Banks are increasingly aware of the threats that can arise from cyber-related crimes and are continuing to strengthen their defenses against these threats. The resulting pace of change and innovation on both sides of the “conflict” continues to accelerate as the potential for gain and/or loss for the attacking entities and financial institutions only grows.
Newly published Accenture research on cybersecurity across the banking sector found that 78 percent of senior security executives from across the banking sector expressed confidence about their overall cybersecurity strategy. However, these executives may be overconfident; the survey also revealed that, among the thousands of phishing, malware and penetration attacks that financial services firms face each year, there were an average of 85 serious attempted cyber breaches. Of these, about one-third (36 percent) were successful – meaning at least some information was obtained through the breach. And, according to respondents, a majority (59%) of successful breaches go undetected for several months – demonstrating that the cybercrime industry has evolved from its early days of being “smash and grab” to a more sophisticated approach of getting inside in order to listen, learn and extend the criminal activity.
Dealing with threats of this magnitude continues to call for new and innovative approaches to cybersecurity. Typically, banks have tried to establish controls to manage cyber risk from the top down with a strong security perimeter. But in coping with the complexities of firewalls, malware and phishing alongside increasing use of social engineering approaches to infiltrate the institutions, banks are struggling to connect the technical aspects of cybersecurity with the broader concerns of operational risk – defined by the Basel Committee as “the risk of direct or indirect loss resulting from inadequate or failed internal processes, people and systems, or from external events.”
Any successful cyberattack has the opportunity to affect people, processes and technology throughout the organization. In the wake of an attack, banks need to get IT systems back up and running, but they also need to reassure customers and regulators, deploy effective back-up systems, and potentially, compensate losses. This calls for advance planning, cooperation and communication between operational, risk, infrastructure and cybersecurity teams. Proper planning is a critical component in the overall defense approach and needs to be prioritized on a risk basis. Being able to identify the valuable data assets in the environment – and then focusing on how to provide multiple layers of defense for this specific population – helps to enable the right strategy and focus the security related investment.
Another important factor for consideration is the ability to quickly quarantine an area which has been breached, to enable the broader systems and processes of the bank to continue operating while the affected areas are investigated, repaired and brought back on line. Incorporating the cyber risk strategy with an effective enterprise risk management (ERM) strategy can therefore help to limit the damage from a data loss event, distributed denial of service (DDoS) attack or other cyber incidents. Increasingly we do see cyber risk as a specific component of a comprehensive operational and ERM strategy, with formal review and oversight by the board and senior management.
Banks are continuing to step up both their investments in cybersecurity and their risk-based approach to protecting the institution. In addition to spending on technology and cyber expertise, they also are enhancing the governance framework to help foster accountability across heritage functional silos and create a more cohesive security-minded culture. By ensuring that the security program is supported by a more comprehensive risk and business strategy, organizations are able to develop a more complete “cyber response plan” that includes stakeholder communications and the protection and recovery of key assets. And the result is seen in banks decreasing their risk exposure while also improving the speed and effectiveness of their responses.
Cyber threats will continue to evolve, but banks that tie cybersecurity efforts to broader operational risks will be far more resilient in a challenging environment.
The post Banks Face Challenge Of Integrating Cyber And Operational Risk appeared first on McAfee Blogs.