This document discusses the growing threat of cyber attacks and the need for organizations to build cyber resilience. It notes that financial institutions in particular may have become distracted from cyber risks in recent years. The key issues outlined are that cyber attacks represent an undeclared war, failures can be silent, risk is challenging to analyze, and cyber risk is systemic. It defines cyber resistance as having secure design, mature controls, good risk decisions and other practices, while cyber resilience relies more on situational awareness, technical agility, and organizational readiness to solve problems. Building successful cyber programs requires addressing all of these aspects through specialist practices and developing capabilities ahead of standards.

1. Cyber Resilience:
Managing Cyber Shocks
Phil Huggins

2. Why are we worrying about Cyber attacks?
2
“The focus on credit, market and liquidity risk over the last
five years may have distracted attention from operational,
and in particular cyber risks, among financial institutions
and infrastructures. This is a rapidly rising area of risk with
potentially systemic implications.” Andrew Haldane, Bank of
England, 2013
“Current preventative and disaster recovery measures may
not be able to stand up against a large-scale and co-
ordinated attack” IOSCO, 2013
“DTCC expects cyber-attacks to escalate and become more
sophisticated in the future.” DTCC, 2013

3. Why are we worrying about Cyber attacks?
3
Digital
Growth
Organisations are currently under attack.
Those attacks have either succeeded or will succeed.
What remains in question is:
• Understanding your adversaries – preparation for the attack
• Ability to identify that attack early – situational awareness
• Understanding your critical assets – the damage the attack will cause
• Ability to withstand that damage – the ability to re-establish normal operations
DamageCaused
Probability of Attack
Core
Asset
Damage
Serious
Disruption
Major
Theft
Data
Breach
Institutional
Impact

4. What are the key issues?
4
• There is an undeclared war in cyber space
• Cyber failure is silent
• Risk analysis and modelling is deeply challenging
• Cyber risk is systemic
• Many firms are below the “cyber poverty line”
• Effective practices are developing faster than standards

5. What is Cyber Resistance?
5
Consciously
Secure
DesignMature
Controls
Environment
Good
Cyber Risk
Decisions Cyber
Threat
Hunting
Experiential
Learning &
Threat
Simulation
Cyber
Resistance
Situational
Awareness
Technical
Agility
&
Adaption

6. What is Cyber Resilience?
6
Security Initiative
& Problem Solving
Pace of
Decision
Making
Diversity
of Cyber
Capacity
Organisational
Readiness &
Business Problem
Solving
Cyber
Resilience
Situational
Awareness
Technical
Agility
&
Adaption

7. Key ingredients in a successful cyber programme
7
Consciously
Secure Design
Mature Controls
Environment
Good Cyber
Risk Decisions
Cyber Threat
Hunting
Experiential
Learning &
Threat
Simulation
Security Initiative &
Problem Solving
Pace of
Decision
Making
Diversity
of Cyber
Capacity
Organisational
Readiness & Business
Problem Solving
Cyber
Resistance
Cyber
Resilience
Situational
Awareness
Technical Agility
& Adaption
Specialist cyber practices
Developing ahead of standards
Organisational capabilities
Cannot be driven from security

8. Key characteristics of successful cyber programmes
8
• Effectiveness – of the management of the risk
• Appropriateness – to the risks the firm faces
• Proportionality – to the scale and the margins of the firm
• Feasibility – Of planned improvements in terms of
timescales and the capability the firm currently has

9. Key takeaway
9
“Cyber is not a minority sport for technologists only.”
Andrew Gracie, Bank of England, 2015

10. strozfriedberg.com
THANK YOU
Phil Huggins, Vice President
phuggins@strozfriedberg.com
T: +44 207 061 2299
©2015 Stroz Friedberg. All rights reserved.