Will the next systemic crisis be cyber?
Arrow Institute conference
• Why could a cyber attack cause the next systemic crisis?
• How can Operational Risk management cover cyber risks?
► Enterprise Risk Management (ERM) framework and cyber risks
► Risks identification
► Assessment and reporting
► Response strategies
• Main learnings and conclusions
A constantly evolving
Cyber « Hacktivism »
Script kiddies are sometimes portrayed in media as bored, lonely teenagers seeking recognition from their peers.
(diagram of threat actors: Criminals; Activists / Hacktivists)
Cyber threats are diverse and continually evolving…
• Cyber-protests, or “hacktivism”, have become popular and continue to grow in frequency.
► Anonymous group, Operation Payback
► End-users with limited technical know-how
► Distributed denial of service (DDoS) attacks or spam campaigns on selected companies and/or organisations
• Social engineers obtain confidential information by manipulation or deceit.
• Advanced Persistent Threats: sophisticated and clandestine means to gain continual intelligence/data on an individual, group of individuals, company or government.
• Highly targeted, thoroughly researched, amply funded, and tailored to a particular organisation, using multiple attack vectors and “low and slow” techniques to
Companies are evolving…
• Less control over the provider (no penetration test allowed, …);
• Centralisation of data from multiple companies;
• Privacy and commercial issues (Patriot Act, …);
• Business continuity concerns…
How much does it cost? We don’t know exactly
Costs of cyber-crime to society are substantial.
Some studies cite figures as high as $400 billion or $1 trillion!
(chart: reported figures by year, 2011 to 2014)
Based on reported impacts only…
How can Operational Risk manage cyber risks?
• Euroclear case study
• Enterprise Risk Management (ERM) framework and cyber risks
► Risks identification
► Assessment and reporting
► Response strategies
An increasingly interconnected world
• Euroclear is the world’s largest provider of settlement and related services for domestic and cross-border financial transactions.
• Settles over 170 million transactions a year in 53
• Links with 44 markets across the globe
• > € 780 billion of collateral outstanding every
• > € 573 trillion of transactions settled
• > 2,000 financial institution clients from 90
• Holds client assets valued at € 24 trillion.
• 3,300 employees in 12 locations worldwide.
Central Securities Depository (CSD): Euroclear UK & Ireland, France, Netherlands, Belgium, Nordics
Settlement of a trade:
– local buyer and local seller
– in a domestic security
– payment in the domestic
International CSD (ICSD): Euroclear Bank
Multicurrency settlement and asset servicing
Settlement of a trade:
– wherever the counterparties are
– in any international security
– payment in any currency
Enterprise Risk Management (ERM)
What is the goal? Organise the chaos to ensure continuity
The Euroclear Enterprise Risk Management (ERM) framework covers these areas of focus and ensures:
• the right ownership and governance
• a holistic approach
• a dynamic approach
• alignment with established market standards and regulations
• coverage of business-as-usual and crisis management up to recovery and disaster
Enterprise Risk Management
• What are the relevant
• Horizon scanning
• Risk and scenario-based assessments on cyber
• Government and peer information sharing fora
• Post-mortem assessment
• How effective are our
• What is our maturity
• Report Group Risk Profile and entity risk reports
• Security programmes
• Incident responses and
• Simulation exercises
Enterprise Risk Management in practice
How does it apply to cyber threats?
(governance chart: Group Risk Committee; Local MC / Division Heads / Risk Mgt; Group Domain Security; Local Domain Security (Line of Defence); Audit and Compliance)
• The Chief Security Officer oversees the implementation of the Security framework covering the 4 security domains and ensures:
► Clarity of accountability
► The same level of control across the group
• Risk specialists provide:
► Support to the first line of defence (framework and tools)
► Assurance to senior management on the adequacy and effectiveness of controls
Supported by control functions in the second and third lines of defence, and by policies, procedures, control frameworks, tools and expert advice.
Awareness is key…
• Global security awareness programme
• « One Minute Security Managers »
• E-learning modules and tests:
► Phishing, Smishing, Vishing…
► Mobile devices, working outside of the office
► Social engineering…
Understanding the cyber threats
• Information Security risks (reported in Risk Management - Risk Universe)
• Logical security risks (reported via the Corporate Risk analysis)
• “Cyber” related risks (Cyber Risk analysis)
Finding your way through many information sources
Establishing a cyber threat list
The reference source for mitigation factors is the SANS Top 20 critical controls for effective cyber defence (today maintained as the CIS Critical Security Controls).
Many external information sources:
• US Department of Homeland Security
• Deloitte cyber threats list
• Information Security Forum (ISF)
• SANS Top 20 (controls)
• ENISA cyber threats list
• Febelfin threat list regarding mobile computing (used by
• BSI threat catalogue
About 100 cyber threats grouped in 10 families:
1. Threats to building infrastructure (including SCADA) & personnel
2. Threats to IT networks
3. Threats to IT systems / servers
4. Threats to fixed end-points (such as workstations & thin clients)
5. Threats related to mobile computing (corporate laptops/iPads, mobiles,
6. Threats to electronic communications / data in transit
7. Threats to business applications
8. Social media & social engineering threats
9. Threats related to removable media
10. Threats related to web hosting, together with SaaS
Building a manageable threat list
Perform the risk assessment
• Measure coverage and effectiveness of controls*
• Determine maturity levels
• Combine self-assessment (HSA, RCSA) with second / third line reviews
• Identify gaps and potential improvements
• Ratings: H, M, L
* Reference frameworks: SANS Top 20 Controls for effective cyber defence, Internal Control framework, ISO 27002, etc.
Identified gaps and
Complement with scenario-based
Developing realistic scenarios around key business services and
Data theft or
Measure & report
• Merge results from both approaches (technical assessment + scenarios)
• Measure the company’s readiness for cyber attacks
• Report Group Risk Profile and entity risk reports
(chart: quarterly reporting, 1st to 4th Qtr)
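The assessment steps above (measuring control coverage and effectiveness, rating each threat H/M/L, identifying control gaps, then merging the control-based results with the scenario-based view into a Group Risk Profile) can be made concrete in a small risk register. The Python below is an added example written for this page, not Euroclear's own tooling; the control ids (CTRL-…), the scoring formula, the H/M/L thresholds, the target maturity level and the sample threats, controls and scenario rating are all assumptions.

```python
"""Toy cyber risk register (added example, not Euroclear's own tooling):
scores threats against mapped controls, rates residual risk H/M/L, lists
control gaps and merges the control-based family profile with scenario ratings.
Control ids, weights, thresholds and sample data are illustrative assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

RATING_ORDER = {"L": 0, "M": 1, "H": 2}

@dataclass(frozen=True)
class Control:
    cid: str              # illustrative id, not a SANS/CIS control number
    name: str
    coverage: float       # share of in-scope assets where deployed, 0..1
    effectiveness: float  # assessed effectiveness where deployed, 0..1
    maturity: int         # 0..5, self-assessment reviewed by 2nd/3rd line

@dataclass(frozen=True)
class Threat:
    tid: str
    family: str                # one of the threat families listed above
    likelihood: int            # inherent likelihood, 1..5
    impact: int                # inherent impact, 1..5
    controls: Tuple[str, ...]  # ids of the controls mitigating this threat

def control_strength(c: Control) -> float:
    """Fraction of a threat's inherent likelihood that one control removes."""
    return c.coverage * c.effectiveness

def residual_score(t: Threat, controls: Dict[str, Control]) -> float:
    """Inherent score (likelihood x impact, 1..25) times the fraction left
    uncovered. Controls are assumed independent, so that fraction is the
    product of (1 - strength); a mapped but unimplemented control removes nothing."""
    uncovered = 1.0
    for cid in t.controls:
        c = controls.get(cid)
        if c is not None:
            uncovered *= 1.0 - control_strength(c)
    return t.likelihood * t.impact * uncovered

def rate(score: float) -> str:
    """Map a residual score to H / M / L (thresholds are an assumption)."""
    return "H" if score >= 12 else "M" if score >= 6 else "L"

def control_gaps(t: Threat, controls: Dict[str, Control], target_maturity: int = 3) -> List[Tuple[str, str]]:
    """Controls the threat relies on that are missing or below target maturity."""
    gaps = []
    for cid in t.controls:
        c = controls.get(cid)
        if c is None:
            gaps.append((cid, "not implemented"))
        elif c.maturity < target_maturity:
            gaps.append((cid, f"maturity {c.maturity} below target {target_maturity}"))
    return gaps

def worse(a: str, b: str) -> str:
    return a if RATING_ORDER[a] >= RATING_ORDER[b] else b

def family_profile(threats: List[Threat], controls: Dict[str, Control]) -> Dict[str, str]:
    """Worst residual rating per family: the control-based view of the risk profile."""
    profile: Dict[str, str] = {}
    for t in threats:
        r = rate(residual_score(t, controls))
        profile[t.family] = worse(profile.get(t.family, "L"), r)
    return profile

def merge_with_scenarios(profile: Dict[str, str], scenarios: Dict[str, str]) -> Dict[str, str]:
    """Keep the worse of the control-based and scenario-based rating per family:
    a scenario can expose an impact the control-by-control view misses."""
    merged = dict(profile)
    for family, r in scenarios.items():
        merged[family] = worse(merged.get(family, "L"), r)
    return merged

# Constructed sample data (illustrative, not a real assessment).
CONTROLS = {c.cid: c for c in [
    Control("CTRL-AWARE", "Security awareness programme", 1.0, 0.3, 3),
    Control("CTRL-MAIL", "E-mail filtering / anti-phishing", 0.9, 0.6, 4),
    Control("CTRL-PATCH", "Vulnerability management and patching", 0.6, 0.7, 2),
    Control("CTRL-IPS", "Network zoning and intrusion prevention", 0.7, 0.5, 3),
    Control("CTRL-AV", "Endpoint malware defences", 0.95, 0.8, 4),
    Control("CTRL-DDOS", "DDoS mitigation service", 0.5, 0.6, 2),
]}  # "CTRL-USB" (removable-media blocking) is mapped below but not implemented

THREATS = [
    Threat("T1", "8. Social media & social engineering", 5, 4, ("CTRL-AWARE", "CTRL-MAIL")),
    Threat("T2", "3. IT systems / servers", 4, 5, ("CTRL-PATCH", "CTRL-IPS")),
    Threat("T3", "9. Removable media", 3, 4, ("CTRL-USB", "CTRL-AV")),
    Threat("T4", "2. IT networks", 4, 3, ("CTRL-DDOS",)),
]
SCENARIOS = {"2. IT networks": "H"}  # scenario workshop: prolonged DDoS on a settlement deadline day

if __name__ == "__main__":
    for t in THREATS:
        s = residual_score(t, CONTROLS)
        print(f"{t.tid} {t.family}: residual {s:.2f} -> {rate(s)}; gaps {control_gaps(t, CONTROLS)}")
    print("Group risk profile:", merge_with_scenarios(family_profile(THREATS, CONTROLS), SCENARIOS))
```

Two things the register makes visible that a list of threats does not: a control that is mapped on paper but never implemented (CTRL-USB here) shows up as a gap even though the endpoint malware control keeps the residual rating low, which is exactly what a second or third line review should challenge; and the scenario merge lifts the IT networks family to H although the control-by-control view only reaches M, because a prolonged DDoS on a settlement deadline day carries an impact no single control rating captures.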
Response strategies
• Patching, zoning, data
• Detection: IPS, …
• Identified gaps & potential improvements
• Integration into the company’s crisis management
• The company’s corporate response plans:
► Technical response and
► Communication to all audiences & stakeholders (clients, business counterparties, internal staff, regulators, …)
• Security incident simulation and testing
Cyber response plan (extract)
Monitoring and incident management
• Assess criticality, escalate and appoint a coordinator
• Convene the X-Silver or local Silver team and inform GOLD
• Activate the crisis meeting (follow CM guidelines):
- Assign chair / review team composition
- Start a log of actions
• Perform situation briefing
INITIAL IMPACT ASSESSMENT
Get an initial situational appraisal from IT:
(1) What has happened?
(2) Where? What are the entities / business services (potentially) impacted?
(3) When was it discovered?
(4) What is the impact? Will it get worse, and how?
(5) What have we done to deal with it? Who is involved?
(6) What decisions / actions need to be taken?
• Reference: crisis report format
• Depending on the initial appraisal, what is the strategic intent? “Take such actions as to protect staff, business operations and safeguard our reputation”
• Assess (potential) business impact: services unavailability, …
• Identify upcoming deadlines
• What BCPs are available?
• Notify the insurer? Emergency number of the ‘CyberEdge’ policy
• Activate the X-Silver team (if not yet done) and ensure that other local Silver teams are activated
A few challenges
• Monitoring the threats to adapt strategies to their rapid evolution:
► Finding your way through multiple information sources
► Prioritising investments (defensive vs reactive)
• Capturing potential impacts and activating responses in time
• Adapting business continuity & recovery plans to manage conflicting objectives:
► Demanding Recovery Time Objectives (restart as soon as possible) are sometimes in contradiction with the technical response and the time needed to resolve
► Minimising the business impact will potentially conflict with the objective of protecting the company’s business and reputation (e.g. isolating, closing communication
► Maintaining channels of communication with key stakeholders
• Finally, cyber threats also present many challenges for national and international regulators (adapting their frameworks, legislation, cross-border cooperation…)
Main learnings and conclusions
• The risk framework needs to be adapted to better capture and report on cyber-related risks (threats, controls and measurement)
• Operational Risk Managers have an important role to play in cyber risks
• Business engagement is essential!
► To understand the business impact of the threats and prioritise your
► To support your awareness campaign (tone from the top)
• Monitor threats, as they are constantly moving, and regularly re-assess your protection and your business continuity strategy.
• Your turn will come whatever the strength of your defences, so getting ready and testing is crucial.