What Treasury needs to know about cyber risk

Given Treasury’s central role in sustaining a bank’s financial stability and security – and the fact that all parts of the bank come to it for knowledge and advice – the department needs a working knowledge of this rising new category in the bank’s risk register.

The starting point for Treasury is to recognise that the responsibility for deflecting cyberattacks can no longer be deferred just to the IT department. If defending against these attacks merely required investment in technology, banks would have already completed it. In fact many have invested millions in technology in their attempts to prevent cyberattacks, yet more often than not their exposure to cyber risk has only increased.

The truth is that banks cannot and will never be able to prevent cyberattacks completely. As former Federal Bureau of Investigations (FBI) director, Robert Mueller, has said: “I am convinced there are only two types of companies; those that have been hacked and those that will be.”

This is partly because technology advances so quickly that IT defences are continually playing catch-up, but also reflects the fact that IT is just one of five areas of cyber vulnerability. The other four are people, processes, culture and third parties, which is why the responsibility for cyber risk now falls squarely under the auspices of boards and executive teams.

As the Hong Kong Monetary Authority (HKMA) declared on 15 September: “The board and senior management are expected to play a proactive role in ensuring effective cybersecurity management.”

This does not mean the chief financial officer (CFO) and Treasury need to become technology experts. Board and executive-level discussions about cyber risk should not include reports of viruses, firewalls, worms and Trojans. Directors and executives often don’t understand risks in the context of these terms – nor do they need to. Like any other enterprise risk, the conversation needs to focus on risk tolerance, metrics, exposures, remediation and governance frameworks.

Cyber risk tolerance

The challenge with setting risk tolerance for cyber is that banks have traditionally wanted to take a zero-risk position, but, as the FBI and regulators acknowledge, that attitude’s simply not realistic. Banks need to decide the right level of risk tolerance that the organisation can accept.

In deciding this level, benchmarking maturity is a fundamental issue. Clearly, banks don’t want to be worst-in-class for cybersecurity because this will expose them to the hacking community but they should also realise that there is often no discernable advantage to being best-in-class either. If a bank’s cybersecurity is too aggressive, it can impact the customer experience, lengthen time to market or increase the cost of enablement and support.

Recognising this, leading banks are re-balancing the equation to make cyber risk controls an enabler of customer digital adoption. In doing so, they are:

• Working with the regulator to better understand the balance between innovation and risk.
• Defining the bank’s risk tolerance level and building controls above this line.
• Streamlining customer access: managing transaction risk “behind the scenes” and, for example, only enforcing additional customer authentication for higher-risk scenarios.

Cyber risk metrics

Developing a strategic approach that roots cyber risk in the real world of a bank’s business requires robust metrics. Traditionally, banks have used purely qualitative measures (such as brand value and competitive impact) around cyber – with no empirical evidence to suggest whether their vast cybersecurity investment is being spent wisely.

However, in the past 12 months, a blend of cyber competencies and actuarial modeling has emerged that can put hard figures around the financial impact of financial risk. Banks can increasingly quantify the direct financial loss of cash and the costs of incident triage and regulatory sanctions. This means it’s now possible to determine whether a bank is spending an appropriate amount on cybersecurity, based on its risk profile – and to see how that spend could be adjusted by flexing the profile.

Cyber risk governance

Managing and governing cyber risk requires controls across all five areas of the bank’s vulnerability: technology, people, processes, culture and third parties. For many banks, this means rebalancing their cyber risk investment model. Traditionally banks have spent most of their cyber risk budget in the technology domain on prevention; today a large proportion of this budget needs to be repurposed to also address:
• Detection: to immediately identify the attacks that get through defences.
• Containment: to ensure, for example, that a breach in one online banking channel doesn’t infect or impact transactions on other channels.
• Incident response: putting in place a mature framework for an enterprise-level response (covering the board, executive, legal, risk, investor relations and media relations, as well as IT) that regulators expect to be tested under different scenarios, throughout the year


Related reading