Weathering the storm
A methodology for building cyberesilience
Cyber Risk: A matter of when, not if
Cyber risk is becoming more severe
Threats are frequent and varied—attackers are nimble and adapt quickly. It’s time for financial services firms to think differently about managing this risk.
One million new threats
- In 2014, nearly a million new threats were released into the digital world each day.1
Costing $20 million
- Successful cyber attacks cost financial firms an average of $20 million annually.2
In 20141
- Five of every six large companies were attacked
- More than 317 million new pieces of malware were created
- Data breaches increased by 23 percent
- Firms with >2,500 employees had 40 percent more attacks than in 2013.
What is Cyber Resilience?
Cyber resilience:
A business’s ability to identify, prevent, detect and respond to process or technology failures and recover—minimizing customer harm, reputational damage and financial loss.
The average annual cost of cyber attacks for financial services firms is $20 million. How many $20 million dollar attacks can you afford?
Chris Thompson
Senior Managing Director
Accenture Finance & Risk Services
Three Pillars of Cyber Resilience
Cyber risks are multi-dimensional
To be well positioned, we believe cyber resilience should focus on managing three types of risks in particular. To know if your business is managing all three, ask yourself these questions.
-
Risk 1: IT/technology risks
Technology systems and infrastructure are often “ground zero” for cyber attacks and other breaches.Are you conducting systems and data surveillance?
Are you doing penetration testing?
Is your tech risk management program integrated with operational risk efforts?
-
Risk 2: Operational risks
These risks are tied to the potential failure of a firm’s business processes or technology infrastructure.Have you defined your operational risk appetite?
Does your program include controls to detect or prevent cyber attack?
Do you have an end-to-end framework that connects horizontally between the CRO, CIO and COO?
-
Risk 3: Fraud and financial crime
Fraud or financial crime might be a large, one-time event or a series of small, harder-to-detect, low-cost events.Do you engage in industry sharing of attack data to improve detection and response?
Is your surveillance program able to monitor and detect anomalies inside the institution?
Have you incorporated detective business processes to spot criminal activities?
Building Cyber Resilience
We believe a strong approach to cyber resilience means building holistic capabilities across risk and security. Our methodology targets every entry point and angle at which financial organizations should build readiness.
Respond
Event Response Plan:
Structure to identify and manage action plans
Crisis Management:
Structure to manage incidents and notify impacted parties
Identify
Risk Identification:
Aggregated set of typical risk associated with Cyber Risk
Risk Events:
Scenarios which can impact
the organization
Detect
Detection and Identification:
Tools and metrics to identify and log aspects to manage operations
Operational Monitoring:
Aligning the tools to identify and detect threats along with their escalation and oversight
Prevent
Business and IT Controls:
Oversight of the controls and their testing programs
Operating Model:
Specifying the structure with people, organization,
roles, tools and processes to govern
Source: “How to Make Your Enterprise Cyber Resilient,” Accenture, October 2015
Avoid these stumbling blocks
Few businesses have truly mastered their approach to cyber risk. Why?
We see firms stumble in these areas:- Organizational silos: Cyber risk is often viewed as a technology concern to be handled by the Chief Information Security Officer. Chief Risk Officers may not be involved as they should.
- Insufficient business involvement: Information security is a business issue, not only a technology one. Companies should manage cybersecurity risk from a business-centric, enterprise-holistic perspective.
- Over-reliance on training and communications: Most cyber risk mitigation programs rely too heavily on controlling risk by changing human behavior. Cyber resilient organizations can contain attacks without relying solely on people as the way to mitigate the risk.
- Talent shortfalls: With high demands for technology-savvy resources, available talent to build a resilient business may be limited.
Follow the conversation
Source:
11. “Internet Security Threat Report,” Symantec, April 2015, Volume 20. Access at:http://www.symantec.com/security_response/publications/threatreport.jsp
22. “Cyber Attacks on U.S. Companies in 2014,” The Heritage Foundation, October 27, 2014. Access at: http://www.heritage.org/research/reports/2014/10/cyber-attacks-on-us-companies-in-2014
SUGGESTED CONTENT
Comment submitted
Submitted comment may not display automatically.