Evaluating Threats: Should Financial Institution CEOs Be Concerned About Cybersecurity in Banking?
Cybersecurity-related attacks on the financial sector are increasing at an alarming rate, and a recent IMF estimate suggests that “…average annual potential losses from cyber-attacks may be …around $100 billion”. Another study indicates that “…financial services firms also fall victim to cybersecurity attacks 300 times more frequently than businesses in other industries.” These two metrics make cybersecurity a critical issue for banks and credit unions, and in fact, we consistently find this issue in the top 3 concerns for financial institution CEOs, boards, and senior management.
What is the best way to approach this critical issue? We think there are three important questions the CEO and senior management should be asking about cybersecurity:
- How much cyber risk is “acceptable” to my institution?
“Acceptable” risk levels are also referred to as “risk appetite”, because if management determines that residual risk levels are within their pre-established risk appetite, those residual risks are, by definition, acceptable.
Risk appetite is broadly defined as the amount of risk an entity is willing to accept in pursuit of its strategic mission. According to the FFIEC Cybersecurity Assessment Tool (CAT), the Board and senior management should establish a risk appetite level consistent with their strategic goals and objectives. Risk appetite is clearly an important concept to regulators, as the term is repeated 17 times in the CAT.
But is it reasonable that a single risk appetite level should apply to the entire enterprise? Institutions offering products and services online are willing to accept a higher level of cyber risk than those who don’t. Even among online services, some might be riskier than others: for example, offering simple online access to account information vs. offering funds management services like investment accounts. For this reason, we recommend risk appetite levels be established at the business process level. These individual levels can then be rolled up to an overall composite risk appetite.
- How do I determine my current level of cyber risk?
To determine an institution’s cybersecurity posture, the CAT provides a regulator-designed and approved, repeatable methodology that uses a two-step process. First, establish an Inherent Risk Profile, and second, determine your Cybersecurity Control Maturity. The Inherent Risk Profile identifies the institution’s inherent risk before implementing controls. The Cybersecurity Control Maturity includes domains, assessment factors, contributing components, and individual declarative statements across five maturity levels to identify specific controls and practices that are currently in place.
By reviewing your institution’s inherent risk profile and control maturity levels across the enterprise, management can conduct a gap analysis to determine whether its maturity levels are acceptable in relation to its risk. In other words, are our residual risks within pre-established risk appetite levels? If they’re not, the institution must either reduce the level of risk, or (more commonly) increase the levels of control maturity.
One more thing about cyber risk: of the 3 categories of controls (preventive, detective, and corrective/responsive), often preventive and detective controls aren’t applicable, leaving only corrective/responsive measures. That’s why testing is so critical, which brings us to the final question…
- When was the last time we conducted a cyber incident response test?
The answer should be “recently”. Here’s why: not all traditional disasters have a cyber element to them, but many cyber events have a system recovery element that may impact your ability to deliver products and services to your customers. Cyber incidents can also often indicate a violation of or deviation from your security policies and best practices, for example, if an employee or third party either intentionally or inadvertently caused the incident. This may lead to policy changes, or at least the need for additional internal training.
Senior management must ensure their institutions have adequate incident response capabilities so they can detect incidents (whenever possible), contain and control the impact, and ultimately recover. Testing is the only way to definitively verify that your institution has effective cyber incident resilience and recovery capabilities. Periodic testing also helps to ensure an incident response plan is being maintained in a state of constant readiness so that you can react quickly. Unlike a natural disaster, which will often provide at least a short window of warning, a cyber event typically does not. In fact, recent studies indicate that more often than not, it is the customer that first detects a cyber event, not the institution.
Lastly, financial institutions should conduct testing based on the probability and impact of the event or incident being simulated. Since it is far more likely that you’ll be impacted by a cyber event as opposed to a catastrophic natural disaster, incident response capabilities should be tested at least as often as your BCP, or at least annually.
New types of security-related incidents are constantly emerging. Consequently, CEOs and senior management of financial institutions must be prepared to keep IT resources ahead of the current threat environment. When we address Boards on cybersecurity matters, we often get asked why cybersecurity spending should increase even if our risk profile hasn’t. The threat environment is increasing and evolving, so even if your inherent risk profile isn’t changing, you must still increase control maturity levels over time to maintain your residual risk within your risk appetite levels. As the FFIEC IT Handbook’s Information Security Handbook states,
There are many other areas related to cybersecurity that CEOs and senior management should be considering. To gain more insight into those areas, as well as other key topics for CEOs to be aware of, download our white paper, Top IT Areas Where CEOs of Financial Institutions Should Focus: Important Questions and Answers.