This series has focused on cyber risk management, but what it’s really about is building cyber resilience. As we’ve seen in previous posts, in my RiskMinds International presentation and in Accenture’s paper, “Making Your Enterprise Cyber Resilient,” no financial firm will be 100 percent successful in preventing cyber attacks.
If complete prevention is not a realistic goal, then preparing the business to survive an attack, while also working to prevent most attacks, is the best way forward.
Businesses can take several steps to move toward a more robust, mature resilience model—one that seeks to reduce the impact of the cyber incursions that will inevitably occur. If I could recommend a map or a blueprint to follow, it would include these action steps:
- Design an operating model that brings the right IT, risk and business resources into the process. The model can vary, ranging from an IT-led approach, to a dedicated cyber risk management function, to appointing a cyber czar. My presentation at the RiskMinds International conference covered the pros and cons of these options. But we believe the best solution is to create a risk-led function that positions the CRO as a leader among peers in managing cyber risk. This will need to fit with your firm’s culture. If the function is not risk-led, then another clear leader should be chosen who can help unify the defenses across people, process and technology.
- Taking the above item one step further, financial businesses could designate a chief cyber risk officer, empowering that person to monitor and manage cyber risk across all facets of the business. This person would work horizontally between the chief risk officer, the chief information officer and the chief operations officer to encourage proper investment, maintenance and control across multiple points of entry and attack.
- Operational risk has evolved from a “tick the box” exercise for each function to an approach focused on high-risk processes and their controls. Sophisticated programs include scenario analysis. We believe cyber risk management should start with scenario analysis, and use it to flesh out the processes and controls that should be reviewed. Only then can you help to mitigate attacks that look for the cracks between your functions and processes.
- Each scenario requires a clear response plan in case the worst should happen. Companies that respond well following a breach seem to preserve their reputation and maintain share price. This is not an area to think about later—it should be included as part of the up-front analysis. As you draft the potential press releases, it becomes clearer which controls should be in place and which are less critical. Again, this emphasizes a scenario-driven approach: response plans should be drafted per scenario, not control by control or by functional area.
- As described in my previous post, firms should clearly identify the crown jewels—the most valuable pieces of content and data that must be protected at all costs. This prioritization step is critical once you acknowledge that 100 percent protection cannot be achieved. Put your most powerful locks and your best cyber defenses around your most valuable information.
- Talent management, in a talent pool that is small and highly competitive, is vital to a good resilience program. Know what talent you need—and once you secure it, provide robust training and build a welcoming culture to retain it.
- Lastly, the cyber risk management function should formalize the framework—by building a series of processes and actions owned by the chief risk officer, chief compliance officer, business heads and the chief information security officer.
These steps are not all-inclusive, and may not be completely applicable to every institution. But in essence, following these or similar steps can help a financial enterprise prevent cyber attacks where it can, and survive them where it can’t.