Enterprise Risk Management and Cyber Security
By Monica Khurana, CIO, RS Investments
Cyber security has today emerged as the largest threat confronting every organization. Cyber-attacks continue to increase in number, and the impact of these incidents grows in severity with every new attack. The financial services industry faces these cyber-attacks with alarming regularity, as financial gain is the primary motivation behind them. The total cost of cybercrime to the global economy ranges from $375 billion to $575 billion (source: McAfee / Center for Strategic and Intelligence Studies).

Given the rapidly evolving nature and pervasiveness of cyber-attacks, the related enterprise risks have also risen significantly. It has become imperative that firms take a risk-based approach to cyber security in order to identify gaps and address these threats. An effective practice is for firms to evaluate relevant industry frameworks as they develop their cyber security guidelines. There are a variety of frameworks to draw from, including those from the National Institute of Standards and Technology (NIST), the International Organization for Standardization (ISO) and the Information Sharing and Analysis Centers (ISACs). The NIST framework has received considerable attention since it was published in February 2014. It takes a risk-based approach to prioritizing a firm's cyber security activities so that the firm can manage its cyber security risks effectively.
An active practice is for firms to develop and maintain a governance framework for cyber security risk management that is in proportion to the organization's size. The governance framework should enable firms to become aware of relevant cyber security risks, estimate their severity and determine how to manage them. Traditionally, Enterprise Risk Management has been a function of Compliance, Internal Audit or Risk Management. Cyber security, by contrast, has historically been the domain of the technology function, with cyber risks mitigated and managed by the technology team. In the current environment of heightened cyber risk, technology should partner with the Compliance and Risk Management teams to categorize and manage cyber risks effectively. This new cyber security structure allows technology to put mitigating controls in place and Compliance to manage the inherent risks adequately.

The firm's executive leaders and board should be involved in addressing cyber security threats. These leaders should understand and approach cyber security as an enterprise-wide risk management issue and not just an IT issue. Discussions on cyber risk management should be given adequate time in executive updates and on the board meeting agenda. These leaders should be educated on cyber risks and kept abreast of the changing landscape and its associated risks.
Cyber security Oriented Culture
Cyber security risks are inherent throughout every organization, with phishing attacks and malicious software inadvertently being downloaded onto employees' computers. Even the best technical controls on a firm's systems can be rapidly undermined by employees who are inattentive to cyber security risks. The Technology, Compliance and Risk teams cannot mitigate and control such risks alone. The entire organization has a role to play in defending the firm from cyber-attacks. This requires a strong culture in which every employee is aware of cyber risks and plays an active role as a gatekeeper, ensuring that their machines do not become the point of entry. Hackers and data criminals target firms' employees, and many data breaches in recent years have occurred through this channel. Employees need to be trained adequately so that they are aware of the risks that cyber threats pose and of their role in mitigating those risks. Technology needs to train employees continually and ensure that these training programs are effective. Executive management should build a cyber security oriented culture in the firm.
Third Party Diligence
Third party vendors that hold the firm's sensitive information need to protect the company's data the same way the firm would. It is important to conduct risk-based due diligence on all third party providers and ensure that they follow industry best practices on cyber security. This due diligence gives the firm a basis for evaluating whether the third party providers meet the firm's cyber security standards. It can include discussions with the vendor to remediate a weakness relative to the firm's cyber security standards. Firms should avoid using vendors that do not at least meet the firm's cyber security standards. It is important for firms to establish robust contractual language to govern vendor relationships, covering ongoing oversight, the obligation to protect the firm's information, and breach notification procedures.
Cyber Threat Intelligence Sharing
The importance of cyber security threat intelligence and information sharing is increasing as cyber security threats proliferate and advance in complexity. To assist with the sharing of cyber security information amongst firms, the US federal government helped establish industry-based Information Sharing and Analysis Centers (ISACs). The fundamental goal of the ISACs is to expose security vulnerabilities and identify solutions to prevent and correct security breaches. An ISAC provides a network through which firms can take the information shared by their peers and proactively reduce their exposure to the reported vulnerabilities.
Cyber Insurance
Having adequate cyber insurance that provides at least partial coverage for cyber security incidents could be a major factor in recovering from such an incident. In an environment of hosted solutions, cloud platforms and other third party providers, it is important to understand what coverage is available from these providers and what exposure the firm itself faces. A good understanding of the existing cover will help the firm make informed decisions about risk transfer and determine which cyber liability insurance products best suit the organization's risk profile and needs.
Cyber security is a key risk that will likely continue to grow in the coming years. Firms should continuously assess their cyber security risks and ensure that this assessment is kept up to date. Firms should make the implementation of controls that address cyber security challenges an integral part of sound business infrastructure. A risk-based approach to cyber security will allow firms to adapt to the changing landscape and to adopt a model that best fits the firm's culture. Risk assessment can help firms identify and prioritize their next steps to mitigate and reduce cyber threats.
Monica Khurana is the Chief Information Officer for RS Investments. The viewpoints listed above are those of Monica Khurana and not those of RS Investments.