Accenture has described cyber risk as a top 10 challenge facing investment banks. Where would you rank cyber security, from 1 to 10?
I’d say it’s a top-3 risk for most investment banks. Firms face many risks, including operational, credit, liquidity and others. But cyber risk (and, more important, the ability to be cyber resilient) has emerged quickly. It has been hidden in the background because it sat primarily with the Chief Information Officer and was not on the Chief Risk Officer’s radar.
This is an area where investment banks aren’t always prepared. Their other risks are easier to model, quantify or hedge, but cyber risk involves a lot of unknowns, both internally and externally.
What are the most vulnerable cyber access points for capital markets firms?
It’s people. The human element—that’s the most vulnerable point of entry. People are emotional. They can be fooled. They are the easiest to manipulate.
Attacks can range from phishing to social engineering and many things in between. Hackers and fraudsters are looking for the path of least resistance; they’re shifting from brute-force attacks to profiling customers, clients or employees who can lead them to the “crown jewels.”
What happens in the aftermath of a cyber attack? Is a capital markets firm still exposed?
In the aftermath of an attack, there’s a lot of chaos. There are definitely a lot of ongoing costs incurred, both tangible and intangible. There’s an immediate need to build a work-around solution, clean up data, handle remediation, notify clients. Reputational damage can be quite painful, clouding the firm’s judgement on how to best respond while managing public perception.
At the same time, a cyber attack can be a catalyst for change. It allows an institution to ask, “How can I make sure I’m protected, end-to-end?” or “Where am I also vulnerable to attack?”
What more can businesses do to protect themselves and their customers?
Capital markets firms should build their resilience because attackers themselves are resilient. They are able to evolve rapidly to come up with new ways to attack. If a firm has modeled a scenario and thought about a way to execute an attack, the criminals have already thought of it too. They are constantly scanning for the next vulnerability, which makes most firms reactionary in protecting against the next attack.
Financial firms need to build controls, to detect where—internally and externally—issues may occur. They need to monitor, catch or prevent attackers in the process. We’ve seen firms start employee profiling, or using behavior-based analytics to keep tabs on internal gaps. Others are looking at social media behaviors and other pattern-based activities.
What excites you about working in risk management?
Risk management looks at the financial services business paradigm in a whole new light. The traditional paradigm is for firms to earn revenue—and to earn it profitably. But from a risk management standpoint, the goal is to protect revenue, and therefore to protect the assets that help generate revenue profitably. The most expensive control solution may protect the revenue, but may eliminate all profits. For me, this is a whole new opportunity to work on the complex issues facing financial businesses.
Coincidentally, I also face some risk in my personal life. I love flying—I’ve earned my private pilot’s license. It may seem like a dichotomy: I work in risk management, but I love to pilot my own plane. When you become a licensed pilot, that means identifying and addressing the risks proactively. A lot of learning and preparing goes into earning your license. Before you ever get off the ground you will have planned for and learned ways to identify and manage the risks you’ll face while in the air.
As I see it, when it comes to cyber risk management, the difference is that firms find themselves learning to manage this risk in mid-flight.