FFIEC Cybersecurity Assessment Tool is a collaboration between FDIC, OCC, FRB, CFPB, NCUA & SLC
What training programs are working? What is not working?
What are some of the common training principles which are most effective?
What role has culture played in the formulation of an overall strategy?
What are the nuances of your culture which present challenges?
Sociability: How well people get on socially Solidarity: Goal orientation and team performance Four Cultures Networked (high on people focus, low and task focus) Communal (high people and high task) Mercenary (low people, high task) Fragmented (low people, low task) The model will predicting the success with which structured approaches to manage risk are implemented in an organization. In general low scores in sociability and solidarity create a barrier to implement effective management of risk As an example a Networked organization (high levels of social interactions and low tolerance for rules and procedures) would respond better by participating in a cyber risk workshop to facilitate change versus a Mercenary culture that would accept any changes more easily as getting the task done is more important than the addressing the people needs. The key is to understand the current culture and worked with that culture to facilitate change. All of the cultures has a upside and downside as it relates to managing cyber risk however research indicates that organizations should seek to strengthen both their sociability and Solidarity rating in order to implement risk management more effectively.
Training and Risk CultureWhat is required regardless of Quadrant?
Curriculum Alignment to Corporate Standards across compliance, privacy & IT Refresh content but align to long term curriculum Assess high-risk areas Do not create “Check-in-the-box” Make it easy for people to understand “who to contact”
Experience & Tracking
Make learning fun Promote good practices by recognizing star performers, departments or “whistle-blowers” Track adherence across employees and third parties Invest in third parties and partners to understand their practices and commitment to your organization Send fake “phishing emails” to see if they are reported
What aspects of your control framework are you adapting for Cyber Risk?
How do you place value on risks and the cost to mitigate a control?
How do you articulate business value and prioritize against residual risk?
Are residual risk modelling the prevailing approach for Cyber Risk?
Do you intend to leverage RCSA or are their other assessments which are becoming more relevant?
How have the measurement techniques evolved?
What are challenges with your transformation?
How would you prioritize measurement initiatives within your bank?
Where is your organization on the journey of Cyber Risk operating model?
Which option are most closely aligned today and where are you going? What are the key barriers to overcome your selected option? Where there any options which your team feels would be more appropriate?
Option 0 – Do nothing, embedded with IT Option 1- How compliance is organized, dec
Are you actively conducting Resiliency Management Exercises?
What lessons have you learned from actual attacks or events?
Cyber and Operational Risk: Building Cyber Resilience
Building Cyber Resilience
CBEST: Bank of England vulnerability testing framework
CFTC: U.S. Commodity Futures Trading Commission
COBIT: Control Objectives for Information and Related Technology. COBIT® is a trademark of
ISACA® registered in the United States and other countries.
IEC: International Electrotechnical Commission
ISA: Information Society of Automation
ISO: International Organization for Standardization
Fed: Federal Reserve System
FFIEC: Federal Financial Institutions Examination Council
FINRA: Financial Industry Regulatory Authority
HKMA: Hong Kong Monetary Authority
NIST: National Institute of Standards and Technology
SEC: Securities and Exchange Commission
SG CA: Cyber Security Agency of Singapore
RiskMinds Operational Risk:
Building Cyber Resilience
This presentation is intended for general informational purposes only and does not take into account the
reader’s specific circumstances, and may not reflect the most current developments. Accenture disclaims,
to the fullest extent permitted by applicable law, any and all liability for the accuracy and completeness of
the information in this presentation and for any acts or omissions made based on such
information. Accenture does not provide legal, regulatory, audit, or tax advice. Readers are responsible
for obtaining such advice from their own legal counsel or other licensed professionals.
Accenture is a leading global professional services company, providing a broad range of services and
solutions in strategy, consulting, digital, technology and operations. Combining unmatched experience and
specialized skills across more than 40 industries and all business functions—underpinned by the world’s
largest delivery network—Accenture works at the intersection of business and technology to help clients
improve their performance and create sustainable value for their stakeholders. With more than 358,000
people serving clients in more than 120 countries, Accenture drives innovation to improve the way the
world works and lives. Visit us at www.accenture.com
Accenture, its logo, and High Performance Delivered are trademarks of Accenture.
Rights to trademarks referenced herein, other than Accenture trademarks, belong to their respective
owners. We disclaim proprietary interest in the marks and names of others.
Learn more about cyber risk and resilience: