Caught on the defensive: why the financial sector needs to reevaluate its approach to cyber risk
Contrary to popular belief, the financial sector is now far more aware and better prepared for cyber attacks. The Bank of England’s Financial Stability Report, issued 1 July, states that threat awareness has grown exponentially and the sector is leading efforts to combat cybercrime. Perhaps this isn’t surprising given 90% of large businesses across the sector had suffered a malicious attack over the past year. But what is worrying is that the financial sector is falling into a familiar trap: by focusing so much on defence, it has failed to make provisions for an effective recovery, writes James Henry
The Financial Policy Committee (FPC) itself refers to the “inevitability of attacks”, yet the financial sector remains focused on fending off attacks rather than facing the reality that some will succeed. Having a strategy in place that allows the organisation to rally and recover is therefore just as vital as defensive resilience. Indeed, such is the urgency of the matter that the FPC has replaced its existing recommendation with a new one, calling for the regulators to conduct “a regular assessment of the resilience to cyber attacks of firms at the core of the financial system”, with a report on the outcome of these assessments due to be published in summer 2016.
So what should financial organisations be doing to assume a state of readiness that facilitates rapid recovery? There are of course both technical and strategic considerations, but by far the best place to start is with risk management. Risk frameworks vary but have common methods of approach. Essentially all are driven from the top, to promote a pervasive methodology that embraces all aspects of the business, with risk assessed, quantified and categorised according to the risk appetite of the business to determine whether the level of exposure is acceptable. Management of the process is assigned to an individual, the Chief Risk Officer (CRO), who is then responsible for implementing, monitoring and reviewing the strategy.
All well and good. Except the changing threat landscape and the growing attack surface created by multiple digital technologies are leaving many CROs feeling considerably overwhelmed. A recent consultancy survey found that only 41 percent of the 450 senior risk management respondents felt they had the skills needed to understand the impact of these technologies, and those polled said they had sought to recruit the expertise they lacked by bringing on board cyber risk and fraud experts, and even hackers. This crisis in confidence is borne out by the BoE report, which found that cyber risk was commonly perceived as an IT issue by many organisations, when threats can of course equally be attributable to people and process.
In order to be effective, risk management also needs to be combined with other strategies, such as business performance management, to facilitate better decision making. That simply isn’t happening, with only 17 percent of those polled reporting that their companies have a framework that supports major strategic decision-making with input from risk management. The vast majority are making risk recommendations that aren’t taken into consideration when other business decisions are made, which makes it very difficult to create a pervasive risk management culture.
Without an enterprise-wide risk management culture that has board-level involvement, financial organisations will find it nigh on impossible to achieve the state of readiness and recovery advocated by the Financial Stability Report. What’s often needed is some perspective, and external testers and risk management consultants can bring this to the table and make it practical to embed the risk management policy across the organisation. The risk management strategy then becomes an integral component of the business, with risk being continually appraised and included in the decision-making process, rather than simply being paid lip service.
In the event of a breach, a truly pervasive risk management culture creates a more alert, readily responsive organisation that isn’t reluctant to sound the alarm. Processes should be in place that allow the organisation to rally and focus resources on breach mitigation. Once triggered, the incident response plan comes into play, with support provided by HR, legal and communications teams to limit the impact of the breach, while critical business processes are maintained so that the organisation can continue to function. The enemy here is time: the sooner the organisation can respond, the higher its chances of containing the breach and limiting the damage to the business.
In the future, digital technology will continue to make the CRO’s position even more challenging, with big data, device diversification and the Internet of Things all adding complexity and multiplying attack vectors. In addition, supply chains will become more convoluted, with data shared between multiple organisations. As a result, threats will become manifold, making detection and defence more difficult. The only way to prepare for this will be to become more responsive, making it easier to recover more quickly. But the CRO cannot be expected to do so alone, and the sector will need to look at how it will address the skills gap by obtaining external expertise, preferably not from a hacker but from specialists within the security sector who know the business and can be called on, like the emergency services, to aid recovery.