Documente Academic
Documente Profesional
Documente Cultură
of Operational Risk
and Cyber Security
The Convergence of Operational Risk and Cyber Security
A joint paper by Accenture and Chartis Research advising that operational risk
management and cyber security processes should align to better cope with the
increasing cyber threat and improve resilience.
Cyber security has jumped to the top of companies’ risk agenda This is a report by Accenture and Chartis analyzing the benefits of
after a number of high profile data breaches, ransom demands, better alignment across operational risk management procedures
distributed denial of service (DDoS) attacks and other hacks. In with cyber security in an enterprise risk management (ERM)
an increasingly digitized world, where data resides in the cloud, framework. The objective for leading firms should be to focus on
on mobiles and devices connected to the “Internet of Things” increasing the resilience of the organization, and despite the best
threat vectors are multiplying, threatening firms’ operations, efforts it is highly unlikely that any firm can completely avoid security
customer and bank details and future financial stability. issues in the digitally-connected world we all operate within.
Firms should develop a strategy to cope with this cyber threat Cooperation is an essential starting point in the organization—
emanating from online criminals, hacktivists or nation states a DDoS attack or data breach impacts people, processes and
looking to destabilize payment and financial systems such as technology across the business. As well as getting IT systems
Russia’s alleged 2007 cyber-attack against Estonia’s financial back up and running financial institutions (FIs) should write
services ecosystem.1 The need is most pressing at large scale to customers and regulators, activate back-up facilities, and
financial services institutions as many of these sit at the apex compensate any losses. Operational and cyber security employees
of the financial system. need lines of communications and a coordinated pre-planned
response. Firms should take this opportunity to review their existing
risk management processes, departments and responsibilities
with respect to cyber security, re-aligning them into an overall
operational and ERM strategy with boardroom backing.
2
The Convergence of Operational Risk and Cyber Security
In September 2015, for instance, the Securities and Exchange Other examples illustrating the scope of the problem include:
Commission (SEC) fined R.T. Jones Capital Equities Management, a
St. Louis-based investment adviser, $75,000 for failing to establish • Interpol and Kaspersky Lab revealed in February 20154 that about
the required cyber security policies and procedures in advance of $1bn had been stolen over a two year period from financial
a breach that occurred in July 2013. An unknown hacker gained institutions worldwide by a cybercriminal gang comprising
access to data and compromised the personally identifiable members from Russia, Ukraine, other parts of Europe and China.
information (PII) of approximately 100,000 individuals, including The Moscow-based security firm dubbed the criminal gang
thousands of the firm’s clients, after infiltrating its third-party “Carbanak” and Interpol was in pursuit. The criminal case proves
hosted web server. The attack left R.T. Jones’ clients, vulnerable that FIs are just as susceptible to cyber-attacks as retailers that
to fraud theft and prompted the SEC’s action for violating Rule hold card details or telcos and utilities among others. They are
30(a) of Regulation S-P under the US Securities Act of 1933.2 also at the top of the tree for any fraud-related attack.
• The Ponemon Institute LLC has calculated that cyber risk translates
As Marshall S. Sprung, Co-Chief of the SEC Enforcement Division’s to a mean annualized cost, for every company, of $7.7 million.5
Asset Management Unit, said in the ruling:3 “Firms must adopt
written policies to protect their clients’ private information and • In a recent “2015 Cyber Security Global Survey” conducted
they need to anticipate potential cyber security events and have by Chartis Research,6 which questioned 103 risk professionals,
clear procedures in place rather than waiting to react once a 69% of them said they expect their cyber security expenditure
breach occurs.” to increase next year by more than 10%.
Risk Controls
3
The Convergence of Operational Risk and Cyber Security
A necessity for establishing control is to first set a good In the US, the National Institute of Standards and
definition of the problem. Many firms produce their own Technology (NIST) can also provide useful definitions and
cyber security definition. A common starting point is with guidelines. Both external frameworks should be examined
the International Standards Organization’s ISO 27k series as part of an early stage project to align operational risk
on IT risk, which includes a cyber security component, management (ORM) and cyber security procedures.
under ISO/IEC 27032. It reads as follows:
The main definition problem that FIs encounter is around scope.
Officially, ISO/IEC 27032 addresses “Cybersecurity” or “Cyberspace Broad and narrow definitions of cyber security both have strengths
security,” defined as the “preservation of confidentiality, integrity and weaknesses. A broad definition provides wide coverage
and availability of information in the Cyberspace.”8 and lends itself to a cross-silo approach. However, it can lead
to confusion over responsibilities and cause significant overlap
In turn “Cyberspace” is defined as the “complex environment with other areas like IT security. A narrow definition can result in
resulting from the interaction of people, software and services the creation of another tactical risk management silo, which is
on the internet by means of technology devices and networks undesirable. The aim must be to develop an open definition that
connected to it, and which does not exist in any physical form.”9 covers all of the threat vectors, but clearly assigns responsibilities.
4
The Convergence of Operational Risk and Cyber Security
Examples – Definition
Coverage Strengths Weaknesses
of Cyber Security
“Protection against services Covering incidents which Differentiates between local IT Doesn’t focus on
or applications in cyberspace occur in cyberspace, i.e. online. issues and online IT. physically-enabled network
being used for or are the attacks, such as black boxes.
target of a crime, or where
cyberspace is the source, tool,
target, or place of a crime.”
“Detection, prevention Covering incidents wherein Differentiates between IT Narrow definition; can
and recovery processes IT-specific controls are security and cyber security (by cause confusion around
for malicious or deliberate deliberately broken. specifying deliberate attacks), responsibilities when cross-silo
damage, bypass or removal and also fraud risks (by attacks occur such as when
of IT controls.” specifying IT controls). a fraud attack is initiated by
a phishing malware.
“The body of technologies, Defining cyber security as Broad focus, enabling the Soft definition; often cannot
processes and practices essentially encompassing the capture of information from be distinguished from IT
designed to protect networks, security of all IT processes. multiple potential silos. security definitions, such as:
computers, programs and data “Information security is the
from attack, damage set of business processes
or unauthorized access.” that protects information
assets regardless of how the
information is formatted or
whether it is being processed,
is in transit or is being stored.”
“The attempt to subvert Defining cyber security as Defines information Does not distinguish between
information risk controls of the protection of access to risk controls as a target technologically-enabled
the bank for the agenda of information in an IT system. for perpetrators. and non-technologically
the perpetrator.” enabled attacks.
Source: Chartis Research, based on discussions with financial institutions, August to December 2015
5
The Convergence of Operational Risk and Cyber Security
Cyber-attacks from external criminals or internally disgruntled The expansion of operational risk to include cyber threats
employees can fit this definition. They become a problem only is being driven by a number of trends:
if the processes and people elements in an FI’s strategy are not
sufficiently developed. If the chief risk officer (CRO) is talking 1) The rising number and complexity of cyber-attacks
to the chief information security officer (CISO) and both are now represents a real threat to an FI’s profitable
aware of their specific responsibilities, and how they align with existence. Reputational damage and regulatory fines
the wider ERM strategy, then a data loss event, DDoS attack or await FIs that cannot prove a coordinated response,
hack needn’t be catastrophic. Joining the dots and aligning a communication and back-up plan is in place.
strategy is key. The challenge is that cyber security is traditionally
managed through its own set of internal controls within IT, 2) Boards and senior leadership increasingly recognize that
which are separate from the duties and processes required for the solution lies beyond the technology layer and in the
operational risk management or compliance. Bringing cyber broader people and processes of the institution.
security into a common framework is necessary in our view.
3) Poor cost-to-income ratios are driving banks to consolidate
their silo-based risk management.
In addition, the Basel Committee’s 2014 report on operational
risk includes cyber-attacks as a scenario. This illustrates the The “new normal” of expanded operational risk management (ORM)
nature of the operational risk that can result from cyber security strategies that align with cyber security, fraud and anti-money
breaches, ranging from continuity to credit and market risk. laundering (AML) disciplines is illustrated in Figure 1. For example,
cyber security events such as the “Carbanak” $1bn loss from
“…some banks have developed scenarios related to earthquakes financial institutions worldwide and this year’s Dyre Wolf malware
and other catastrophic events such as a cyber-attack to assess not attack against banks12 show that phishing, malware, fraud, money
only the operational risk exposures (i.e. business continuity, costs, laundering and business disruption all go together. A cyber risk
fraud losses, lawsuits, etc.) but also other risks such as credit response and ORM strategy should be similarly coordinated.
risk (i.e. increased defaults, devaluations of collateral), market
risk and general economic conditions (i.e. lower revenues).”11
6
The Convergence of Operational Risk and Cyber Security
Figure 1. Operational risk management can be the integration point for cyber security and other risk management areas
Model Risk
Operational
Cyber Security Conduct Risk
Risk Management
AML
Chartis Research has seen operational frameworks and Regulators and partners in the financial supply chain will be
methodologies expanding into full governance, risk and reassured by strong managerial oversight and the presence
compliance (GRC) initiatives at FIs. The three lines of defense of a cyber risk-aware culture. In addition, the near-immediate
– inputs such as risk events arising from malware; your dissemination of negative news through social media and the
monitoring and coping mechanisms; and auditing of the strategy internet has increased the threat of reputational risk. Loss of
(see Figure 2) – mean that a firm should be able to prove a reputation could lead to a loss of customer and stakeholder
boardroom-backed governance and risk structure is in place trust, loss of revenue, and a higher level of regulatory
and reinforced by training and testing from the bottom-up. scrutiny in future, posing a direct threat to executives
and the C-suite, who can potentially lose their jobs.
7
The Convergence of Operational Risk and Cyber Security
Establishing a Framework
By taking an integrated view of operational risk and cyber security, FIs will
be better able to protect, monitor and mitigate a wider array of threats.
8
The Convergence of Operational Risk and Cyber Security
Source: Chartis Research, based on analysis of the risk strategies of several global financial institutions, December 2015
Disaster recovery and business continuity planning (BCP) As an example, cyber risk threats and/or vulnerable events, such
processes should also be clearly defined and link into an as wire transfers, should be examined and modeled start-to-finish
institution’s combined operational and cyber risk strategy. as part of any FI’s procedure, with a “kill chain” clearly established
to mitigate risk. Potential points of compromise, responsibilities,
and remediation measures should all be detailed at each stage
to establish a comprehensive framework.
9
The Convergence of Operational Risk and Cyber Security
Front line troops with job titles such as CISO or chief On-going training is also advisable so that FIs can keep pace
technology or information officer (CTO/CIO) tend to have with any technological and regulatory changes. Training
a strong understanding of IT, but in many cases they remains particularly crucial as the vast majority of cyber
have limited formal risk management understanding. security incidents start from avoidable human error, such as
an employee clicking on a phishing email. While many firms
Similarly, risk managers have a strong understanding of the focus on technology and prevention, training and awareness
business and risk concepts needed for a good cyber security of potential cyber risks from the bottom up is essential.
response in the event of an attack, but a relatively weak
understanding of the complex IT issues involved. This should include mandatory awareness of good security
practices, and periodic testing of employee responses to
Increasing IT and risk knowledge transfer is a critical success potential attacks. In addition, while it is important that training
factor when aligning cyber security and operational risk. Staff is part of the front office, it is also vitally important that
rotation and shadowing may be helpful in promoting mutual responsibility for basic cyber security does not die out in middle
comprehension and understanding. Joint competency centers management. In interviews conducted by Chartis and Accenture
should also be considered, alongside recruitment and incentive with firms who had implemented phishing testing, they said
strategies to encourage collaboration. Formal knowledge transfer that management (including the C-suite) were more likely to
initiatives should have senior management oversight and support. respond to phishing emails than front-office employees.
Speed will be of the essence if an FI comes under attack so Some may work under the illusion that their firms’ security
lines of communication between risk and IT professionals systems are protecting and insulating them, but with respect
should be open. Regular test scenarios can help. to cyber security, all employees are potentially on the front line.
10
The Convergence of Operational Risk and Cyber Security
11
The Convergence of Operational Risk and Cyber Security
Good data management, monitoring and analytics can help feed Real-time reporting
effective processes, communication and early warning mechanisms
The move towards dynamic and responsive risk management
into the three lines of defense shown in Figure 2. Technology
and governance has increased the demand for real-time
can help deliver an integrated approach to cyber security and
reporting and the escalation of risk information. The traditional
operational risk. A common analytical layer is highly desirable.
audit-based snapshot approach to ORM should be replaced
by dynamic and real-time ORM alerts, including cyber KRIs
In addition to the required security tools, Accenture and Chartis
in a reformed structure that is supported by automated data
consider the following to be important technology elements
feeds. Early warning systems can be created in this manner.
in any risk-based approach.
Anomaly detection
Integrated data management
Current anomaly detection systems are often based on
FIs may find it hard to attain a holistic view of their operational
searching for known patterns. However, fraud and cyber
risks across the whole enterprise because they have many
security analysts require dynamic abilities to look for
disparate IT systems in use. An effective operational risk
unpredictable new patterns of attack and relationships.
management system should access risk data from various ORM
Advanced anomaly detection software goes beyond business
and cyber security applications, as well as operational sources
rules to include analytics, using advanced methods such as
such as AML, 3rd party risk, and fraud management systems,
mathematical correlations, predictive modeling and artificial
bringing together KRIs based around internal and external
intelligence to acquire a holistic view of entity activity.
losses, malware detection, standards, patching, and model risk
management. Unified risk data models and standards are critical.
Integrated case management
Metadata In most FIs separate business lines use standalone case
management databases and workflow solutions for logging
A metadata-driven approach is essential for this integrated
and managing alerts. Reporting is also typically done on a
cyber ORM approach to work. Metadata is a means of creating a
siloed basis. Instead FIs are encouraged to pool information.
logical and manageable view of all the risk information available
Pooling cross-organizational, cross-border data is perhaps
to an organization. Use the latest approaches to enterprise
the most important step down the integration path an FI can
data management (EDM) for a more agile and responsive data
take. Unusual patterns of behavior and new threats can all be
environment, enabling auditability, traceability of changes,
identified more quickly with enterprise-wide search capabilities
drill-down workflow and enterprise case management.
and remediation action can more easily be activated.
12
The Convergence of Operational Risk and Cyber Security
Conclusions
Bringing together leadership and capabilities across fraud, IT, cyber • Effective cyber security requires collaboration across silos,
security and operational risk in this manner can help FIs to “connect knowledge sharing and cooperation between technology
the dots” and improve their enterprise risk management (ERM) and operational risk employees. Each should understand
strategy. Governance, skills, taxonomies and technology should the others’ responsibilities. Collaboration between the chief
be aligned with the common definition, language and approach data officer (CDO), CIO, CISO and CRO is very important.
delineated at the start of the alignment push between operational
and cyber risk. The ability to view cyber security breaches as a • Coordination between cyber security and operational
risk, with associated probabilities and impacts, help firms focus risk will encourage increased visibility of risks and a
on striking the right balance between resilience and protection. communication of cyber security issues at the board level.
Boardroom support for the formation of an integrated cyber
The key recommendations from Accenture and Chartis ORM approach is essential from the top down. Similarly,
Research include: bottom-up cyber security should be built through a
risk-aware culture, including training and periodic testing.
• FIs should establish consistent definitions for cyber security. Firms
should avoid the potential creation of another risk management • Alignment between the operational risk and cyber security
silo by using an open definition that also assigns responsibilities disciplines should help FIs stay ahead of online criminals,
in the event of an attack, helping firms to have a consistent hacktivists and rogue states. A comprehensive pre-planned
view of cyber security across business and IT processes. strategic response will encourage firms to resist the growing
cyber threat.
• Cyber security should be managed as a risk discipline across
the three lines of defense – ownership, oversight and assurance.
This should help firms to align with board-level risk appetite.
Cyber Threats
13
The Convergence of Operational Risk and Cyber Security
References
1
“Estonia under cyber attack,” Hun-CERT. 7
“The Global Risks report 2015,” World Economic Forum.
Access at: http://cert.hu/sites/default/files/Estonia_attack2.pdf Access at: http://www3.weforum.org/docs/WEF_Global_
Risks_2015_Report15.pdf
2
“SEC Charges Investment Adviser With Failing to Adopt
Proper Cybersecurity Policies and Procedures Prior to 8
“ISO/IEC 27032:2012 Information Technology – Security
Breach,” U.S. Securities and Exchange Commission, techniques – Guidelines for cybersecurity,” ISO website,
press release, September 22, 2015. Access at: http:// online browsing platform. Access at: https://www.iso.org/obp/
www.sec.gov/news/pressrelease/2015-202.html ui/#iso:std:iso-iec:27032:ed-1:v1:en
3
Ibid 9
Ibid
4
“The Great Bank Robbery: Carbanak cybergang steals $1bn from 10
“Consultative Document on Operational Risk,” Basel Committee
100 financial institutions worldwide,” Kaspersky Lab, Virus on Banking Supervision, January 2001. Access at: https://www.
News, February 16, 2015. Access at: http://www.kaspersky. bis.org/publ/bcbsca07.pdf
com/about/news/virus/2015/Carbanak-cybergang-steals-
1-bn-USD-from-100-financial-institutions-worldwide
11
“Review of the Principles for the Sound Management of
Operational Risk,” Basel Committee on Banking Supervision,
5
“Forewarned is Forearmed, 2015 Cost of Cyber Crime Study: October 6, 2014. Access at: http://www.bis.org/publ/bcbs292.pdf
Global,” October 2015. Access at: http://www8.hp.com/uk/en/
software-solutions/ponemon-cyber-security-report/index.html
12
“The Dyre Wolf – Bank Transfer Scam Alert,” National Fraud
Intelligence Bureau and City of London Police, April 2015.
6
“Cyber Security Global Survey,” Chartis Research, results Access at: http://www.fsb.org.uk/docs/default-
to be published Q1 2016. source/fsb-org-uk/152/assets/april-2015/the-
dyre-wolf---bank-transfer-scam-alert.pdf
14
The Convergence of Operational Risk and Cyber Security
Prior to his current role he was responsible for our Global Risk
Management Practice, and prior to that he led Accenture’s
Finance & Enterprise Performance consulting services for global
banking, insurance and capital markets institutions. With his
extensive experience in the financial services industries, combined
with his knowledge of risk management and the finance function,
he guides executives and client teams on the journey to becoming
high-performance businesses.
Acknowledgement
The authors would like to thank Peyman Mestchian of Chartis
Research for his valuable contribution to this document.
15
Stay Connected About Chartis Research
Accenture Finance & Risk Services Chartis Research is the leading provider of research and analysis
www.accenture.com/financeandrisk on the global market for risk technology. It is part of Incisive
Media which has market leading brands such as Risk and Waters
Connect With US Technology. Chartis’s goal is to support enterprises as they drive
www.linkedin.com/groups?gid=3753715 business performance through better risk management, corporate
governance and compliance and to help clients make informed
Join Us
technology and business decisions by providing in-depth analysis
www.facebook.com/accenture
and actionable advice on virtually all aspects of risk technology.
Areas of expertise include:
Follow Us
www.twitter.com/accenture • Credit risk
• Operational risk and governance, risk and compliance (GRC)
Watch Us
www.youtube.com/accenture • Market risk
• Asset and liability management (ALM) and liquidity risk
Disclaimer
This document is intended for general informational purposes only and does
not take into account the reader’s specific circumstances, and may not
reflect the most current developments. Accenture disclaims, to the fullest
extent permitted by applicable law, any and all liability for the accuracy
and completeness of the information in this document and for any acts or
omissions made based on such information. Accenture does not provide
legal, regulatory, audit, or tax advice. Readers are responsible for obtaining
such advice from their own legal counsel or other licensed professionals.
No part of this publication may be reproduced, adapted, stored in a retrieval
system or transmitted in any form by any means, electronic, mechanical,
photocopying, recording or otherwise, without the prior permission of Chartis
Copyright © 2016 Accenture Research Ltd. The facts of this report are believed to be correct at the time
of publication but cannot be guaranteed. Please note that the findings,
All rights reserved. conclusions and recommendations that Chartis Research delivers will be based
on information gathered in good faith, whose accuracy we cannot guarantee.
Accenture, its logo, and Chartis Research accepts no liability whatever for actions taken based on any
High Performance Delivered information that may subsequently prove to be incorrect or errors in our analysis.
are trademarks of Accenture. See Chartis “Terms of Use” on www.chartis-research.com. RiskTech100® is a
registered trade mark of Chartis Research Limited. Unauthorized use of Chartis’s
name and trademarks is strictly prohibited and subject to legal penalties.
© Copyright Chartis Research Ltd
2016. All Rights Reserved. Chartis
Research is a wholly owned
subsidiary of Incisive Media Ltd. 15-5280