Cyber and the C-Suite: New Cyberrisk Responsibilities for Chief Risk Officers

 
 


Common trends are emerging in the new and proposed cyberrisk management regulatory standards calling for a broad range of financial institutions to address cyberrisk across all three lines of defense (3LoD). In a 3LoD model, the first line of defense includes risk-taking units, such as the front-office business units responsible for revenue and business decisions, as well as the control and support functions that can influence the firm’s risk profile, like operations, information technology, and certain activities within treasury and finance. The second line includes oversight, risk management and other control functions that are independent of the business. Finally, the third line consists of internal auditors reviewing the processes of the first and second lines. Additionally, the board of directors will be expected to provide oversight through its risk and audit committees.

Chief risk officers (CROs) have significant responsibilities and access to the board and senior management that put them at the forefront of technological, operational and human resources challenges involved in implementing the 3LoD approach to cyberrisk management.

Under this model, CROs have to take on important responsibilities in six new areas:

1. Management and oversight: Guide the board toward a target risk appetite and budget.

Cyberrisks do not neatly fit into existing risk frameworks. Unlike credit and liquidity risks estimated using decades of loss data—and even some operational risks, like fraud—cyberrisks are relatively new and rapidly changing. Consequently, the available control indicators and metrics for cyberrisk are difficult to translate into financial loss estimates.

Nevertheless, CROs must make their best efforts. Even with incomplete data, the CRO can establish a baseline risk appetite based on known quantities and consensus expectations. One approach starts by targeting an overall risk tolerance (e.g., “How can I protect against the most critical risks?”) and sets budgets and priorities accordingly. Another approach starts with the budget (e.g., “What can I accomplish with $10 million?”) and then attempts to prioritize cyberrisk mitigation spending.

Whether guided primarily by risk appetite or budget, CROs can help frame an appropriate course of action to achieve a firm’s target level of cyber exposure, making a risk-focused business case for the appropriate level of investment across all three lines of defense, along with the other key front-line executives who are driving the cyber program day to day.

2. Organizational structure: Keep the business (including IT) on its toes.

As the leaders of the second line of defense, CROs need to provide a credible challenge to the first line, which includes front-line business units, operations and IT. That requires the CRO to maintain direct relationships with the chief information officer (CIO) and other key roles, such as chief information security officer (CISO), chief technology risk officer (CTRO) and chief privacy officer (CPO).

Yet it is not as simple as setting up effective reporting relationships. The objective is to establish the ability and process to provide a credible challenge to cyberrisks within the first-line businesses, rather than to assign direct responsibility for those practices to the CRO. In response, most organizations have already established or are in the process of establishing a separate, second-line technology or cyberrisk function under the CRO to set and monitor the board-approved cyberrisk appetite and first-line adherence to the cyberrisk management framework. Thus, the second line of defense can provide a credible challenge to the work of the first line of defense. Any disagreements that arise should be managed through healthy dialogue, ideally based on data models and analytics. If disagreements remain unresolved, major issues should be escalated to the CEO and, when appropriate, the board of directors.

3. Risk frameworks: Measure actual cyberrisks to better predict future losses.

To estimate future cyber losses, organizations need to measure the current level of cyberrisk. The problem is that, at any given moment, the actual level of risk is unobservable. It often takes six to eight months to detect a cyber intrusion, which means a risk analyst trying to determine actual cyberrisks will need to look back at least that far. For example, network activity previously classified as innocuous may be reclassified as an attempted cyberattack as new information becomes available.

To perform such reclassifications, the first line of defense will need to collect more information than was previously required, and store it for longer. The second line of defense will need to build an “incident library” to support calculations of loss and risk associated with cyberattacks and populate the library using a combination of real-time data and retrospective analysis. To be more dynamic and timely, loss estimates have to become more predictive, based on firm and industry data on current threats and vulnerabilities, coupled with past loss data. Over time, cyber loss data should include estimates on opportunity costs—that is, lost business due to outages or disruptions.

The measurement of actual cyberrisk is essential for getting better at understanding and monitoring risks and calculating losses, all of which contribute to the CRO’s ability to include cyberrisk in existing enterprise-wide risk frameworks for risk governance, risk reporting and metrics, and escalation mechanisms.

4. Impact assessment: Prepare for the “big one” you cannot predict based on past experience.

Even while dealing with smaller incidents on a reactive basis, the CRO needs to proactively mitigate the risks of large-scale cyberthreats. If the network goes down for an hour, you may lose some incremental business and waste your employees’ time. By contrast, if there is a ransomware attack on your liquidity system, or a cyberattack on your money transfer system, the resulting damage could be at a higher order of magnitude. A single attack of either nature can cause significant damage to a firm’s financial results and reputation, but the concrete losses and long-term implications can vary significantly.

The CRO has an important role in fostering an enterprise-wide cultural shift involving employees, vendors and outsourcing partners to uncover potential vulnerabilities across silos and relationships. Only by working with the CISO, first-line business process owners and relevant technologists to build an end-to-end view of the firm’s business processes—ideally including vendors that support those processes—can the CRO discover the extent of risk within a firm and prioritize appropriately. The most urgent attention needs to be focused on cyberattacks that have the highest potential impact on liquidity, capital or earnings.

Everyone is going to get hacked at some point—you just want to make sure that you can detect it, manage it, recover from it, and thereafter enhance the overall program through lessons learned.

5. Preparedness: Enhance resiliency and recovery.

Unlike natural disasters or physical attacks, it is hard to know exactly when a cyber incident occurs, except in retrospect. Thus, CROs need to challenge the effectiveness of disaster recovery and business continuity efforts with respect to cyberattacks. For example, suppose a ransomware attack encrypts both your primary data center and your secondary backup server. To fix the problem, you would have to determine the infection point, recover everything to that point, and then selectively apply changes to roll forward. That is much more difficult than switching over to a secondary server in the case of a geographically specific system failure. How firms operate under such circumstances is critical.

CROs also have to challenge the first line’s determination of the firm’s high-value assets, including critical systems and key internal and external dependencies. Such determinations will give priority to those assets in terms of investments and during recovery from an incident. Lower-value assets can be restored on a more flexible timeline, but high-value, critical systems need to be protected with enhanced resiliency and recovery strategies.

6. Insurance: Evaluate the effectiveness of a cyber insurance policy under real-world conditions.

Just as cyberrisks are changing quickly, cyberrisk insurance policies have also undergone a significant transformation in recent years. Firms should consult with their insurance carriers to make sure that they are up to date on what insurers can offer, as the marketplace is constantly changing. It is a responsibility of the CISO, CIO and CRO to evaluate policies on an ongoing basis.

Through close oversight, firms may also discover that their cyber insurance policies are getting in the way. For example, a policy may require the firm to retain all evidence involved with a cyberattack, even though the firm’s cyber incident response team is unlikely to do so when under immense pressure to restore a system.

In this situation, the firm has three options: train its team to comply with the insurance policy, negotiate with the insurer to set a more reasonable standard, or make the decision to self-insure.

 


About the Author

John Doherty is a partner in EY’s financial services advisory practice.


About the Author

Mark Watson is an executive director in EY’s financial services advisory practice.

 
 
 
