Preparing financial firms for cyber security threats and protecting their reputation
November 2016 | PROFESSIONAL INSIGHT | RISK MANAGEMENT
Financier Worldwide Magazine
It is difficult to deny the impact of cyber security threats on businesses worldwide. In 2015, the average total cost of a data breach (including customer turnover, reputation losses and damaged goodwill) was $3.79m, up from $3.52m in 2014. In the first five months of 2016, more than 36 million records were compromised through security breaches in financial firms. Although 23 percent of the breaches that occurred through the first five months of 2016 were due to accidental loss, those are far outweighed by malicious acts by outsiders (58 percent), insiders (14 percent), nation-states and hacktivists (2 percent each).
As these statistics indicate, all businesses, including financial firms, must make a concerted effort to prepare for cyber security incidents. Strict attention to governance and business continuity is integral to organisational preparedness. This article provides insight into using governance to help financial firms prepare for cyber threats and mitigate reputational damage if and when an attack occurs.
Cyber security breaches are increasingly causing large-scale, detrimental business impacts throughout the world, including business disruption, revenue loss, damage to assets, reputational damage and information exposure. Financial firms (including broker dealers, investment advisers, etc.) rely heavily on the strength of their reputation, without which attracting significant investors would be nearly impossible. If client data is compromised, the firm might find it has a difficult time convincing clients that future breaches will not occur, which, in turn, undermines trust in the institution and potentially erodes future business.
It stands to reason, then, that financial firms should protect themselves from such breaches. A white paper entitled ‘Financial Firms Face Further Scrutiny of Their Cybersecurity Practice: Is Your Firm Ready?’ identified several areas where financial firms are not meeting the key requirements of the US Securities and Exchange Commission’s (SEC) Office of Compliance Inspections and Examinations (OCIE). That paper reports the OCIE’s finding that 88 percent of broker-dealers and 74 percent of advisers had experienced a cyber attack and had numerous deficiencies in their cyber preparedness.
On 15 September 2015, the OCIE issued a risk alert that detailed expanded tests of procedures and controls that are focused on cyber security efforts. The areas of focus for these examinations are governance and risk assessment, access rights and controls, data loss prevention, vendor management, training and incident response.
Historically, some financial firms have had little internal IT infrastructure, preferring to use third parties to provide the required IT capabilities. That can be a sound approach to risk management, along with insurance, so long as the ultimate accountability for incidents remains with the firms. Therein lies the rub. If IT resources are outside the firm, it becomes increasingly difficult for internal staff to keep abreast of what is happening and to understand the complexities. This leads to an ever-increasing lack of IT capability within the firm – potentially rendering it easy prey for cyber criminals.
Another issue publicly held firms will need to pay attention to is proposed US legislation to require disclosure of cyber security expertise on corporate boards. If this expertise does not exist, companies will need to explain why. The objective of the bill put forth by senators Reed and Collins is to strengthen and prioritise cyber security at publicly traded firms. Chief compliance officers (CCOs) would be personally responsible for damages resulting from cyber security breaches. Clearly, if this is passed and becomes US law, organisations will need to address the requirements by integrating cyber security into corporate governance structures. The bill is called the Cybersecurity Disclosure Act of 2015; presumably the name will be updated to 2016 if passed into law.
Integrating cyber security into corporate governance?
Fundamentally, governance is a systematic process of evaluating stakeholder needs, directing management and monitoring the results of management to ensure stakeholder needs are met. That is a bit of an oversimplification, of course, but the point is that, conceptually, governance is not that complicated.
A well-designed governance structure provides enterprise management with visibility into IT resources and their intended purpose. It also helps to identify what key practices can be put in place to ensure a comprehensive structure is operating within the firm. COBIT 5, the leading framework for governance of enterprise IT (GEIT), can be used as a model to describe governance elements pertinent to cyber security in a similar fashion to other IT activities. Accomplishing that is not rocket science, but it can be a useful way to ensure cyber security is addressed systematically and systemically.
The first step in designing a governance structure requires an analysis of stakeholder (e.g., management committee) requirements and a comprehensive risk assessment. This ensures that the governance structure created will accurately reflect the enterprise’s needs, opportunities and potential challenges. That structure will then aid in identifying business and IT-related goals. The use of a well-designed governance structure ensures effective creation and alignment of goals. COBIT 5 uses its goals cascade, which starts with stakeholder requirements and cascades them down into organisation goals that, in turn, precipitate IT-related goals. Aside from stronger compliance and cyber security positioning, the organisation will likely find that it has greater efficiency and effectiveness in the utilisation of its resources as a result of using the goals cascade process to design its governance structure.
After the IT-related goals are identified, they must be supported by various resources, or enablers. Any activity that falls outside of this mapping can be called into question. COBIT 5 identifies seven categories of enablers. They are: (i) principles, policies and frameworks; (ii) processes; (iii) organisational structures; (iv) culture, ethics and behaviour; (v) information; (vi) services, infrastructure and applications; and (vii) people, skills and competencies.
Each of the enablers is used to provide resources to accomplish the IT-related goals, thus satisfying the organisation goals and contributing to the overall achievement of compliance and delivering value to stakeholders.
One of the outputs of performing the COBIT 5 goals cascade is the identification of roles against specific processes: this is where it is determined who is accountable for a process and who is responsible for it. Organisations may also determine who needs to be informed or consulted in each process. This step creates immediate visibility into compliance issues and facilitates the rapid resolution of any imbalances identified between requirements and resources. The output of the goals cascade will go a long way toward generating evidence that written policies and procedures exist to reasonably protect the security and confidentiality of client personally identifiable information (PII) and to prevent unauthorised access.
Global events can play into governance plans as well. One of the enablers financial firms use to deliver value to their stakeholders is people, skills and competencies. Many firms have intimate ties to banks and other firms in London. With the departure of the UK from the EU, there may be follow-on effects with respect to resources in London-based offices. The UK has long been dealing with a shallow resource pool for IT skills, the so-called digital skills crisis. Financial firms often have fewer IT resources than other services companies and will be hit particularly hard should key IT resources flee the country.
If IT professionals in London are compelled to leave the UK (if their visas do not permit them to stay in a non-EU country) then firms in London will be working to replace their skills and knowledge. This change in EU membership represents a potential increase in vulnerability to financial firms with UK-based operations. One aspect of preparing for cyber security threats for firms with operations in the UK will be to ensure their human resource plans account for potential turnover in key IT roles caused by Brexit.
A good governance structure can assist in identifying threats, actors and risk management activities to prevent, detect and correct issues resulting from cyber security incidents. An effective approach is to start with a risk assessment and then plan a governance structure that is designed to deliver value to stakeholders while simultaneously providing the firm with the capability to demonstrate its preparedness to defend against cyber security threats. COBIT 5 can assist at every stage of the process.
Peter Tessin is a technical research manager at ISACA. He can be contacted on +1 (847) 660 5704 or by email: firstname.lastname@example.org.
© Financier Worldwide