Given Treasury’s central role in sustaining a bank’s financial stability and security – and the fact that all parts of the bank come to it for knowledge and advice – the department needs a working knowledge of this rising new category in the bank’s risk register.
The starting point for Treasury is to recognise that the responsibility for deflecting cyberattacks can no longer be delegated solely to the IT department. If defending against these attacks merely required investment in technology, banks would have already completed it. In fact, many have invested millions in technology in their attempts to prevent cyberattacks, yet more often than not their exposure to cyber risk has only increased.
The truth is that banks cannot and will never be able to prevent cyberattacks completely. As former Federal Bureau of Investigation (FBI) director Robert Mueller has said: “I am convinced there are only two types of companies: those that have been hacked and those that will be.”
This is partly because technology advances so quickly that IT defences are continually playing catch-up, but also reflects the fact that IT is just one of five areas of cyber vulnerability. The other four are people, processes, culture and third parties, which is why the responsibility for cyber risk now falls squarely under the auspices of boards and executive teams.
As the Hong Kong Monetary Authority (HKMA) declared on 15 September: “The board and senior management are expected to play a proactive role in ensuring effective cybersecurity management.”
This does not mean the chief financial officer (CFO) and Treasury need to become technology experts. Board and executive-level discussions about cyber risk should not include reports of viruses, firewalls, worms and Trojans. Directors and executives often don’t understand risks in the context of these terms – nor do they need to. As with any other enterprise risk, the conversation needs to focus on risk tolerance, metrics, exposures, remediation and governance frameworks.
Cyber risk tolerance
The challenge with setting risk tolerance for cyber is that banks have traditionally wanted to take a zero-risk position, but, as the FBI and regulators acknowledge, that attitude is simply not realistic. Banks need to decide the right level of risk tolerance that the organisation can accept.
In deciding this level, benchmarking maturity is a fundamental issue. Clearly, banks don’t want to be worst-in-class for cybersecurity, because this will expose them to the hacking community, but they should also realise that there is often no discernible advantage to being best-in-class either. If a bank’s cybersecurity is too aggressive, it can impact the customer experience, lengthen time to market or increase the cost of enablement and support.
Recognising this, leading banks are re-balancing the equation to make cyber risk controls an enabler of customer digital adoption. In doing so, they are:
• Working with the regulator to better understand the balance between innovation and risk.
• Defining the bank’s risk tolerance level and building controls above this line.
• Streamlining customer access: managing transaction risk “behind the scenes” and, for example, only enforcing additional customer authentication for higher-risk scenarios.
Cyber risk metrics
Developing a strategic approach that roots cyber risk in the real world of a bank’s business requires robust metrics. Traditionally, banks have used purely qualitative measures (such as brand value and competitive impact) around cyber – with no empirical evidence to suggest whether their vast cybersecurity investment is being spent wisely.
However, in the past 12 months, a blend of cyber competencies and actuarial modelling has emerged that can put hard figures around the financial impact of cyber risk. Banks can increasingly quantify the direct financial loss of cash and the costs of incident triage and regulatory sanctions. This means it’s now possible to determine whether a bank is spending an appropriate amount on cybersecurity, based on its risk profile – and to see how that spend could be adjusted by flexing the profile.
Cyber risk governance
Managing and governing cyber risk requires controls across all five areas of the bank’s vulnerability: technology, people, processes, culture and third parties. For many banks, this means rebalancing their cyber risk investment model. Traditionally, banks have spent most of their cyber risk budget in the technology domain on prevention; today a large proportion of this budget needs to be repurposed to also address:
• Detection: to immediately identify the attacks that get through defences.
• Containment: to ensure, for example, that a breach in one online banking channel doesn’t infect or impact transactions on other channels.
• Incident response: putting in place a mature framework for an enterprise-level response (covering the board, executive, legal, risk, investor relations and media relations, as well as IT) that regulators expect to be tested under different scenarios throughout the year.