By Lorraine Toland, Business Development Representative, AQMetrics
Cybersecurity threats are now high on the list of risk mitigation priorities for most firms and institutions – and if not, then they certainly should be. In addition to the reputational damage an attack can cause your firm, it is now widely recognised that attacks can also wreak serious financial damage, which in turn can negatively impact your investors and shareholders. Furthermore, cybersecurity must now be viewed in relation to all other operational risks. Yet despite the consequences of cybersecurity breaches and the growing regulatory impetus to consistently monitor and evaluate risk management processes and to have a holistic risk register in place, this is not yet ingrained in the culture of most firms. But change may well be on the horizon.
The Central Bank of Ireland (CBI) recently highlighted the need for most firms to radically improve their approach to risk monitoring. Since 2015, the CBI has been carrying out onsite thematic and targeted inspections of various firms’ cybersecurity provisions. The concerning issue it has uncovered is that the risk registers in most institutions are completely outdated, of poor quality and still being updated manually, i.e. on spreadsheets. In addition, it believes that firms shouldn’t be monitoring cybersecurity in isolation but should instead view it in the context of their wider IT security, business continuity planning and risk management strategies.
The CBI’s findings provide a timely warning to the industry in general, particularly in light of recent high-profile failures and the increasing emphasis from global regulators that firms must adequately monitor all risks. Most regulators and inspectors, for example, require all staff – including board members and non-executive directors – to be aware of what is in their risk registers. It is also important to know that your firm would be required to provide regulators with all necessary documents, which may include your meeting minutes, system logs, user access logs, policies and procedures etc. Yet as the CBI discovered, there is often a noticeable lack of technical knowledge, particularly at board level. To remedy this, the CBI suggests having best practice workshops to strengthen the technical awareness of your board members.
Standardised and understandable
In addition, when you are initially capturing your operational risk data it is vital to ensure that this information is captured consistently across your whole organisation. This then radically simplifies the process of aggregating all your risk information from across different departments, or even different groups. But instead we still find many firms are trying to manually aggregate large volumes of data from a variety of different spreadsheets in different formats, then trying to formulate this into a meaningful report.
But how can your firm achieve consistent data capture efficiently and ensure it can provide meaningful insights into your risk exposure? To this end, the National Institute of Standards and Technology (NIST) has produced a recommended framework and methodology, consisting of five requirements for firms to use in their cybersecurity processes. This is intended to provide a common language for understanding, managing, and expressing cybersecurity risk, both internally and externally. The five core functions are:
- Identify: Develop the organisational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
- Protect: Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
- Detect: Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
- Respond: Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.
- Recover: Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.
Weight of responsibility
These five requirements can be used to help identify your governance procedures, formulate a risk management strategy and then run formal in-house risk assessments to review your risk register and how successfully your data is being recorded on an ongoing basis. Having an automated, fully auditable risk register will further strengthen this process. For example, AQMetrics offers a single cloud-based platform which enables firms to capture their risk in a consistent and controlled way across their whole organisation. It also provides full auditability, playback capability and all workflows from a single platform, so everything is in one place.
Ultimately, being able to effectively monitor all risk across the board is now vital: from market and credit risk through to business continuity planning (BCP) and third-party vendor risk. With upcoming regulatory changes, such as the implementation of the General Data Protection Regulation (GDPR) next year, having a holistic view of all your risks is also beneficial for demonstrating to regulatory bodies that your firm is indeed meeting its requirements. In addition, it provides an additional level of comfort for your investors that not only are you capturing all of your risk, but you are in fact ten steps ahead. Of course, some firms opt to outsource much of this risk capture to third parties instead, but this can often create additional, unintended risk. You can outsource your risk but not the responsibility – the onus remains on your firm to ensure you have an adequate risk register in place and that risk mitigation is truly an ingrained part of your business culture.