Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Cyber and Operational Risk: Building Cyber Resilience

2,420 views

Published on

Managing operational risk and cyber risk means getting certain things right. Resilience is high on the list, but what other priorities can firms address? See www.accenture.com/CyberRisk for more.

Published in: Technology
  • Be the first to comment

Cyber and Operational Risk: Building Cyber Resilience

  1. 1. RiskMinds Operational Risk: Building Cyber Resilience
  2. 2. Copyright © 2015 Accenture All rights reserved. 2 • People are often the weakest link – employees, vendors, customers • Attacks span the traditional defenses – physical security, manipulation of staff, fraud, application security, malware • Digital assets create more entry points • It is not a matter of IF but to WHAT EXTENT you are compromised Building Cyber Resilience We have heard from multiple #RiskMind2015 presentations that this is a growing problem
  3. 3. Copyright © 2015 Accenture All rights reserved. 3 Global Regulatory Landscape The Regulatory Landscape is changing rapidly to address these concerns. (FFIEC) Pilot Cybersecurity Assessment (FINRA) Equities Trading Initiatives and Securities trader Registration Q4 2014 Q1-3 2015 Q4 2015 2016 (SEC) Cyber Exams, Issues Risk Alert (FFIEC) Cybersecurity Assessment Tool (CFTC) Cybersecurity Requirements (Fed) Cybersecurity Information Sharing Act (SG CSA) National Cyber Security Masterplan 2018 (SEC) IM Cybersecurity Guidelines Future/Proposed Rules Current Rules (NIST) Cybersecurity Framework Q3 2014 2016 (CFTC) High Speed Trading Rules (SEC) High Frequency Trading Rules (HKMA) Cybersecurity Risk Management Circular (BoE) CBEST Vulnerability Testing Framework Source: Accenture analysis based upon publicly available data.
  4. 4. Copyright © 2015 Accenture All rights reserved. 4 1. Training and Risk Culture – Taking your unique organization and infusing the right cyber risk behaviors 2. Controls – Where are the weak points – build robust set of controls across operations, business and IT 3. Measurement with a Purpose – What is going on without you knowing it – creating metrics which expose the risks 4. Operating Model – How do you work with the rest of the organization - assigning clear lines of accountability and ownership 5. Resilience – At some point it will go wrong, be prepared The Top 5 Priorities to Get Right We will discuss 5 priorities and determine as a group if these are the top priorities
  5. 5. Priority #1 – Training and Culture
  6. 6. Copyright © 2015 Accenture All rights reserved. 6 Cyber Risk Culture View of the Organization How does your organization’s culture span these quadrants? High Sociability Low Sociability High SolidarityLow Solidarity Networked Cohesive Fragmented Task Masters The “Investment Bank” The “Outsourced” Bank” The M&A growth “Regional Bank” The Organic growth “Retail Bank” Influence of relationships Influence of the “drive” to meet common goals
  7. 7. Copyright © 2015 Accenture All rights reserved. 7 • Dynamic • Ideas flow freely • Metrics driven • Centralized Cyber Function • Decompose and define approaches • No single solution • Identify problem segments High Sociability Low Sociability High Solidarity Low Solidarity Networked Cohesive Fragmented Task Masters The “Investment Bank” The “Outsourced” Bank” The M&A growth “Regional Bank” The Organic growth “Retail Bank” Influence of relationships Influence of the “drive” to meet common goals Training and Culture Cultural View of the Organization How does your organization’s culture span these quadrants? • Consensus driven • Proud of brand • Emulate role models • Tone from the top • Individual accountability • Incentives distort risk and culture • Based on strong controls • Clear metrics
  8. 8. Copyright © 2015 Accenture All rights reserved. 8 Cyber Risk Pulse Check A highly engaging and dynamic diagnostic that rapidly assesses employee understanding of Cyber Security best practices and provides data-driven insights and benchmarking for your firm. E N G A G E M O T I V A T E A N A L Y Z E Designed with advanced learning methods and game mechanics to create an immersive experience First ever NYSE benchmark on Cyber Security that will allow for comparative analysis against cross-industry participants Dynamic diagnostic environment that highlights the critical importance of Cyber Security, driving behavioral and cultural change http://pages.s6.exacttarget.com/page.aspx?QS=c76003443ff9837d 8ef9974a19a99cfa5f994776888b6bfc6115f9e9e82e4c33&campaig n=701E0000000xb2E NYSE
  9. 9. Priority #2 – Controls
  10. 10. Copyright © 2015 Accenture All rights reserved. 10 Controls (Cyber Risk Enhancements Requirements) Traditional control frameworks evaluate effectiveness through an operational risk approach focused on residual risk. 1. Business / IT Process 2. Risk Identification and Inherent Risk 3. Control Identification and Rating Impact Frequency | Severity Risk Type 4. Residual Risk Scoring Process Control Effectiveness Attributes Key, Type Control Layer Business Domains Scorecard Dependencies Applications Cyber Scenarios and Trigger Events Active | Passive Risk New FocusRenewed focus Key Risk Indicators Target Residual Risk Value Control Assessment Types Risk Control Self Assessment | Third Party | Applications | Infrastructure | Regulatory
  11. 11. Copyright © 2015 Accenture All rights reserved. 11 Scenario: • Disgruntled employee with access to customer data • Employee working during non-working hours • Downloading of files which vary from peer group • It is month end and high IT usage is expected Example Controls Use case: Identifying insider threats based upon system and physical access to firm-wide assets with privacy data. Controls to Mitigate: • Security – Abnormal physical access records vs normal patterns • HR –Poor recent performance from supervisors, LinkedIn® resume updated • IT – Alerts with network, server or database patterns which are historically misaligned to normal business operations • Business – Correlate data usage by peer group for high impact activities related to reporting/extracts • IT – Abort or suspend reporting when thresholds are reached for exporting or querying data C1 C2 C3 C4 C5 Risk Score: 68/100 67/100 35/100 75/100 45/100 Investigate
  12. 12. Priority #3 – Measurement with a Purpose
  13. 13. Copyright © 2015 Accenture All rights reserved. 13 Measurement with a Purpose Common categories to consider for Cyber Risk Reporting 1. Board Level Reporting 2. IT Risks 3. Operational 4. Advanced Analytics Infrastructure Third Parties SoftwareInternal Employee Training Data Loss Prevention Employee Monitoring External Vulnerabilities Surveillance Funding Risk/Reward Decisions IT Operations Fraud Target Residual Risk Access Management Physical SecurityHigh Crimes and Investigation New FocusRenewed focus
  14. 14. Priority #4 – Operating Model
  15. 15. Copyright © 2015 Accenture All rights reserved. 15 Embed the first line of defense within technology organization. Create a centralized office with technology control officers across business lines which just focus upon IT. Cyber Risk Operating Models An operating model defines the organization’s accountability for doing the work, supporting the right decisions and measuring effectiveness. Centralize an entire department as 2nd line of defense with examinations across the lines of business. Build highly specialized team and track similar to compliance function. Policy setting organization and influencer similar to data and privacy. Develop risk frameworks around IT, data integrity, and operations and run as 2nd line of defense. Create an enterprise-wide risk function dedicated to identify, measure and respond to threats. Option 1 – Dedicated Function Option 0 – IT Centric Option 2 – Cyber Czar Option 3 – Risk Led
  16. 16. Copyright © 2015 Accenture All rights reserved. 16 Operating Model Analysis Each option should consider the tradeoffs with the firm’s ability to Prevent and Detect Threats. Efficiency Ability to Prevent and Detect Threats Low High High Option 0 – IT Centric Option 1 – Dedicated Function Option 2 – Cyber Czar Option 3 – Risk Led
  17. 17. Copyright © 2015 Accenture All rights reserved. 17 Operating Model Analysis Each option should consider the tradeoffs with the firm’s ability to Prevent and Detect Threats. Ability to Prevent and Detect Threats Low High High ValuetoCustomer Option 0 – IT Centric Option 1 – Dedicated FunctionOption 2 – Cyber Czar Option 3 – Risk Led
  18. 18. Copyright © 2015 Accenture All rights reserved. 18 Operating Model Analysis Each option should consider the tradeoffs with the firm’s ability to Prevent and Detect Threats. Ability to Prevent and Detect Threats Low High High SpeedtoExecute Option 0 – IT Centric Option 1 – Dedicated Function Option 2 – Cyber Czar Option 3 – Risk Led
  19. 19. Priority #5 – Resilience
  20. 20. Copyright © 2015 Accenture All rights reserved. 20 A Comprehensive Approach Helps Protect the Full Breadth of Entry Points and Operations which Underpin Financial Services Organizations Detect IdentifyRespond Prevent Detection and Identification – Tools and metrics to identify and log aspects to manage operations Operational Monitoring – Aligning the tools to identify and detect threats along with their escalation and oversight Event Response Plan – Structure to identify and manage action plans Business and IT Controls – Oversight of the controls and their testing programs and how to leverage COBIT®, ISA, ISO/IEC, NIST controls Operating Model – Specifying the structure with people, organization, roles, tools and processes to govern Crisis Management – Structure to manage incidents and notify impacted parties Risk Events - Scenarios which can impact the organization specific to Cyber threats Risk Identification – Aggregated set of typical risk associated with Cyber Risk How do we respond? What is the impact? How do we organize? How do we monitor?
  21. 21. Copyright © 2015 Accenture All rights reserved. 21 Resilience The ability to operate the business processes in normal and adverse scenarios without adverse outcomes Intgerated: Identify,Prevent,Detect Response: Everyscenario
  22. 22. Glossary CBEST: Bank of England vulnerability testing framework CFTC: U.S. Commodity Futures Trading Commission COBIT: Control Objectives for Information and Related Technology. COBIT® is a trademark of ISACA® registered in the United States and other countries. IEC: International Electrotechnical Commission ISA: Information Society of Automation ISO: International Organization for Standardization Fed: Federal Reserve System FFIEC: Federal Financial Institutions Examination Council FINRA: Financial Industry Regulatory Authority HKMA: Hong Kong Monetary Authority NIST: National Institute of Standards and Technology SEC: Securities and Exchange Commission SG CA: Cyber Security Agency of Singapore
  23. 23. RiskMinds Operational Risk: Building Cyber Resilience Disclaimer: This presentation is intended for general informational purposes only and does not take into account the reader’s specific circumstances, and may not reflect the most current developments. Accenture disclaims, to the fullest extent permitted by applicable law, any and all liability for the accuracy and completeness of the information in this presentation and for any acts or omissions made based on such information. Accenture does not provide legal, regulatory, audit, or tax advice. Readers are responsible for obtaining such advice from their own legal counsel or other licensed professionals. About Accenture Accenture is a leading global professional services company, providing a broad range of services and solutions in strategy, consulting, digital, technology and operations. Combining unmatched experience and specialized skills across more than 40 industries and all business functions—underpinned by the world’s largest delivery network—Accenture works at the intersection of business and technology to help clients improve their performance and create sustainable value for their stakeholders. With more than 358,000 people serving clients in more than 120 countries, Accenture drives innovation to improve the way the world works and lives. Visit us at www.accenture.com Accenture, its logo, and High Performance Delivered are trademarks of Accenture. Rights to trademarks referenced herein, other than Accenture trademarks, belong to their respective owners. We disclaim proprietary interest in the marks and names of others.
  24. 24. Learn more about cyber risk and resilience: www.accenture.com/CyberRisk

×