Weathering the storm

A methodology for building cyberesilience

Cyber Risk: A matter of when, not if

Cyber risk is becoming more severe

Threats are frequent and varied—attackers are nimble and adapt quickly. It’s time for financial services firms to think differently about managing this risk.

One million new threats

  • In 2014, nearly a million new threats were released into the digital world each day. [1]

Costing $20 million

  • Successful cyber attacks cost financial firms an average of $20 million annually. [2]

In 2014 [1]

  • Five of every six large companies were attacked.
  • More than 317 million new pieces of malware were created.
  • Data breaches increased by 23 percent.
  • Firms with >2,500 employees had 40 percent more attacks than in 2013.

What is Cyber Resilience?

Cyber resilience:

A business’s ability to identify, prevent, detect and respond to process or technology failures and recover—minimizing customer harm, reputational damage and financial loss.

The average annual cost of cyber attacks for financial services firms is $20 million. How many $20 million dollar attacks can you afford?

Chris Thompson

Senior Managing Director

Accenture Finance & Risk Services

Three Pillars of Cyber Resilience

Cyber risks are multi-dimensional

To be well positioned, we believe cyber resilience should focus on managing three types of risks in particular. To know if your business is managing all three, ask yourself these questions.

Building Cyber Resilience

We believe a strong approach to cyber resilience means building holistic capabilities across risk and security. Our methodology targets every entry point and angle at which financial organizations should build readiness.

Cyber Resilience Methodology

  • Event Response Plan: Structure to identify and manage action plans.
  • Crisis Management: Structure to manage incidents and notify impacted parties.
  • Risk Identification: Aggregated set of the typical risks associated with cyber risk.
  • Risk Events: Scenarios which can impact the organization.
  • Detection and Identification: Tools and metrics to identify and log the aspects needed to manage operations.
  • Operational Monitoring: Aligning the tools used to identify and detect threats, along with their escalation and oversight.
  • Business and IT Controls: Oversight of the controls and their testing programs.
  • Operating Model: Specifying the structure of people, organization, roles, tools and processes used to govern.

Source: “How to Make Your Enterprise Cyber Resilient,” Accenture, October 2015

Avoid these stumbling blocks

Few businesses have truly mastered their approach to cyber risk. Why?

We see firms stumble in these areas:

  1. Organizational silos: Cyber risk is often viewed as a technology concern to be handled by the Chief Information Security Officer. Chief Risk Officers may not be involved as much as they should be.
  2. Insufficient business involvement: Information security is a business issue, not only a technology one. Companies should manage cybersecurity risk from a business-centric, enterprise-holistic perspective.
  3. Over-reliance on training and communications: Most cyber risk mitigation programs rely too heavily on controlling risk by changing human behavior. Cyber resilient organizations can contain attacks without relying solely on people as the way to mitigate the risk.
  4. Talent shortfalls: With high demand for technology-savvy resources, the talent available to build a resilient business may be limited.

1. “Internet Security Threat Report,” Symantec, April 2015, Volume 20. Access at:
2. “Cyber Attacks on U.S. Companies in 2014,” The Heritage Foundation, October 27, 2014. Access at: