In March, PRMIA partnered with S&P Global Market Intelligence and the European Risk Management Council (ERMC) in London to deliver a unique C-Suite initiative -- “Tech Risk and Cyber Risk - Seeing the Unseen,” a virtual roundtable conference discussion with CROs from London and New York.
As operational risk undergoes a significant maturation phase, with specific risks such as Tech risk and Cyber now attracting singular focus from Boards and Regulators alike, this topic commanded great interest from the CRO population. The interplay between Cyber and Tech risk and the need for senior risk practitioners to have greater sight of these new risks and approaches were the underlying themes of the discussion. This innovative event was moderated simultaneously in London by Michael Imeson, Senior Content Editor, Financial Times Live, and in New York by Marc Barrachin, Managing Director, Product Research and Innovation, Risk Services, S&P Global Market Intelligence.
Ten CROs in London and ten in New York were invited to the 90-minute event. These guests represented a cross section of the financial services sector on both sides of the Atlantic, from banks to insurance companies, from asset managers to challenger institutions.
In his introduction to the conference, Evgueni Ivantsov, Chair of the ERMC, shared the startling results from a recent Economist survey of 500 crises indicating that 57% of them were related to cyber-attack. Moreover, the World Economic Forum’s annual report on risks for 2017 now has data fraud and theft in its top five global risks.
The meeting continued with comments from Dr. Alastair MacWillson, a Senior Advisor on Cyber Security at Parker Fitzgerald. Based on his work with the Bank of England’s CBEST framework and the U.S. government’s Cyber Storm program, Dr. MacWillson was able to give a transatlantic overview and comparison of where each regulator stands in its cyber oversight of financial institutions. CBEST (cybersecurity best practices), for example, is now used by the 40 most important banks and financial institutions in the U.K. to test their cyber resilience. The U.S. does not currently have this framework in place. Dr. MacWillson continued with recent report findings that have proven there is an infinite variety of what can go wrong in this technology space, and so CROs cannot predict where failures will occur. This is largely due to the massive scale and complexity of IT systems in each bank and the processes that link them. It is also a function of the speed of change of this threat. Cyber is a mutating threat that constantly morphs into the unexpected. And how does a CRO measure this uncertainty, let alone manage it?
Further discussion among the CROs focused on this challenge of managing cyber risks while maintaining your institution’s technological competitive advantage. How does a CRO influence the balance of innovation and protection? Does outsourcing technology increase the risk or reduce it? How do we ensure we are meeting our clients’ technology needs without overreaching on our safeguards?
After much discussion, the group concluded the following:
- Cyber risk and technology risk are mutating risks, making issues difficult to identify, anticipate or measure.
- They mutate at speed, globally, and through our networks, which makes their management very difficult.
- History provides no real guidelines in predicting what can go wrong. We must run scenarios on what really might go wrong that would seriously impair or kill the business.
- One CRO challenge is that he/she does not have or own all the data. The CIO or other business areas may own some of it.
- About 30% of a CRO’s time is currently spent on cyber and tech risk issues.
- When looking at the enormity of the task of cyber security, it is vital to understand where your organization’s “crown jewels” reside.
- Just like bank robbers, cyber criminals will go after the money, so payments are the prime target, followed by customer data.
- In order to protect your most valuable assets, focus on: i) Assurance, and ii) Defensibility.
This article was featured in the May 2017 issue of Intelligent Risk, knowledge for the PRMIA community, focusing on cyber risk.