cisco CX Best Practice configuration report
3. Protect stored cardholder data	Cisco Advanced Malware Protection (AMP) for Endpoints
4. Protect cardholder data with strong cryptography during transmission over open, public networks	Wireless Security requirements satisfied with Catalyst Center and Meraki
5. Protect all systems and networks from malicious software	Cisco AMP for Endpoints
6. Develop and Maintain secure systems and software	Meraki, Catalyst Center, ACI, Firepower, SDWan. Cisco Vulnerability Manager
7. Restrict access to cardholder data by business need-to-know	Cisco ISE, Cisco Duo, Trustsec, SDA, Firepower
8. Identify users and authenticate access to system components	Cisco Duo for Multi-Factor Authentication (MFA), Cisco ISE, Splunk
9. Restrict physical access to cardholder data	Cisco Video Surveillance Manager, Meraki MV, Cisco IOT product suite
10. Log and monitor all access to system components and cardholder data	Thousand Eyes, Accedian, Splunk
11. Test security of systems and networks regularly	Cisco Secure Network Analytics (Stealthwatch), Cisco Advanced Malware Protection, Cisco Catalyst Center, Cisco Splunk
12. Support information security with organizational policies and programs	Cisco CX Consulting and Incident Response, Cisco U

A more detailed look at the requirements and solutions is below:

Requirement 1: Install and Maintain network security control.

This requirement is will ensure that appropriate network security controls are in place to protect the cardholder data environment (CDE) from malicious devices, actors, and connectivity from the rest of the network. For network and security architects, this is a major focus of applying security controls. Quite simply this is all the technology and process to ensure “Network connections between trusted and untrusted networks are controlled.” This includes physical and logical segments, networks, cloud, and compute controls for use cases of dual attached servers.

Cisco helps customers meet this requirement through a number of different technologies. We have traditional controls include Firepower security, network segmentation via ACI, IPS, SD-Wan, and other network segmentation items. Newer technologies such as cloud security, multi cloud defense, hypershield, Panoptica and Cisco Secure Workload are helping meet the virtual requirements. Given the relevance of this control to network security, and the breadth of Cisco products, that list is not exhaustive, and there are a number of other products that can help meet this control that are beyond the scope of this blog.

Requirement 2: Apply secure configurations to all system components.

This requirement is to ensure processes for components are in place to have proper hardening and best practice configurations applied to minimize attack surfaces. This includes ensuring unused services are disabled, passwords have a level of complexity, and best practice hardening is applied to all system components.

This requirement is met with a number of controller based assessments of infrastructure, such as Catalyst center being able to report on configuration drift and best practices not being followed, Meraki, and SDWan as well. Multivendor solutions such as Cisco NSO can also help ensure configuration compliance is maintained. There are also numerous CX advanced services reports that can be run across the infrastructure to ensure Cisco best practices are being followed, with a corresponding report and artifact that can be used.

Requirement 3: Protect stored account data.

This requirement is application and database settings, and there isn’t a direct linkage to infrastructure. Analysis of how account data is stored, what is stored, and where it is stored, as well as cursory encryption for data at rest and the process for managing these, are covered in this requirement.

Requirement 4: Protect cardholder data with strong cryptography during transmission over open, public networks

This requirement is to ensure encryption of the primary account number when transmitted over open and public networks. Ideally this should be encrypted prior to transmission, but the scope applies also to wireless network encryption and authentication protocols as these have been attacked to attempt to enter the cardholder data environment. Ensuring appropriate security of the wireless networks can be done by the Catalyst Center and Meraki in ensuring appropriate settings are enabled.

Requirement 5: Protect all systems and networks from malicious software

Prevention of malware is a critical function for security teams in ensuring the integrity of the financial systems. This requirement focuses on malware and phishing, security and controls, across the breadth of devices that can make up the IT infrastructure.

This requirement is met with a number of Cisco security controls, Email security, Advanced malware protection for networks and for endpoints, NGFW, Cisco Umbrella, secure network analytics, and encrypted traffic analytics are just some of the solutions that must be brought to bear to adequately address this requirement.

Requirement 6: Develop and Maintain secure systems and software

Security vulnerabilities are a clear and present danger to the integrity of the entire payments platform. PCI recognizes the need for having the proper people, process, and technologies to update and maintain systems in an ongoing basis. Having a process for monitoring and applying vendor security patches, and maintaining strong development practices for bespoke software, is critical for protecting cardholder information.

This requirement is met with a number of controller based capabilities to assess and deploy software consistently and at speed, Meraki, Catalyst Center, ACI, Firepower and SD-Wan, all have the ability to monitor and maintain software. In addition, Cisco vulnerability manager is a unique capability to take into account real world metrics of publicly disclosed CVE’s in order to prioritize the most important and impactful patches to apply. Given the breadth of an IT environments software, attempting to do everything at equal priority means you are systematically not addressing the critical risks as quickly as possible. In order to address your priorities you must first prioritize, and Cisco vulnerability manager software helps financials solve this problem.

Requirement 7: Restrict access to cardholder data by business need-to-know

Authorization and application of least privilege access is a best practice, and enforced with this requirement. Applied at the network, application, and data level, access to critical systems must be limited to authorized people and systems based on need to know and according to job responsibilities.

The systems used to meet this requirement are in many cases, shared with requirement 8. With zero trust and context based access controls we include identification in with authorization, using role based access controls and context based access controls. Some of these can be provided via Cisco identity services engine, which has the ability to take into account a number of factors outside of identity (geography, VPN status, time of day), when making an authorization decision. Cisco DUO is also used extensively by financial institutions for context based capabilities for zero trust. For network security enforcement of job roles accessing the cardholder data environment, Cisco firepower and Software Defined access have the capabilities to make context and role based access decisions to help satisfy this requirement. For monitoring the required admin level controls to prevent privilege escalation and usage of root or system level accounts, Cisco Splunk can help teams ensure they are monitoring and able to satisfy these requirements.

Requirement 8: Identify users and authenticate access to system components

Identification of a user is critical to ensuring the authorization components are working. Ensuring a lifecycle for accounts and authentication controls are strictly managed are required. To satisfy this requirement, strong authentication controls must be in place, and teams must ensure Multi-factor authentication is in place for the cardholder data environments. They also must have strong processes around user identification are in place.

Cisco ISE and Cisco Duo can help teams satisfy the security controls around authentication controls and MFA. Coupled with that, Cisco Splunk can help meet the logging and auditing requirements of ensuring this security control is acting as expected.

Requirement 9: Restrict physical access to cardholder data

“Physical access to cardholder data or systems that store, process, or transmit cardholder data should be restricted so that unauthorized individuals cannot access or remove systems or hardcopies containing this data.” (PCI QRG). This affects security and access controls for facilities and systems, for personnel and visitors. It also contains guidance for how to manage media with cardholder data.

Outside the typical remit of traditional Cisco switches and routers, these devices play a supporting role in supporting the infrastructure of cameras and IOT devices used for access controls.  Some financials have deployed separate air gapped IOT networks with the cost efficiencies and simplified stack Meraki devices, which simplifies audit and administration of these environments. The legacy proprietary camera networks have been IP enabled, and support wired and wireless, and Meraki MV cameras offer cost affordable ways to scale out physical security controls securely and at speed. For building management systems, Cisco has a suite of IOT devices that support building physical interface capabilities, hardened environmental capabilities, and support for IOT protocols used in building management (BACNET). These can integrate together and log to Cisco Splunk for consolidated logging of physical access across all vendors and all access types.

Requirement 10: Log and monitor all access to system components and cardholder data

Financial institutions must be able to validate the fidelity of their financial transaction systems and all supporting infrastructure. Basic security hygiene includes logging and monitoring of all access to systems. This requirement spells out the best practice processes for how to conduct and manage logging of infrastructure devices that allow for forensic analysis, early detection, alarming, and root cause of issues.

Cisco and Splunk are the world leader in infrastructure log analytics for both infrastructure and security teams. It is deployed at the majority of large financials today to meet these requirements. To compliment this, active synthetic traffic such as Cisco Thousand Eyes and Accedian help financials detect failures in critical security control systems faster to satisfy requirement 10.7.

Requirement 11: Test security of systems and networks regularly

“Vulnerabilities are being discovered continually by malicious individuals and researchers, and being introduced by new software. System components, processes, and bespoke and custom software should be tested frequently to ensure security controls continue to reflect a changing environment.” (PCI QRG)

One of the largest pain points financials face is the management of applying regular security patching across their entire fleet. The rate of CVE’s released has doubled in the past 7 years, and tools like Cisco Vulnerability management is critical prioritizing an infinite security need against a finite amount of resources. Additional Cisco tools that can help satisfy this requirement is: Cisco Secure Network Analytics (11.5), Cisco Advanced Malware protection (11.5), Cisco Catalyst Center (11.2), Cisco Splunk (11.6).

Requirement 12: Support information security with organizational policies and programs

People, process, and technology all need to be addressed for a robust security program that can satisfy PCI requirements. This requirement focuses on the people and process that are instrumental in supporting the secure PCI environment. Items like security awareness training, which can be addressed with Cisco U, are included. Cisco CX has extensive experience consulting with security organizations and can help review and create policies that can help the organization stay secure. Finally, having a Cisco Incident Response program already lined up can help satisfy requirement 12.10 for being able to immediately respond to incidents.

Source: cisco.com

Continue reading

Four ways DORA compliance is an opportunity for financial services organizations to accelerate digital transformation

Digital services now play a key role in the European economy. The potential catastrophic consequences of these services being compromised has driven the European Commission to introduce The Digital Operational Resilience Act (DORA).

Supported by the right technology partner, financial service institutions (FSIs) can turn compliance into competitive advantage, while hardening operational resilience, across four key areas:

1. Business continuity in the event of ICT third-party provider disruptions (Multicloud Operations & Service Substitutability).
2. Business optimization with enhanced telemetry and insights so leaders can make the data driven decisions with confidence (Observability & Data Quality).
3. Improved operational experience by minimizing downtime through ICT and cyber recovery plans (Back to Health).
4. Delivering exceptional customer experience by improving service quality, availability, and robustness (Resilience by Design).

How will DORA impact your organization?

From January 2025 FSIs will be required to deliver to a set of criteria, templates, and directives to assure continued delivery of Important Business Services (IBS) to customers. These will check and prove their ability to maintain a proactive stance on security, and ensure they are able to endure, address, and recover from the impact of ICT incidents.

Why is DORA an opportunity to deliver greater resilience?

Cisco believe these regulatory requirements are an opportunity for the financial sector to further implement digital transformation across the enterprise. DORA is a catalyst to move from siloed, fragmented ‘best-of-breed’ approaches to a more holistic strategy driven by top-down cultural change. Supported with agile service delivery practices organizations can proactively and incrementally address evolving business continuity requirements. This marks an opportunity for FSI’s to rethink how they harden their operational resilience through capabilities such as IBS mapping alongside ICT and cyber operational transformation.

How can Cisco partner with you to achieve operational resilience?

Cisco’s portfolio is uniquely positioned to support FSIs in the journey to strengthen cyber resilience, ICT resilient operations, and to map important business services across four key areas:

Multicloud Operations & Service Substitutability to enable business continuity for FSIs in the event of ICT third-party provider disruptions (e.g. cloud provider services). We achieve this through:

• Multicloud service automation enabling the journey to any cloud
• Digital experience monitoring
• Third party risk management assuring ‘substitutability’ of cloud services

Observability & Data Quality by working with FSIs to define IBS entity dependencies. Helping to create dashboards and reports that provide the insights relevant to the different business stakeholders. Key solutions in this area are:

• Full-stack observability tooling
• Enhancing telemetry & insights, through best-in-class data management and AI generated insights
• IT asset management (including software and hardware) for improved accuracy and data hygiene

Back to Health by tailoring and executing ICT and cyber recovery plans. We do so through:

• Cyber security simulation (red and purple teaming)
• Maturity assessments for capability gap analysis
• Resiliency testing and validation as part of the CI/CD delivery pipeline and digital twins

Resilience by Design through driving ICT operational maturity, resulting in improved service quality, availability, and robustness. This can be achieved through:

• Improve operational effectiveness through better integration of people process technology and tools
• An end-to-end security platform for consistent policy orchestration and implementation. Remediating security related events fast and consistently
• Threat Intelligence & Modelling and include a ‘Shift left’ mentality in the development lifecycle.

Putting these key areas into a maturity journey context, we can assess where your organization is with regards to operational resilience. This will help with mutual understanding what is needed to take the next maturity steps as shown in the table below.

We have worked as a trusted partner in helping organizations globally across all verticals to achieve operational resilience. Our extensive experience of helping customers through our comprehensive portfolio of solutions and services can support each FSI’s unique journey to DORA compliance.

Source: cisco.com

Continue reading

Cisco Contact Center Delivering Visibility to Improve the Banking Experience

“If you don’t know what’s happening, you don’t know what’s happening” is powerful statement about the missing knowledge that can complete an ideal banking customer experience. It is a reminder of the critical role the contact center plays in the evolution of digital channels and modern cross-channel customer journeys in the financial services space. This is especially true in banking where the adaptability of contact centers ensured the continuity of financial services for consumers and small businesses in the early months of the Covid-19 pandemic.

Customer feedback

I realized a few weeks earlier that I was in the ‘you don’t know what’s happening’ camp after participating in BAI’s 2023 Banking Contact Center Executive Roundtable, sponsored by Cisco. Since 1924, BAI has helped financial services leaders prepare for what’s next through thought-leadership, training, business intelligence, and collaborative engagement including executive roundtables. This two day event was a great opportunity for me to learn from industry practitioners and I was particularly interested to hear how banking contact centers were supporting the increasing cross-channel customer journeys that result from ongoing digitization in financial services.

Listening to contact center leaders representing ten regional and super-regional banks raised my awareness of the unique value of contact centers, their challenges, and the ability of these leaders to manage what is possibly the most dynamic workforce and technology environment inside a bank.

‘Customer experience correlates with agent experience’ was a recurring theme throughout the roundtable, reflecting the importance of agent onboarding and training and the increasing significance of agent technology. The frequency and breadth of customer interaction often results in agents developing institutional knowledge faster than new bankers, but agent workloads also lead to high turnover. Leveraging technology to optimize agent workloads and providing advancement opportunities into other bank sales and service roles helps improve execution, talent retention, and growth. Notably, the roundtable institutions were satisfied with their ability to measure agent productivity whether agents primarily worked from home or are back in the office.

Contact center leaders are looking to take advantage of the next generation of self-service capabilities such as intelligent IVR’s, chatbots, and virtual agents to optimize customer experience, agent workload, and interaction costs.

Throughout the discussions, leaders highlighted the need for continued efforts and investments to reduce operational complexity, drive efficiency, and elevate the agent experience. The shared experience among these contact center leaders is that a world-class customer experience requires a world-class agent experience. To achieve this, a few north star objectives were identified:

• Streamlining the agent desktop – fewer discrete apps and better app data integration
• Extracting intelligent insights from full visibility of cross-channel customer journeys
• Providing agents with the best guidance and options in real-time
• Utilizing best-in-class workforce management and automation

Cisco expertise

The group also heard from my colleague Jono Luk – VP, Product Management for Webex who shared his knowledge about technology advances in contact center solutions that address these needs, notably the advantages of a unified CX platform, the flexibility of the cloud, and the power of AI across a broad scope of opportunities.

Jono highlighted the capabilities that agents need in order to support banking customer journeys that are increasingly personalized, cross-channel, and almost certainly involve the contact center at some point in the journey.

The banking industry, and safe to say most of financial services, currently have limited visibility of a customer’s journey prior to reaching a contact center agent. Part of the challenge is the need for more capable contact center platforms and continuing to consolidate the number of applications on the agent desktop.

Webex by Cisco

But it’s also clear the banking industry must continue to improve collaboration between LOB’s and the contact center to create awareness of the importance for holistic journey insights and to accelerate investment. Responsibility for the primary contact center is now with the Retail LOB, but many leaders cited the need for better coordination. Jono shared Cisco’s perspective on the benefits of a unified CX platform built specifically to support connected customer journeys across a customer lifecycle.

Webex by Cisco is designed for exactly that – a suite of integrated cloud-native capabilities that support a broader range of interactions (calling, video, messaging, SMS, Social, and more), with advanced AI functionality, business workflow integrations, mobile app integrations, and a robust contact center with a composable agent interface.

Financial institutions often have several contact centers supporting different LOB’s such as Credit Card, Wealth Management, and Mortgage, or even internal functions like the help desk. In my experience, it’s not that uncommon to find teams that still use spreadsheets to manage inbound and outbound calling. These represent good opportunities for institutions to quickly discover the transformative capabilities of a unified CX platform like Webex and to understand it’s potential for primary banking contact centers.

This year due to the ever increasing importance of contact centers in supporting cross-channel customer journeys we added it as a use case in the Cisco Portfolio Explorer for Financial Services. We annually review the use cases in it to make sure we are providing the latest trends and focuses we are hearing from our clients. As you have read the contact center is where it is at deliver exceptional client service and engaged and informative employees.

Source: cisco.com

Continue reading

An Introduction to Understanding FFIEC Regulations

Regulatory requirements are a key operational concern that we hear about from our financial customers. As a key provider of technology for mission-critical financial system infrastructures across the globe, Cisco is held to the highest levels of scrutiny in the financial services regulatory audit chain. We have helped customers navigate the complex requirements and landscape to help keep them protected, when 100% of their business, relies on our equipment in the value chain.

A key challenge is managing iterations of infrastructure in global financial enterprises which have spanned 50+ years of digitization. These systems are continually being updated with newer and better ones; however, it takes a long time to sunset the legacy technology.  This leads to many generations of installed technology sets with diverse hardware and software systems, all that need to be tracked and managed, secured, and audited. Regular external examination is a necessary challenge to ensure hygiene of these systems are maintained amidst a backdrop of increasing cyber risk.

Streamlining the IT audit process

The Federal Financial Institutions Examination Council—or better known as the FFIEC—is a formal U.S. government interagency body charged with helping streamline the audit process. A number of our financial institution customers are regulated by multiple, and different, regulatory bodies. In the U.S. a few agencies include the Federal Reserve (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller (OCC), and the Consumer Financial Protection Bureau (CFPB). Without consistency, if every agency had their own examination criteria for assessment it would be exceptionally difficult for financial institutions to get work done.

To help streamline audit, the FFIEC as an interagency body, creates uniform principles, standards, and report forms for federal examinations of financial institutions. Having a consistent set of audit criteria and forms, a financial institution can have one audit that satisfies numerous federal regulatory agencies and keeps it a level regulatory playing field. The FFIEC’s scope is much broader than simply the IT aspects of digital financials, as it includes credit markets, fraud, BSA/AML, liquidity, and other areas of interest for regulatory bodies.

IT Governance in Financial Services

Over the next few weeks and months we’ll be contributing blogs that will focus on the FFIEC’s requirements in the information technology space, covering the below distinct areas:

◉ The Cybersecurity Maturity Assessment and how to use it

◉ The 2021 Updates in the Architecture, Infrastructure, and Operations book

    ◉ Hardware and Software Lifecycles

    ◉ Common Risk Management Topics: Architecture, Data, IT

    ◉ Infrastructure Management

    ◉ Operations and Operational Processes

◉ Cisco tools that can satisfy regulatory governance requirements

The goal for this series of blogs is to help the IT teams of financial institutions be aware of the regulatory concepts dealt with further upstream in an organization, and to promote tools that simplify the hardening of systems and streamlining audits.

Source: cisco.com

Continue reading

FFIEC Cybersecurity Maturity Assessment Tool

Financial institutions have to be vigilant in the face of a continually evolving cybersecurity threat landscape. As these have attacks have evolved, regulatory bodies have updated their regulations to account for the increasing threat of cyber risk. In 2015, following a significant increase in nation state and hacktivist attacks on U.S. financial institutions, the FFIEC released new guidance and a Cybersecurity Assessment Tool for institutions to self assess their risks and determine their cybersecurity maturity. This was revised in 2017, and this consistent framework is intended to be able to help leadership and the board assess their preparedness and risk over time. This framework is especially relevant given the recent FFIEC Architecture and Operations update and the Executive Order on Cybersecurity from 2021.

The purpose of this blog is to assist our IT based customers and partners with a concise and high level understanding of the FFIEC Cybersecurity Assessment Tool and derivative impacts on their current and future day to day operations. It is part of a multipart blog series on financial regulations and how to manage them architecturally, geared towards IT leadership.

The Cybersecurity Assessment Tool is fairly intuitive to use and the exercise should not be arduous for an organization to complete. The assessment applies principles of the FFIEC IT Handbook and the NIST Cybersecurity Framework. The intention here was to be complimentary to existing frameworks and supportive of existing audit criteria. The FFIEC has released a mapping of the Cybersecurity Assessment Tool and the NIST Cybersecurity Framework to the FFIEC IT Handbook.

How the Assessment works:

The assessment itself involves two primary components: an institution first creates an inherent risk profile based upon the nature of their business, and determining cybersecurity maturity. The inherent risk profile is an institution’s analysis of its key technologies and operations. These are mapped into categories and include:

1. Technologies and Connection Types

2. Delivery Channels

3. Online Mobile Products and Technology Services

4. Organizational Characteristics

5. External Threats

The tool itself provides guidance on criteria to sell assess risk based on the different characteristics of an organization, which simplifies completion as well as consistency. By having explicit guidance on how to self assess into different risk categories, the leadership for the institution can ensure they have a consistent understanding of what the risk entails.

Below is a snippet of the inherent risk profile, of note is the intuitive and consistent guidance on how to classify risk within each domain.

The second aspect of the assessment is understanding cybersecurity maturity. This section can help leadership understand the risk and appropriate controls which have been put into place. It creates five levels of maturity, from baseline to innovative, and we use these to measure preparedness of the processes and controls for five risk domains:

1. Cyber Risk Management and Oversight

2. Threat Intelligence and Collaboration

3. Cybersecurity Controls

4. External Dependency Management

5. Cyber Incident Management and resilience.

The five domains include assessment factors and declarative statements to help management measure their level of controls in place. What this means is there are statements within each assessment factor that describe a state. If those descriptive statements matches a financial systems controls, then they can claim that level of cybersecurity maturity. Of important note however, as in the picture above, the levels are additive, like a hierarchy of needs. What this means is that if there is a statement in innovative that matches some of your organizations controls, but you haven’t satisfied the statements in the “advanced” guidance, you can not measure your institution as innovative in that domain. Likewise, an intermediate level of maturity assumes that all criteria in the evolving level, have been met.

The five domains each have various assessment factors. For example, in cybersecurity controls there are assessment factors for preventative, detective, and also corrective controls. Each of these assessment factors will have contributing components which are then measured. An example of this is within the preventative controls assessment factor, there is components such as “infrastructure management” and “access and data management”.

It becomes easier to envision when evaluating the assessment document and the corresponding components. As can be seen in the below cybersecurity guidance, there are a number of explicit statements that describe maturity at a particular level and mapping to regulatory requirements. Through satisfying these statements you can appropriately match your institution to its level of cybersecurity maturity.

The Next Step

Following completion of an inherent risk profile and cybersecurity maturity an organization can determine if they have the appropriate controls in place to address their inherent risk. As inherent risk increases, obviously a higher level of security controls should be positioned to provide a level of control around that risk. A conceptual guidance on how risk should map to maturity is outlined below. Where this becomes important is not only in determining a point in time deficiency, but understanding that as new projects, acquisitions, or the threat environment changes, leadership can understand whether increases in security controls need to be applied to adequately address a material change in risk level.

Derivative Impacts on Infrastructure and Security Teams

The Cybersecurity Assessment is a useful tool for financial institutions to consistently provide leadership a synopsis of the state of the institution. But how this translates downstream to day to day operations of architects may not be explicit. There are a number of areas in the Cybersecurity Maturity section where explicit guidance is given which we have seen undertaken as projects at our customers, as well as across the industry. Below are a few themes we have seen gain in prominence since the publishing of the assessment. These weren’t generated by the assessment itself, but are common themes across the industry. Through this blog, the intent is more to provide a high level synopsis of how these projects influence, and are influenced by, and measured through, the regulatory bodies.

1. Segmentation is explicitly called out with guidance given on how to measure. We have seen this translated across the industry as both Macro and Micro segmentation approaches, and both of these are complimentary. These have driven technologies such as SD-Wan, SD-Access, ACI, and VXLan based segmentation.

2. Managing infrastructure and lifecycle hardware and software versions are measured. This practice isn’t specific to just this assessment and it has become a common theme to be able to keep devices in patch management. It is a shift from some institutions “sweating their assets” to a proactive model for managing. What had been observed was “hackers love sweaty assets”, with most exploits targeting known vulnerabilities. This should translate into any new technology investment having a lifecycle that can ensure the full depreciation of the asset while maintaining patch management.

3. Analytics and telemetry have driven significant investments in cybersecurity operations team’s ability to understand and act upon emerging threats in real time. Leveraging existing assets as sensors or sources of meaningful telemetry is important as deploying dedicated appliances to the larger attack surfaces of campuses, branches, and wireless  nd can be prohibitively expensive plus operationally unsupportable.

The above is just a few of the many derivative impacts that affect our infrastructure and security teams. With increasing nation state guidance on security and privacy, to include the U.S. Executive order on Cybersecurity, additional tightening of conformance to address evolving security risks is happening. A lot of the increased focus aligns to areas which occur within existing domains that are included in existing frameworks. The FFIEC Cybersecurity Maturity Assessment is a simplified tool that can help a board member understand which security controls should be addressed first.

Source: cisco.com

Continue reading

“Powering Hybrid Work” in Financial Services

The question that I get asked most often by financial services CXO’s is “how do we move beyond just ‘supporting’ Hybrid Work to ‘powering’ Hybrid Work with the right technology stack so that we can address the challenges of attracting and engaging an evolving workforce and keep the organization moving forward in an agile and sustainable way.”

Throughout the pandemic, financial services firms have been prioritizing health and safety of their employees by implementing hybrid work whilst abiding by guidelines and regulations. However, not everyone has had success with their “hybrid work” deployments. Those that have got it right to some extent are realizing the benefits

A large number of financial services firms have struggled to implement “an optimum workable hybrid work model”. The challenge is they have tried to retrofit “remote work implementations” with technology upgrades and add-on’s as guided by their many different technology partners.

Hybrid Work in the context of financial services can be defined as an employee centric, business transformative approach that designs the work experience around and for the employee, wherever they are. It empowers employees to work onsite, offsite, and move between locations with uniform access to all the business tools and resources in a highly secure, compliant and efficient manner thus promoting inclusiveness, engagement, and well-being for all employees while driving employee performance, business productivity and talent retention.

While a future-proofed technology stack is a critical pillar of the hybrid work model, getting Hybrid Work to work also requires reimagining current and emerging operating models and optimizing them such that employee engagement, experience and well-being is enhanced while financial services delivery just keeps getting better with more delighted customers.

Financial services firms that have their operating models reimagined/transformed to support the hybrid work model have the first mover advantage of becoming fully resilient businesses, ready to weather any storm.

A “Hybrid Work Powered” operating model for financial services firms should at the least have the  following 5 characteristics :

1. INCLUSIVE – offering equal experiences for everyone. Enables firms to provide a work environment where every employee can participate fully and be seen and heard equally.

2. FLEXIBLE – adapting to any work style, role, and environment. Enables employees spread across different office locations, types (home etc.), time zones and even countries, working at different hours have access to flexible tools that can address their different needs while adapting to their work styles, roles, and devices.

3. SUPPORTIVE – focusing on safety, empathy, and well-being.  Enables firms to promote a supportive mindset throughout every level of the organization thus ensuring that employees are comfortable with ways of working and feel safe, secure, supported, included, and cared.

4. SECURE – being secure by design, private by default.  Enables employees to have worry-free access to reliable and secure connectivity and secure app experiences thus ensuring all team members can work and collaborate with confidence anywhere they choose to work and have consistent, uninterrupted access to the required applications.

5. MANAGED – delivering modern infrastructure, frictionless administration. Enables IT teams to operate and manage the complex and dynamic hybrid work environment, using an approach known as full-stack observability which delivers optimized user experiences and enhanced enterprise technology management.

To get “hybrid work to work”, financial services firms need to reimagine/transform their operating models to deliver the key characteristics mentioned earlier and not just depend on “retrofitting” their existing IT stacks with hybrid work enabled “siloed” products.

Investing in a “future-proofed hybrid work technology stack” such as Cisco’s “secure-by-design*” Hybrid Work Solution Technology Stack enables financial services firms to reimagine/transform their operating model thus moving past “supporting” to “powering” Hybrid Work in a highly secure and compliant manner by empowering workers to work from anywhere, at home or in the office while also providing a positive outcome for every business sponsor and stakeholder (HR, Facilities, IT etc.) who are involved in defining and implementing the financial services firms hybrid work strategy.

Source: cisco.com

Continue reading

Full Stack Observability Driving Customer Experience in a Multi-Cloud Environment

Application is the Business & Level of Digitalization is the Brand

In our ever-changing world, where the application represents the business itself and the level of digitization it provides is directly related to the perception of the brand; enterprises must ensure they stand differentiated by providing exceptional user experience – both for their customers as well as their employees alike. When the pandemic hit us, expectations by customers and employees initially were driven by empathy, with disruptions to services expected – but 18 months on, today everyone expects the same level of service they got pre-pandemic, irrespective of where people are working from. This drives a higher-level of expectation on the infrastructure and teams alike – towards providing an exceptional digital experience.

It is evident that application services are becoming increasingly distributed and reimagining applications through customer priorities is a key differentiator going ahead. A recent study on Global Cloud adoption by Frost & Sullivan has indicated a 70% jump in multi-cloud adoption in the Financial Services space. This is driven by a renewed focus towards innovation, along with the digitalization and streamlining of the businesses. On average, financial firms have placed more than half of their workloads in the cloud (public or private hosted) and that number is expected to grow faster than other industries over the next five years.

Digital Experience Visibility

In today’s world of applications moving to edge, applications moving to the cloud, and data everywhere – we really need to be able to manage IT irrespective of where we work, as well as where the applications are hosted or consumed from. It’s relatively easy to write up code for a new application; however, the complexity we are solving for in the current real-world scenario is that of deploying that code in today’s heterogenous environment, like that of a bank. Our traditional networks that we currently use to deploy into the data centers, predates cloud, predates SASE, Colo’s, IoT, 5G and certainly predates COVID and working from home.

In today’s world cloud is the new data center and internet is the new WAN – thereby removing the concept of an enterprise perimeter and making identity the new perimeter. To provide that seamless experience, IT needs to not just monitor application performance, but also enable application resource monitoring and application dependency monitoring – holistically. This should enable the organization to figure out the business impact of an issue – be that a drop in conversion rate or a degradation in a service, and decide almost proactively if not predictively the kind of resources to allocate towards fixing that problem and curbing the business impact.

Observability rather than Visibility

In today’s world operations are complex with various teams relying on different tools, trying to trouble shoot and support their respective domains. This visibility across individual silos still leaves the organization miles away; left to collate the information and insights via war rooms, only then being able to identify the root cause of a problem. What is required is the ability to trouble shoot more holistically – via a data driven operating model.

Thus, it is important to use the network as a Central Nervous System and utilize Full Stack Observability to be able to look at visibility and telemetry from every networking domain, every cloud, the application, the code, and everything in between. Then use AI/ML to consume the various data elements in real time, figure out dynamically how to troubleshoot and get to the root cause of a problem faster and more accurately.

A FSO platform’s end goal is to have the single pane of glass, that would be able to:

◉ Ingest anything: any telemetry, from any 3rd party, from any domain, into a learning engine which has a flexible meta data model, so that it knows what kind of data it’s ingesting

◉ Visualize anything: end to end in a unified connected data format

◉ Query anything: providing cross domain analytics connecting the dots, providing closed loop analytics to faster pinpointed root cause analysis – before it impacts the user experience, which is critical

AI to tackle Experience Degradation

AI within an FSO platform is used not just to identify the dependencies across the various stacks of an application, but also to correlate the data, address issues, and right size the resources as they relate to performance and costs across the full life cycle of the application.

It is all about utilizing the Visibility Insights Architecture across a hybrid environment that enables balancing of performance and costs through real time analytics powered by AI. The outcome to solve for is Experience Degradation which cannot be solved individually in each of the domains (application, network, security, infrastructure) but by intelligently taking a holistic approach, with the ability to drill down as required.

Cisco is ideally positioned to provide this FSO platform with AppDynamics™ and Secure App at the core, combined with ThousandEyes™ and Intersight™ Workload Optimizer, providing a true end to end view of analyzing and in turn curbing the Business Impact of any issue in real time. This enables the Infrastructure Operators and the Application Operators of the enterprise, to work closely together, breaking the silos and enable this closed loop operating model that is paramount in today’s heterogenous environment.

Download the report: Agents of Transformation: The Rise of Full Stack Observability, to learn more about Business Observability and the challenges technologists are facing.

Source: cisco.com

Continue reading

For Banks – The Contact Center is Your Best Friend

For years, the album that sold the most units was Carole King’s “Tapestry”. Estimates are that this record has sold more than 25 million copies. Rife with well-known songs, an interesting comment made by one of the initial reviewers in 1971 called the song “You’ve Got a Friend” the “core” of and “essence” of the album. It didn’t hurt that James Taylor’s version also became a monster hit. For banks, they too have a friend – in their contact centers.

The malls emptied, and the contact centers filled up

The last twelve months have initiated a renaissance in contact center operations. While the modernization of contact centers had been on a steady march, the realities of 2020 suddenly presented a giant forcing function changing the customer engagement landscape in a dramatic fashion. In one fell swoop, 36 months of planned investment in modernizing contact centers accelerated into a single 12-month period. As the physical world was shut down, the digital world ramped up dramatically. Banks saw branch visits slow to a crawl, and digital and contact center interactions increased by orders of magnitude. In addition, up to 90% of contact center agents were sent home to work, with estimates that a majority of them will stay there over time as indicated by this Saddletree Research analysis:

Prior planning prevented poor performance

Fortunately, banks and credit unions were one of the key vertical markets that were relatively prepared for 2020 and were able to lean into the challenges presented, though this was not to say things went perfectly. What was behind this preparation and what were these organizations doing prior and during the crisis? And what should they do in the years ahead?

The “Digital Pivot” paid huge dividends

At their core, banks and credit unions collect deposits and loan them out at (hopefully) a profit. With money viewed as a commodity, financial services firms were one of the first industries to understand the only two sustainable differentiators they possessed were the customer experience they delivered, and their people. It is interesting that these are the main two ingredients which comprise a contact center!

For many banks prior to 2010, the biggest challenge for contact center operations consisted of navigating mergers and acquisitions when combining operations. Normalizing operations during mergers often manifested itself in a giant IVR farms meant to absorb large amounts of voice traffic. Prior form factors for self-service were not know as “low-effort” propositions, and customer experience scores suffered for years. Banks as an aggregate industry dropped below all industry averages for customer experience, after leading for years.

The mobile revolution presented a giant reset for banking customer experience. Financial institutions by and large have done an excellent job of adopting mobile applications to the delight of their customers. In response, customer experience scores in banking have steadily risen the past 10 years, and banks are near the top quartile again, only trailing consumer electronics firms and various retailers.

Banks are more like a contact center than you think

Banks and contact centers have very common characteristics. Both wrap themselves in consumer-friendly self-service applications which automate formerly manual processes that required human assistance. These include popular customer engagement platforms such as mobile applications and ATMs. In the contact center this dynamic involves speech recognition, voice biometrics, and intelligent messaging.

As self-service has become increasingly popular, live interactions that are left over for both the branch and the contact center have become more complex, difficult to solve on the first try, and requiring collaborative, cross business resolution by the individual servicing the customer. These types of interactions are known as “outliers”. In this situation the contact center becomes in essence, a “digital backstop” where the consumer interacts with self service first and then and only then seeks live assistance.

Prior planning prevents poor performance part II

The digital tsunami started in 2010 via the mass adoption of mobile applications by banks, giving this industry in particular a significant head start on the “outlier” dynamic. Therefore in 2020 when the shopping malls emptied out and contact centers filled up, banks had already been operating tacitly in the “outlier” model for a number of years and were in a better position to succeed. Applications such as intelligent call back, integrated consumer messaging, work at home agents, voice biometrics, A.I. driven intelligent chat bots, and seamless channel shift from mobile applications to the contact center were already in place to some extent for leading financial institutions.

Thinking ahead

With much of the focus on contact center, automation in banking has been able to extend A.I. into the initial stages of customer contact. The road ahead will include wrapping A.I. driven intelligence to surround contact center resources during an interaction, essentially creating a new category of resources known as “Super Agents”. In this environment, all agents in theory can perform as the best agents because learnings from the best performers are automatically applied throughout the workforce. In addition, Intelligent Virtual Assistants, or IVAs, will act as “digital twins” for contact center agents – automatically looking for preemptive answers to customers questions, and automating both contact transcripts and after call work documentation and follow up.

Yes, if you’re a bank, you have a friend in your contact center

Banks made the pivot to delivering better customer experience in their contact centers during the “Digital Pivot” in the early 2010s. From there, banks made steady progress to reclaim their CX leadership and delivering excellent customer experiences. The realities of 2020 accelerated contact center investment by at least 36 months into a 12-month window. Banks which had established leadership utilized this forcing function to accelerate a next generation of customer differentiators, firmly entrenched in themselves as category leaders in the financial services industry. Other institutions can utilize these unique times to play rapid catch-up. Who benefits? Their customers.

Source: cisco.com

Continue reading

Cloud-based Solutions can Empower Financial Services Companies to Adapt While Cutting Costs

IT professionals in financial services have been instrumental to ensuring the integrity of global financial markets over the last year. Their hard work has helped keep the world’s largest economies working and financial aid flowing to those who need it most.

For them, few things remain unchanged from the pre-COVID world. Many network engineers had their hands full supporting large scale migrations to remote working. But aside from that, one constant during this time of change is that IT budgets are not increasing. “Do more with less,” “Reduce costs,” and “Extract more value,” are a few common mantras. The message is clear—each dollar spent on IT projects must have a tangible business benefit associated with it. With this increased focus on efficiency and cost, now is the perfect time for financial services companies to consider investing in cloud-based IT.

Benefits of cloud-based IT

Migrating IT infrastructure to a cloud-based platform can help improve efficiency and reduce costs for finserv companies by accelerating business processes, simplifying technology, and boosting operational efficiency. Today’s reality has required businesses to rethink how to help their employees collaborate safely while working from remote locations as they begin the return to work. By leveraging cloud-based solutions, workers and IT support teams are able to troubleshoot issues quicker, reduce downtime, and lower costs both for employees and for the end-customer.  

Supporting rapid change 

Before COVID, financial services companies were embarking on their cloud journey in pockets, with the primary focus on software development environments and connections to provide staff with secure connectivity. The rapid changes required for companies to function during the early days of the pandemic necessitated quick adoption of cloud-based technologies for enterprise voice, contact centers, remote access and network security. Projects that would have taken weeks or months were now being done in hours or days, driven by a need to get lines-of-business operational and keep companies viable. Now that the industry has successfully dealt with the crises of 2020, and have been operating in the new normal for several months now, a few trends have emerged that will drive IT decisions going forward— including preparing for a return to work and facilitating future growth.

Preparing for return to work

While bank branches never closed, most campuses and offices did. Optimistic news around vaccine development and distribution has led many companies to prepare for the return to work and reconsider the landscape for the office environment.  

For example, adding cameras could help ensure compliance around masks and social distancing policies. Access sensors could help track room occupancy and ensure timely and consistent sanitation practices. In a traditional environment, implementing such practices could take up to a year. However, by taking advantage of the ability to configure a network and add components to that network without configuration of individual components, we can continue to meet the accelerated timelines required for the return to work.

Scaling for the future

Traditional companies deal with mergers and acquisitions, but for financial services companies, growth is typically purchased. Network teams are not revenue generators, and as a result, mergers have historically been underfunded and understaffed. The inevitable outcome of years or decades of that reality is a patchwork quilt of networks that are all sort-of connected. Each legacy organization retains some idiosyncrasies, issues, and non-standard hardware that requires specialized support personnel. That complexity leads to lower velocity than what lines-of-business have come to expect throughout the pandemic.  With everything needed to deploy a branch, campus, or office network, cloud adoption takes advantage of the appetite that company departments have developed for speed. This emphasizes the critical need to scale for the future growth of financial services companies and the need for simplicity.  

All in all, the events of 2020 have been a catalyst for change and digital transformation within the financial services sector. Cisco Meraki offers solutions to address the challenges that come with such abrupt changes including facilitating the campus and client network, creating operational efficiencies, and reducing downtime and loss of revenue.

Source: cisco.com

Continue reading