6 minute read 1 Apr 2019

Assessing cyber risk strategies the right way

By Jeremy Pizzala

EY Global Financial Services Office Cyber Leader and Hong Kong FSO Advisory Leader

Cybersecurity leader in financial services. I’ve lived and worked in Hong Kong, London and Sydney, among other places. I enjoy sports, especially swimming.


Banks, insurers and asset managers are making million-dollar cyber investment decisions to mitigate threats. A fact-based and structured approach will help Asia Pacific institutions achieve the right ROI. 

As more regulators require businesses to take a structured approach to managing cyber risk, few financial institutions can demonstrate they are investing in the right cyber risk mitigation strategies. Since cyber threats first arrived on financial institutions’ risk registers, boards and management have been making mitigation decisions based on the collective experiences of internal security experts and external consultants.

This doesn’t necessarily align to the structured approach required by regulators. Financial institutions are now expected to approach cyber risk decisions in a similar manner to the way they would other risk domains, such as credit risk. The current approach sometimes results in a false sense of security, where boards may mistake action for effective protection, where managers rest easy because “we’re using the latest technologies,” and where strategies are considered successful if an institution simply avoids being “the slowest gazelle in the herd”.

A quick comparison with the strictly quantified procedures for allocating capital investment illustrates the dangers involved in continuing with this approach. If institutions cannot quantify the value at risk from a cyber threat and the quantum a particular set of cyber control investments will deliver, how can they meaningfully decide how much to invest and where? How do they know cyber investments are properly focused on their critical assets to mitigate their key threats? 

The approach below provides a structured method to measure an institution’s ability to defend against attacks. It also allows risk committees to forecast when an uplift program will return the institution to its risk appetite. Boards can identify which controls will deliver the greatest return on investment, allowing that investment to be prioritised.

  • 1. Model: Improve cyber understanding of the business value chain

    To measure cyber risk, institutions must define metrics and cyber risk indicators by:

    • breaking down cyber risk scenarios into modular cyber events and mapping them to the threat and attack lifecycle (e.g., the cyber kill chain), including the critical respond and recover actions;
    • identifying the key controls in place to mitigate these actions at each step of the attack chain;
    • defining metrics and risk indicators that measure the effectiveness of these controls;
    • leveraging the critical information asset register and measuring the coverage of these key controls across critical information assets;
    • developing a structured model of how each control contributes to mitigating the threat (a resilience or protective index).
  • 2. Quantify: Translate cyber risks into business outcomes

    To provide management with the information and insights to enable effective and high-quality risk management, cyber risks must be quantified using a range of lenses, including at an aggregate organisational and more granular business unit level.

    By leveraging best practice in operational risk modelling, measures of resilience and their uplift can be translated into business terms, such as Value at Risk. This enables executives and boards to have a tangible “dollars and cents” discussion. Once directors know that a particular cyber threat is putting (for example) US$250m of value at risk, they are much more likely to decide on an appropriate control action.

  • 3. Ask: Are we investing enough in cyber?

    Modelling and quantifying cyber risk generates significant amounts of data, which stakeholders struggle to make sense of. Boards and executives need dashboards that provide real-time insights from aggregated risk, control and business unit views.

    Dashboards and other cyber risk reports are vital decision support tools. They help inform discussions about cyber risk, including identifying which risks to avoid, which to accept, which to transfer through insurance and which to mitigate by investing in specific control uplift.
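As an added worked example (not part of the original article and not EY’s own methodology), the small Python model below carries the three steps above through one constructed scenario: an attack chain is broken into kill-chain stages, each stage carries the key controls that mitigate it, every control is scored on effectiveness and on coverage of critical assets, the stage scores roll up into a resilience index, and that index is translated into a residual Value at Risk. It then ranks candidate control uplifts by risk reduction per dollar and forecasts which of them are needed to return to appetite. The combination rule (controls and stages treated as independent layers, so mitigation is effectiveness × coverage and survival probabilities multiply), the three stages, the control names and every number, including the US$250m inherent exposure, are assumptions chosen for illustration.

```python
"""Toy cyber risk model: kill-chain scenario -> resilience index -> value at risk -> investment ranking.

Every figure below (effectiveness, coverage, costs, inherent exposure) is a constructed
sample value for illustration, not measured data. The combination rule is an assumption.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Control:
    name: str
    effectiveness: float  # probability the control stops the step on an asset it covers (0..1)
    coverage: float       # share of critical information assets where it is actually deployed (0..1)

    def mitigation(self) -> float:
        # A control only helps on the assets it covers, and only as well as it works there.
        return self.effectiveness * self.coverage


@dataclass(frozen=True)
class Stage:
    name: str              # kill-chain step, e.g. "delivery", "exploitation"
    controls: List[Control]

    def mitigation(self) -> float:
        # Probability the attack is stopped at this step; controls treated as independent layers.
        survive = 1.0
        for c in self.controls:
            survive *= 1.0 - c.mitigation()
        return 1.0 - survive


@dataclass(frozen=True)
class Scenario:
    name: str
    inherent_var: float    # value at risk if no control works, in US$ (constructed)
    stages: List[Stage]

    def resilience_index(self) -> float:
        # Protective index: probability the chain is broken at some stage before impact.
        survive = 1.0
        for s in self.stages:
            survive *= 1.0 - s.mitigation()
        return 1.0 - survive

    def residual_var(self) -> float:
        # Step 2: translate the resilience index back into dollars.
        return self.inherent_var * (1.0 - self.resilience_index())


def uplift_control(scn: Scenario, stage_name: str, control_name: str, coverage: float) -> Scenario:
    """Return a copy of the scenario with one control's coverage raised (an uplift investment)."""
    stages = []
    for s in scn.stages:
        if s.name == stage_name:
            ctrls = [replace(c, coverage=coverage) if c.name == control_name else c for c in s.controls]
            stages.append(replace(s, controls=ctrls))
        else:
            stages.append(s)
    return replace(scn, stages=stages)


def rank_investments(scn: Scenario, options: List[Dict]) -> List[Dict]:
    """Step 3: rank candidate uplifts by value-at-risk reduction per dollar spent."""
    base = scn.residual_var()
    ranked = []
    for opt in options:
        after = uplift_control(scn, opt["stage"], opt["control"], opt["coverage"])
        reduction = base - after.residual_var()
        ranked.append({**opt, "var_reduction": reduction, "reduction_per_dollar": reduction / opt["cost"]})
    return sorted(ranked, key=lambda r: r["reduction_per_dollar"], reverse=True)


def plan_to_appetite(scn: Scenario, options: List[Dict], appetite: float) -> Tuple[List[str], float, float]:
    """Apply the best-ranked uplifts in order until residual VaR is within appetite.

    Returns (controls uplifted, total cost, residual VaR reached)."""
    applied, cost = [], 0.0
    for opt in rank_investments(scn, options):
        if scn.residual_var() <= appetite:
            break
        scn = uplift_control(scn, opt["stage"], opt["control"], opt["coverage"])
        applied.append(opt["control"])
        cost += opt["cost"]
    return applied, cost, scn.residual_var()


# Constructed sample scenario: ransomware delivered by phishing, scored against three stages.
SCENARIO = Scenario(
    name="ransomware via phishing (constructed)",
    inherent_var=250_000_000.0,
    stages=[
        Stage("delivery", [Control("email filtering", 0.8, 1.0),
                           Control("security awareness training", 0.3, 0.9)]),
        Stage("exploitation", [Control("EDR", 0.7, 0.6),
                               Control("patch management", 0.5, 0.5)]),
        Stage("actions on objectives", [Control("offline backups", 0.9, 0.4)]),
    ],
)

# Constructed uplift options: extend coverage of one control to all critical assets, at a cost.
UPLIFT_OPTIONS = [
    {"stage": "exploitation", "control": "EDR", "coverage": 1.0, "cost": 2_000_000.0},
    {"stage": "actions on objectives", "control": "offline backups", "coverage": 1.0, "cost": 1_500_000.0},
    {"stage": "delivery", "control": "security awareness training", "coverage": 1.0, "cost": 500_000.0},
]

if __name__ == "__main__":
    print(f"resilience index: {SCENARIO.resilience_index():.4f}")
    print(f"residual VaR:     US${SCENARIO.residual_var():,.0f}")
    for r in rank_investments(SCENARIO, UPLIFT_OPTIONS):
        print(f"  {r['control']:<28} buys down US${r['var_reduction']:,.0f} "
              f"({r['reduction_per_dollar']:.2f} per $)")
    print(plan_to_appetite(SCENARIO, UPLIFT_OPTIONS, appetite=5_000_000.0))
```

The ranking is where coverage matters: in the sample data the backups control is the most effective one in the model, yet it covers only 40% of critical assets, so extending it buys down far more risk per dollar than either of the cheaper or more visible options. The same sequence also shows diminishing returns, since once the top-ranked uplift brings residual VaR inside the constructed US$5m appetite the planner stops, and the remaining options would only add cost for marginal reduction. Real scenarios need the effectiveness and coverage inputs to come from the metrics and the asset register described in step 1 rather than from expert estimates.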

We can and must improve our ability to support senior executives and the board in managing an institution’s cyber risk. We need to move from relying on opinion to using more quantified data to drive decision making. We need to recognise we can model cyber threats via structured scenarios and their associated controls to mitigate these threats. We must understand these models need to take account of both control effectiveness and coverage across the institution’s key assets. We must embrace the data aggregation challenge and make appropriate investments in technology to support this.

Answer the burning questions of the board, senior management, business and functional managers, service providers, control owners, and risk and compliance teams

How do we quantify the financial, reputational and customer impacts of a cyber attack?

How does cyber risk roll up into broader operational risk?

How are we protecting our critical assets in each business function?

Are our security initiatives enabling business capabilities and improving our overall security posture?

How effective are our controls?

Is the money spent on cyber security helping reduce value at risk?

Is our investment focused correctly?

Where can we invest to drive the best risk reduction?

  • Develop a top-down model to quantify cyber risk, enabling board and management to understand its quantifiable impacts
  • Define metrics and risk indicators that measure the effectiveness and coverage of controls on your key assets
  • Connect and integrate data sources to provide the facts that support these metrics
  • Automate data collection and use analytics tools to generate and communicate cyber risk insights via dashboards that support the range of views required by various stakeholders, including: executives, board and control owners
  • Understand how resilient you are to defend against your key cyber threats
  • Identify how much a major cyber incident could cost, how much to spend and how much this will buy down risk
  • Improve prioritization by recognizing when further investment provides diminishing returns
  • Better forecast when you will return to risk appetite

Summary

Financial institutions are now expected to approach cyber risk decisions in a similar manner to the way they would other risk domains, such as credit risk. The current approach sometimes results in a false sense of security. 

Instead, they should use a structured method to assess their strategies: modelling cyber risk within the business value chain, quantifying those risks as business outcomes and asking whether the level of investment is sufficient.

Without a structured, rigorous and data-led approach we will continue to make million-dollar investments based on opinions — not facts.
