Wipfli logo
Insights - Articles, Blogs and on-demand webcasts

Articles & E-Books


Enhance your financial institution’s cybersecurity with HITRUST

Aug 24, 2023

Effective cybersecurity is more important than ever. As work continues to move to the cloud and regulations around data security are increasing, it’s become crucial for financial institutions to strengthen their information security plan.

Typically, financial institutions rely on SOC 2 audits because of their familiarity and versatility. But while the SOC 2 is effective, it doesn’t always demonstrate the highest level of commitment to cybersecurity.

Instead, consider using HITRUST.

Although HITRUST is commonly associated with the healthcare space as the go-to security framework to keep patient data secure, the HITRUST framework can be applied to any industry and is particularly beneficial to financial institutions.

Here’s how your financial institution can benefit from — and successfully pass — a HITRUST-validated assessment:

The benefits of HITRUST certification

The main benefit of HITRUST is its rigor.

Like other security frameworks, you can assess the current state of your environment against it to demonstrate your compliance with identified security measures. However, HITRUST is different in that it takes the best of multiple frameworks and authoritative sources and combines them into a single, streamlined assessment.

Having to meet more controls than you would for a SOC 2 or similar engagement can be challenging. However, it can also help your financial institution:

1. Build client trust

If your financial institution can’t prove that the right data security controls are in place, you not only risk damaging your relationship with current clients, you also risk losing potential ones.

Larger clients, especially those interested in services such as treasury management, want to know that their information is secure. Pursuing HITRUST certification shows these clients that you’re willing to take extra measures when it comes to cybersecurity, helping you secure more business opportunities.

2. Minimize costs

HITRUST does require a cost commitment — not only for doing the assessment itself but also for implementing any controls you need to pass. But having HITRUST certification gives you the opportunity to save costs in other areas.

For cybersecurity, insurance providers may offer lower premiums for organizations that are HITRUST certified. It also helps you to both prevent and lower the costs associated with data breaches.

The average cost of a data breach in 2023 is $4.5 million, a 15% increase from the last three years. And breaches not only put your customers at risk, they can also cause significant damage to your institution’s reputation — the cost of which can be substantial.

Having HITRUST certification can demonstrate your commitment to preventing security incidents leading to breaches. It shows that you have raised the level of security you have in place protecting your and your customers’ data, thereby decreasing the risks of breaches taking place.

3. Grow your cyber defense

One of the key features of the HITRUST framework is that there are three different levels of assessments your financial institution can choose from: the e1, i1 and r2.

Each level builds on the next, meaning that if your institution obtains the e1 certification, you will have already started your path to the i1 and r2. It’s a walk-before-you-run approach: The e1 has a subset of requirements that are included in the i1, and the i1 has a subset of requirements included in the r2. 

These different levels help your institution create a clear path for strengthening your cybersecurity position over time (usually three years).

You can begin with the e1, which includes requirements addressing basic cybersecurity hygiene for critical cyberthreats. From there, you can use the added controls for the i1 certification to improve your program to include leading cyber practices. 

In this staged approach to HITRUST certification, you can then obtain r2 certification, which is a comprehensive set of security requirements based on your institution’s risk profile.

How to get HITRUST certified

Passing a HITRUST-validated assessment can be challenging, but there are actions you can take to help ensure the process goes smoothly.

Here are three steps you can take to help make your certification possible:

1. Choose the right assessor

To complete a HITRUST-validated assessment, start by choosing the right HITRUST Authorized External Assessor firm.

The right firm will help your financial institution understand the controls and offer guidance on how to remediate any gaps in your security. But more than that, they should also work with you to help streamline the process.

For example, a quality assessor firm can help save you time and effort by providing templates for key documents in your information security plan. They can also help you map out how your HITRUST certification aligns with the requirements for a SOC 2 engagement, so that you can demonstrate that your controls satisfy both.

2. Keep a narrow focus

Before completing your assessment, it’s critical that you define the correct scope. Isolating the environment where your clients’ financial data is stored will help you avoid either incorporating controls that you don’t need or failing to test the ones that you do.

You could also consider using HITRUST for targeted assessments to demonstrate compliance against regulations for frameworks such as PCI and CMMC.

3. Address the tone in your organization

Whether or not your organization views cybersecurity as a priority can have a major impact on your ability to pass. Oftentimes, organizations that struggle with HITRUST certification aren’t lacking in technical controls — they’re failing to train and educate staff.

If your financial institution hasn’t already, invest in cybersecurity trainings. Online options such as KnowBe4 are a convenient way to keep staff current on security threats and best practices for keeping data secure.

Many organizations are also adding cybersecurity professionals to their board to ensure that data security concerns are represented at the highest level of decision-making.

How Wipfli can help

As one of the first HITRUST Authorized External Assessor firms in the country, Wipfli has deep experience in helping organizations achieve their HITRUST certification. We help you with the tools and guidance you need at every stage of the process, including readiness assessments and evidence gathering, so that you can continue to improve your security program.

Learn more about how we can help you add value to your financial institution with HITRUST.

Sign up to receive additional financial institution content in your inbox, or continue reading:


Principal, Lead Auditor
View Profile