Risk management is an inherent component of any financial institution's business operations, whether it be market risk, credit risk, or reputational risk. Cyber attacks are a rapidly growing threat that can affect those other risks, said Thomas Sanzone, executive vice president at Booz Allen Hamilton, at a webinar on the topic presented jointly by his firm and the Financial Services Information Sharing and Analysis Center (FS-ISAC). Sanzone leads the firm’s commercial financial services business. During the webcast, he emphasized that many financial services companies don’t prioritize cyber risk as high on the scale as they should. “In an average financial institution they’re looking at risk as market risk, credit risk, and operational risk--and the cyber risk can affect all three, and that’s not as well understood as it could be,” he said.
The companies that are effectively tackling the cyber challenge head-on view the problem not as an IT issue but “as a systemic risk and challenge to their business operations,” said Sedar Labarre, a cybersecurity consultant at Booz Allen Hamilton who works with clients in the financial services industry.
Chief information security officers (CISOs) are being relied upon in organizations to help executive management better understand cyber risks, but the way in which their role is built into an organization isn’t necessarily conducive to those critical conversations, said Labarre. He said that in order to tackle the cyber challenge, companies must challenge the way they’ve traditionally thought of CISOs and the value they bring to an organization.
“It requires a change in the traditional role and characteristics of the CISO. The CISOs need to be put in a position where they’re effectively empowered to do their job,” he said. “We are seeing a few organizations that are actually embracing that evolution and taking it a bit farther, and actually having the CISO [at a level with] the CIO, creating almost if you will a check and balance between the decision making and the risk management around how they’re doing operations.”
Sanzone echoed Labarre’s point, indicating that institutions with effective cyber risk policies and frameworks are involving the CISOs at the highest levels. “At a very minimum, they’re going to have to be in a position to present the subject matter to those executives both at the board and the executive committee level on a frequent basis,” he said. “In fact, many of the CISOs I talk to are a constant agenda item on those teams.”
Sanzone noted that speaking to the C-level executives in a language they can understand is key for CISO’s in communicating the cyber threat and the potential damage an event could cause. “Articulate the risk in their terms. So if you’re talking to a head of trading, or wealth management, or [credit] cards, talk in terms of the way in which they manage their business and how they view risk. Tying the cyber risk to the way they manage risk in their business directly, and then importantly quantifying it,” said Sanzone. “The more we can quantify business impact, whether it’s from a market perspective or a credit perspective, to a business head, the more they’ll understand and the more they’ll get their arms around it.”
The speakers noted that the responsibility in guarding against cyber risk does not stop with the CISO or executive management. Labarre also emphasized that organizations must align their business practices with the cyber risk management policies. “The reliance of the business on the IT functions dictates now that it’s a senior business decision,” he said. “It’s about running a business; it’s about making informed decisions about cyber risks in consideration of the business...We need to have an understanding of what’s important to the business first and foremost, and use that to drive our cyber decisions."