Post on 15-Jan-2017
Copyright © 2015 Accenture All rights reserved. 2Copyright © 2015 Accenture All rights reserved. 2For more information, please visit: www.accenture.com/riskstudy2015
According to respondents from the 2015 Global Risk Research Study Cyber Risks are set to rise and are high priority on the CRO agenda
74%of insurance respondents expect cyber and IT risks to become more severe
65% of Banking respondents expect cyber risk to become more severe
58%of capital markets respondents expect an increase in the severity of cyber risks
Cyber & IT Security Risk in Financial Services
Copyright © 2015 Accenture All rights reserved. 3
What is Cyber Risk?
Cyber Risk
Reputational Risk• Loss of Trust (internal and external)• Brand Damage / Loss of Intangible Value• Time intensive / costly to repair• Need to embrace Digital
Technology and Operational Risk• Failure of infrastructure, processes or systems• Inability to operate/Run the business• Requires regular planning and oversight• Importance of effective and current controls
Fraud and Financial Crime• Lost revenue and profit – high cost• High velocity and high frequency/relentless• Need to stay close to regulatory agenda • Requires both business and technology solutions
Sourcesof Cyber Risk• Hacktivism• Hacker / Lone Wolf• Nation State Attacks• Insider Data Leakage• Social Engineering
Internal Originsof Cyber Risk• Digital Banking Services• Payments • Electronic Trading• Third Parties• Technology Infrastructure
Cyber Risk can manifest itself across several dimensions, makingit difficult to detect, measure, and control
Copyright © 2015 Accenture All rights reserved. 4
Protecting Against the Cyber Threat is not a New Problem
• Linear or horizontal approach is not working
• Large Institutions lack the facts and processes
• Challenge to understand what information needs tobe protected and the most effective set of defense mechanisms
• Companies that spend more on cyber resiliency do not necessarily manage cyber resilience risk in a more mature way
Cyber resilience is a continual challenge due to the exponential rate at which people, processes and organization are connected digitally
Historical Methods
• It’s not possible to isolatethe risk
• Cyber risk does not respect your organizational structure
• It’s not just a technology problem, but rathera technology, process and people problem
• Firm that invest in and develop cyber capabilities to instill trust will have an competitive edge in the digital era
New Paradigm
Copyright © 2015 Accenture All rights reserved. 5
Resilience
• Downtime/Loss of service• Theft/Fraud• Loss of data• Impact to reputation/brand
The ability to operate the business processes in normal and adverse scenarios without adverse outcomes
• Secure processes and systems• Strong controls• A strong risk culture• Digitized/Automated processes
Resilient businesses have: Resilience Prevents:
Copyright © 2015 Accenture All rights reserved. 6
A Comprehensive Approach helps Protect the Full Breadth of Entry Points and Operations which Underpin Financial Services Organizations
Detect
IdentifyRespond
Prevent
Detection and Identification – Tools and metrics to identify and log aspects to manage operations
Operational Monitoring – Aligning the tools to identify and detect threats along with their escalation and oversight
Event Response Plan – Structureto identify and manage action plans
Business and IT Controls – Oversight of the controls and their testing programs and how to leverage COBIT®, ISA, ISO/IEC, NIST* controls
Operating Model – Specifying the structure with people, organization, roles, tools and processes to govern.
Crisis Management – Structure to manage incidents and notify impacted parties
Risk Events - Scenarioswhich can impact the organization specific to Cyber threats
Risk Identification – Aggregated set of typical risk associated with Cyber Risk
How do we respond?
What is the impact?
How do we organize?
How do we monitor?
Copyright © 2015 Accenture All rights reserved. 7
Measurement with a PurposeObservations and Hypotheses
• Customers• Employees• Partner/Third
Parties
• Business Process
• Support Process
• Other Process
• Software• Configuration
s• Access
Management
1. Without the right metrics, Cyber Risk could become diluted and mis-aligned to business value
2. Historical key performance indicators (KPIs) may not provide insights
3. Board-level reporting has no clear standards and could be out of sync with the real threats
4. Techniques to model the scenarios, risk events and residual risk across the firm are not focused on cyber threats
Process Technology
People
Copyright © 2015 Accenture All rights reserved. 8
Measurement with a PurposeCommon categories to consider for Cyber Risk Reporting
1. Board-Level Reporting 2. IT Risks 3. Operational 4. Advanced
Analytics
Infrastructure
Third Parties
SoftwareInternal
Employee Training
Data Loss Prevention
Employee Monitoring
External
Vulnerabilities
Surveillance
Funding
Risk/Reward Decisions IT Operations
Fraud
Target Residual Risk
Access Management Physical Security High Crimes and
Investigation
New Focus Renewed focus
Copyright © 2015 Accenture All rights reserved. 9
Embed the first line of defense within technology organization. Create a centralized office with technology control officers across business lines which just focus upon IT.
Cyber Risk Operating Models An operating model helps define the organization’s accountability for doing the work, supporting the right decisions and measure effectiveness
Centralize an entire department as 2nd line of defense with examinations across the lines of business. Build highly specialized team and track similar to compliance function.
Policy setting organization and influencer similar to data and privacy. Develop risk frameworks around IT, Data integrity, and operations and run as 2nd line of defense.
Create an enterprise-wide risk function dedicated to identify, measure and respond to threats.
Option 1 – Dedicated Function
Option 0 – IT Centric
Option 2 – Cyber Czar
Option 3 – Risk Led
Copyright © 2015 Accenture All rights reserved. 10
Operating Model Analysis Each option should consider the tradeoffs with the firm’s ability to Prevent and Detect Threats
Effi
cien
cy
Ability to Prevent and Detect Threats Low
High
High
Option 0 – IT Centric
Option 1 – Dedicated Function
Option 2 – Cyber Czar
Option 3 – Risk Led
Copyright © 2015 Accenture All rights reserved. 11
Operating Model Analysis Each option should consider the tradeoffs with the firm’s ability to Prevent and Detect Threats
Ability to Prevent and Detect Threats Low
High
High
Valu
e to
Cus
tom
er
Option 0 – IT Centric
Option 1 – Dedicated Function
Option 2 – Cyber Czar
Option 3 – Risk Led
Copyright © 2015 Accenture All rights reserved. 12
Operating Model Analysis Each option should consider the tradeoffs with the firm’s ability to Prevent and Detect Threats
Ability to Prevent and Detect Threats Low
High
High
Spe
ed to
Exe
cute
Option 0 – IT Centric
Option 1 – Dedicated Function
Option 2 – Cyber Czar
Option 3 – Risk Led
Copyright © 2015 Accenture All rights reserved. 13
1. Training and Risk Culture – Taking your unique organization and infusing the right cyber risk behaviors
2. Controls – Where are the weak points – build robust set of controls across operations, business and IT
3. Measurement with a Purpose – What is going on without you knowing it – creating metrics which help expose the risks
4. Operating Model – How do you work with the rest of the organization - assigning clear lines of accountability and ownership
5. Resilience – At some point it will go wrong, how do you get the best outcome from the worst situation?
The Top 5 Priorities to Get Right Cyber Risk does not fit neatly into a single organization node to then be managed and mitigated effectively
Copyright © 2015 Accenture All rights reserved. 14
A risk-based approach helps to set priorities, establish a risk appetite (and a budget) and bring order and priority in place of reaction
Holistic Capabilities to help Deliver Resilient Solutions
More institutions are focusing on a better way to address the challenges of cyber risk, but few have mastered it
Establish effective controls for people, process and technology to facilitate effective surveillance and improved incident response to deliver resilient solutions
GlossaryCOBIT: Control Objectives for Information and Related Technology. COBIT® is a trademark of ISACA® registered in the United States and other countries.
ISA: Information Society of Automation
ISO: International Organization for Standardization
IEC: International Electrotechnical Commission
NIST: National Institute of Standards and Technology
How to Make your Enterprise Cyber ResilientDisclaimer: This presentation is intended for general informational purposes only and does not take into account the reader’s specific circumstances, and may not reflect the most current developments. Accenture disclaims, to the fullest extent permitted by applicable law, any and all liability for the accuracy and completeness of the information in this presentation and for any acts or omissions made based on such information. Accenture does not provide legal, regulatory, audit, or tax advice. Readers are responsible for obtaining such advice from their own legal counsel or other licensed professionals.
About AccentureAccenture is a global management consulting, technology services and outsourcing company, with more than 358,000 people serving clients in more than 120 countries. Combining unparalleled experience, comprehensive capabilities across all industries and business functions, and extensive research on the world’s most successful companies, Accenture collaborates with clients to help them become high-performance businesses and governments. The company generated net revenues of US$31.0 billion for the fiscal year ended Aug. 31, 2015. Its home page is www.accenture.com.
Accenture, its logo, and High Performance Delivered are trademarks of Accenture.
Learn more about cyber risk and resilience:www.accenture.com/CyberRisk