3 minute read 12 Sep 2017
Businesswoman writing whiteboard tablet dark office

How organizations can identify and protect high-value assets

By Cindy Doe

EY Americas Advisory Risk Leader

Seasoned financial services professional. Resides in Massachusetts with her husband and three children.

3 minute read 12 Sep 2017

Show resources

  • Optimize your organization’s high-value asset identification capability (pdf)

Managing high-value assets (HVA) has become an essential part of senior management and business process owners’ risk management program.

High-value assets (HVA) are more than just your most valuable line items on the balance sheet. Beyond their monetary value, organizations need to consider the enterprise-wide impact HVAs have on crossfunctional processes such as operations, compliance and legal as well as on broader risks (including reputational risk, liquidity and resiliency.)

HVA includes any elements of critical business processes, applications, data and infrastructure that must be protected to provide for the continued confidentiality, availability and integrity (CIA) of information. Confidentiality refers to systems that store and process sensitive data that must be protected to maintain an organization’s reputation, achieve compliance with laws and regulations, and protect intellectual property or trade secrets. Availability refers to systems needed to maintain an organization’s continued operations and ability to execute in the market. Integrity refers to the systems and processes that help ensure that data and information within the ecosystem is complete and accurate.

Having a comprehensive understanding of HVA enables an organization to:

  • Align critical business processes, applications, data, and infrastructure
  • Prioritize and enhance defenses against cyber attacks
  • Develop a tailored backup and resiliency strategy
  • Meet board and market expectations
  • Respond quickly to market conditions
  • Assist with regulatory risk assessments and expectations

Yet despite the importance of understanding HVA, most organizations lack a formal process to identify HVA, and have limited ability to understand the upstream/ downstream data flows and dependencies within the business.

HVA driver #1: increased risk posed by cyber attackers 

The first driver of the push toward better HVA management is the ceaseless probing by cyber attackers seeking weak points. Financial institutions, especially those considered to be critical infrastructure such as clearing networks and stock exchanges, are under constant threat from cyber attackers of all types, from hacktivists to hostile nation-states. Financial institutions also must cope with increasingly sophisticated attacks by adversaries with a profit motive, whether it’s attackers stealing and reselling customer data, or committing financial crimes, and then covering their digital tracks. For any of these attackers, finding a financial institution’s unguarded HVA poses a serious threat. If an entire business process relies upon a component, even if it is a relatively small subsystem, that component should be considered as part of HVA and protected to an appropriate extent. 

HVA driver #2: faster pace of deployment from new business models

Technology disruptors like digital delivery continues to change business models for financial institutions. To embrace digital delivery, financial institutions are constantly being pressured to move quickly with new initiatives, new applications and new products. This creates a natural tension with the operational constraints of maintaining integrity, resiliency, privacy and security. 

Yet financial institutions’ “Do no harm” approach to protecting the customer has limited the pace of change, and this has turned out to be a competitive liability for large financial institutions versus Fintech companies. Unlike traditional financial services firms subject to a high level of oversight and expectations, Fintech companies tend to move quickly with a “fast-to-fail” strategy, in which they deploy into the market products that are only 80% to 90% ready and then adjust accordingly. This approach is difficult for financial services firms to imitate, both because of their internal culture and expectations to protect the marketplace and consumers. 

Summary

Organizations that gain experience managing HVA as an ongoing process will become better at maintaining proactive defenses in the face of everchanging threats. Once you find that employees, on their own initiative, start to point out potential HVAs that need to be defended at an enterprise level, you’ll know that you’ve achieved a valuable shift in thinking that will better prepare your organization well for the future.

About this article

By Cindy Doe

EY Americas Advisory Risk Leader

Seasoned financial services professional. Resides in Massachusetts with her husband and three children.