Financial institutions that want to mitigate cyber risks must disregard old-school, compliance-driven approaches, like scenario analysis, and instead embrace fast, comprehensive frameworks that integrate business development, security and information and communication technology.
Friday, August 2, 2019
By Andrea Giacchero and Jacopo Moretti
Cyber risk is a continuously evolving, complex phenomenon that requires a new risk management approach. We are now at a turning point, facing the intersection of several simultaneous cybersecurity crises, and the choices that we are going to make in the next years in the field of cybersecurity will certainly influence the probability of survival and the sustainability of the entire digital society as we know it.
Like other complex phenomena (e.g., the effects of climate change on the environment), we already have strong evidence that cyber risk is getting out of control and is becoming irreversible. Furthermore, this is a chaotic phenomenon, and making forecasts about possible outcomes is therefore very difficult.
It is not by chance that large organizations across the globe are undergoing a deep change, rethinking their cyber risk management and adopting integrated frameworks that include both information and communication technology (ICT) tools and security awareness programs to guarantee effective monitoring. Today, companies are more aware of the need to review their ICT and cyber risk management, changing the overall design both in terms of security measures and internal processes.
The idea is to move from a compliance-based approach to a risk-based one. Indeed, the main aim is to align the firm's cybersecurity and business development strategies.
In the era of big data, to guarantee the security of both internal applications and customers' data, speed is a critical issue. Companies should put into practice a security-by-design concept, developing their products in step with their cybersecurity.
Moreover, companies should build strong resilience. The main idea is that if something goes wrong, one should be able to resume normal activities in a quick and safe manner. For instance, companies should implement mechanisms to restore the availability of the ICT systems and to recover data after a cyberattack.
Identifying cybersecurity threats as quickly as possible (a crucial element in improving risk awareness) is the goal. To achieve it, a company must rigorously test its escalation processes, identify its channels of communication in case of a cyberattack and define its technological and procedural countermeasures.
One common mistake firms make is believing that cybersecurity is limited to software. On the contrary, cybersecurity comprises a set of approaches and processes.
Cultural and Economic Concerns
The heart of the matter is more a cultural and economic issue than a technological one. Business models often do not adequately account for the total cost of defending the digital environment, which covers a set of infrastructures, protocols and organizational processes. Global investment in cybersecurity is therefore lower than it should be.
This has evolved into a chicken-and-egg dilemma: the scarcity of resources dedicated to cybersecurity has resulted in higher costs related to cyber threats. It's a vicious cycle that must be interrupted as soon as possible.
Lamentably, none of the available cyber risk solutions are comprehensive enough. There are, however, steps firms can take to mitigate cyber risks.
For starters, it's important to realize that the current methods for managing cybersecurity are outdated and ineffective. For example, qualitative and quantitative metrics are typically used to try to establish a firm's cyber risk appetite. But since those metrics likely can't predict all of the possible consequences of cyber risk events, each firm's cyber risk appetite should, quite simply, be set to zero.
Scenario analysis is another commonly used tool, but it does not allow firms to correctly perceive the inherent riskiness of a cyberattack. Given their complex nature, it is nearly impossible to identify all the possible consequences of cyberattacks. But this is not a total lost cause. A real risk-based approach that properly calculates financial losses must be implemented, and it must assign a monetary value to any assets compromised by cyber risk events.
Contrary to popular belief, cyber risk insurance policies are also not an effective mitigation strategy. Insurance companies are now formulating dedicated policies against cyber risk; however, as with scenario analysis, an insurance policy is unlikely to assess the costs related to a cyberattack (e.g., a data leak or theft of intellectual property) precisely. Quantifying the premium of a cyber insurance policy is therefore very hard.
Companies should seriously consider changing their approach to cybersecurity, carefully weighing the balance between costs and benefits. Importantly, they can't let internal biases cloud their vision and decision making.
Internal systems and processes carry the same riskiness as external applications, and therefore must be evaluated just as critically. Meeting this objective requires the adoption of a “zero-trust” approach in which the activities of all systems and users are continuously verified.
Like a stopped clock that is right twice a day, risk managers can say something correct about their firm's cyber risk appetite without having the faintest idea about future cybersecurity events.
In view of these considerations, every company should strive to mitigate its cyber risk exposure by investing in continuous training of all its employees and by updating its technology.
Andrea Giacchero and Jacopo Moretti both work at Cassa Depositi e Prestiti. Giacchero is the head of operational risk; Moretti is an operational risk analyst.
The opinions expressed in this article are those of the authors and do not necessarily reflect the official policy or position of Cassa Depositi e Prestiti.