Cyber risk: It’s everyone’s business
Cyber is the number one operational risk faced by banks, and each year it increases its lead at the top of the ranking. The industry is no longer asking whether there will be another cyber-attack, but when it will come and how bad it will be.
Regulators are increasingly harsh on cyber breaches and the introduction of the General Data Protection Regulation in May 2018 could result in fines of up to 4% of global turnover if data is breached in a cyber-attack. In addition, recent high-profile cyber breaches have meant that customers’ trust in their bank, one of the key tenets of loyalty, is at risk. Customers are now acutely concerned about the threat of fraudsters or cyber criminals emptying out their bank accounts or getting hold of their personal details. As it becomes easier and easier for a consumer to switch banks when trust does wane, organisations need to ensure that they have the tools and procedures to prevent an attack, or to adequately and swiftly resolve any problems that do arise.
However, when it comes to risk management in banks, in my experience cyber risk is too often seen as a ‘black box’.
Operational risks are typically owned by those focused on business activities, whilst most cyber-related controls are owned by the middle or back office. This can cause the business to ignore controls that it relies on, because those controls are managed outside of its day-to-day experience: “The IT guys look after all that stuff”. As a result, the business may not be prepared to face the pervasive nature of cyber threats in the modern, digitally connected bank. This could lead to more cyber-related risk events, regulatory censure and customer detriment.
How should banks overcome this and what is the right level of shared expertise across areas?
It is my view that banks need to work harder to connect the disparate teams that work to reduce cyber risk for the business. Whilst it’s right that banks’ cyber experts are ultimately responsible, operational risk owners need to engage more to understand how their risks are mitigated. It is these owners of risk, and also Senior Managers, that will have to answer for cyber failures.
Banks can improve cyber risk management in three key ways.
Firstly, business owners of risk need to be held accountable for losses relating to cyber risk in their area. This will help drive the correct focus and approaches to reducing risk. In my experience, where P&L owners are made accountable for losses they will drive their area to better understand the risk and how best to mitigate it with controls. Approaching risk across the business area, from front to back office, allows the business risk owners to stay abreast of the work done by cyber teams on their behalf.
Secondly, operational risk frameworks need to be fully reflective of the risks faced by the bank, encompassing cyber risks alongside more traditional operational risks. It can be tempting to adopt multiple specialist frameworks and to compartmentalise risk management approaches, but this prevents a clear and consistent understanding of the total risk the bank faces. Industry standard technical frameworks, such as COBIT and the ISO 27000 Series, should be adopted, but must not be seen as disconnected from the rest of risk management; the outputs from all assessments must be standardised across the bank’s risk and control landscape.
Finally, in an ever more digital world, banks need to address the new nature and scope of risks that are being opened up to staff and customers alike. Customers are increasingly demanding digital channels, whilst internal initiatives to drive digital engagement, such as Bring Your Own Device policies, further expose the bank. Employees are now taking work laptops and iPads home or connecting them to unsecured networks, increasing opportunities for hackers to gain access. This relatively rapid shift has left risk management approaches behind while increasing the level of cyber risk exposure. Banks should bring IT teams into business discussions much sooner and on more of a consultative basis, so that business strategies do not inadvertently open the bank up to cyber risks.
In order to effectively manage cyber risk today, banks need to increase accountability for cyber risks in the business, fully incorporate them into their risk management frameworks, and consult IT and cyber experts when defining digital business strategies. The costs of not doing so are rapidly mounting, as customers are more able to switch their business to a more secure and trusted bank and regulators are increasing pressure with the upcoming GDPR. The media are also applying pressure to banks that suffer outages or are vulnerable to cyber-attacks, with senior leaders expected to account for the problems faced.
If banks don’t overhaul their management of cyber risk, they take the chance of hitting the headlines as tomorrow’s cyber victim.