Banks, insurers and asset managers are making million-dollar cyber investment decisions to mitigate threats. A fact-based and structured approach will help Asia Pacific institutions achieve the right ROI.
As more regulators require businesses to take a structured approach to managing cyber risk, few financial institutions can demonstrate they are investing in the right cyber risk mitigation strategies. Since cyber threats first arrived on financial institutions’ risk registers, boards and management have been making mitigation decisions based on the collective experiences of internal security experts and external consultants.
This doesn’t necessarily align with the structured approach required by regulators. Financial institutions are now expected to approach cyber risk decisions in the same manner as other risk domains, such as credit risk. The current approach sometimes results in a false sense of security: boards may mistake action for effective protection, managers rest easy because “we’re using the latest technologies,” and strategies are considered successful if an institution simply avoids being “the slowest gazelle in the herd”.
A quick comparison with the strictly quantified procedures for allocating capital investment illustrates the dangers of continuing with this approach. If institutions cannot quantify the value at risk from a cyber threat, or the risk reduction a particular set of cyber control investments will deliver, how can they meaningfully decide how much to invest and where? How do they know cyber investments are properly focused on their critical assets to mitigate their key threats?
The approach below provides a structured method to measure an institution’s ability to defend against attacks. It also allows risk committees to forecast when an uplift program will bring cyber risk back within appetite. Boards can identify which controls will deliver the greatest return on investment, allowing investment to be prioritised.