The last few years have seen the frequency of third-party cyberattacks against global financial institutions grow. One of the biggest reported attacks against a financial organisation occurred in early 2016, when $81 million was taken from the accounts of Bangladesh Bank. Unknown attackers used the SWIFT credentials of Bangladesh central bank employees to send 35 fraudulent transfer requests to the Federal Reserve Bank of New York. Around $850 million of the requested transfers were halted, so the attackers were prevented from taking the roughly $1 billion they were after.
The Financial Conduct Authority (FCA) recorded 69 cyber incidents reported by financial firms in 2017, compared to 38 in 2016: a rise of more than 80% in a single year. Two things drove the rise: cyberattacks continued to target systems running SWIFT, and the range of financial organisations that criminals attempted to penetrate expanded significantly. SWIFT remains a fundamental part of the world's financial ecosystem, while cybercriminal groups also attacked bank infrastructure, e-money systems, cryptocurrency exchanges and capital management funds. The overall goal in each case was to withdraw very large sums of money.
With the evolving risk landscape and the challenge of new risks, including third-party risk, companies within financial services need a set of management procedures and a framework for identifying, assessing and mitigating the risks these challenges present. Effective risk management supports sound judgement about how to allocate resources to minimise and mitigate risk exposure.
Risk management lifecycle
A risk management lifecycle has five stages: identification, assessment, treatment, monitoring and reporting. The treatment stage chooses between three options for each risk: mitigate it, transfer it, or accept and monitor it.
- Identification: You can't manage your risks if you don't know what they are, or whether they exist. The first step is to uncover the risks and define them in a detailed, structured format. Identify the potential events that would most affect your ability to achieve your objectives, then define them and assign an owner to each.
- Assessment: Once the risks are identified they need to be examined in terms of likelihood and impact. Assessing the probability of a risk and its consequences identifies which risks are priorities and require the most attention. You need a consistent way of comparing risks relative to each other and of deciding which are acceptable and which require further management; that comparison is made against the organisation's stated risk appetite.
- Treatment: Once a risk has been assessed, an approach for it must be defined. Some risks will require no action beyond continuous monitoring, but those judged not acceptable need an action or mitigation plan to prevent, reduce or transfer the risk.
- Monitoring: Once a risk is identified, assessed and a treatment defined, it must be continuously monitored. Risk evolves and can always change, so a regular review process is essential for proactive risk management.
- Reporting: Reporting at each stage is a core part of driving decision-making in effective risk management. The reporting framework should therefore be defined early in the risk management process, covering report content, format and frequency of production.
The three treatment options are:
- Mitigate risk: The organisation measures cyber risk performance and incentivises critical third-party vendors to address security issues through vendor collaboration.
- Transfer risk: The organisation shifts the financial consequences of a cyber event to another party, for example by purchasing cyber insurance or by influencing vendors to purchase it. Note that transfer covers the financial loss, not the underlying exposure or the organisation's accountability to regulators and customers.
- Accept and monitor risk: The organisation understands its potential security gaps and may need to accept certain risks because of business drivers or resource scarcity, while keeping them under review.
Managing with risk transfer
Risk transfer is a strategy that enterprises are considering more and more. It offsets the financial impact of risks that cannot be fully mitigated and can be a component of compliance with cyber security standards. As cybercrime rises, insurers' view of cyber security has changed from a pure IT risk to one that requires board-level attention. Insurance is now viewed as fundamental in offsetting the effects of a cyberattack on a financial institution. However, insurers will want to know that appropriate and audited measures are in place to prevent an attack in the first place, and that processes exist to respond correctly when cyber security does fail. Policies also carry exclusions that can void a claim: NB Bank, for example, failed to receive a pay-out after discovering that its situation fell under an exclusion clause.
An organisation's risk management responsibility now extends down the supply chain, and insurers will want to know the organisation's strategies for monitoring and mitigating third-party vendor risk. Risk management and risk transfer can both be simplified by measuring your organisation's security rating, an approach similar to credit ratings for calculating risk. Ratings provide insight into the security posture of third parties as well as your own organisation, and offer cost savings, transparency, validation and governance to organisations willing to adopt this model.
In the very near future, security ratings will be as critical as credit ratings and the other factors considered in business partnership decisions. A ratings model within risk management can help organisations collaborate and hold productive, data-driven conversations about risk and security where that was not previously possible.
Long term potential
This year will see a continuation of third-party cyberattacks targeting systems running SWIFT, with attackers using malware to issue fraudulent cross-border transactions around the world. Banks generally have more robust cyber defences than other sectors, which pushes attackers towards the weaker third parties and supplier connections that surround them.
Once breached, a financial services organisation's greatest fear is copycat attacks. This is where an effective risk management strategy enables better cost management and better visibility of the risk attached to business operations, which in turn supports better management of market, competitive and economic conditions and allows different risk management functions to be consolidated.
BitSight transforms how companies manage third and fourth party risk, underwrite cyber insurance policies, benchmark security performance, and assess aggregate risk with objective, verifiable and actionable Security Ratings.