Do you know what a Petya-style ransomware attack could cost your business?
10 October 2017
Cyber risk is one of the greatest risks facing the financial services industry. The PwC CEO Survey found that UK CEOs rate cyber risks as their second biggest business threat - second only to the availability of key skills. Although it is known to be a major risk, many organisations fail to understand properly why they might be targeted, what makes them vulnerable and what a successful attack would cost the business. Building a complete and accurate understanding of this risk, by establishing the cyber risk exposure to the business, is critical to ensuring that the response to the risk is correct and appropriate.
In financial services companies, operational risk management frameworks are designed to articulate and manage the non-financial risks to which organisations are exposed. However, they have not matured at the same rate as the risks have evolved. The pathways by which operational events materialise are increasingly IT-enabled: insider privilege escalation, malware, ransomware, social engineering, phishing, denial of service, man-in-the-middle, internet-facing application attack, supply-chain connection attack, etc.
More mature organisations clearly establish the cyber risk exposure to the business and its correlation to business risk: bringing to life the business context of cyber security risks, their correlation to the business's economic functions, and the identification and remediation of any related control weaknesses. For example, it is more valuable to the business to report on "sensitive high-net-worth data stolen by an advanced external cyber threat actor leveraging existing vulnerabilities in the customer relationship management system of the private banking division" than on the generic risk of "data loss" or a cyber capability weakness such as "weak vulnerability management". In our experience those mature companies build true cyber resilience through:
- Managing cyber risks for key business functions / processes
- Targeting investment to manage real high-risk scenarios
- Using threat scenario analysis to quantify cyber risk for critical business assets.
Companies without a view of the business impact of cyber risk cannot make decisions effectively
From our experience of the financial services industry, organisations that have not yet embedded their exposure to cyber events in their operational risk framework are unable to respond organisationally to the changing threat landscape.
Too many companies today decide cyber security budgets with a technology focus and do not have an appreciation of the business risk they are trying to reduce. The flip side of that is that when organisations need to determine, communicate and prepare for the cyber events their business operations are exposed to, they are doing it without a look-through to the maturity of the security controls, and to the known threats the organisation faces. They are looking at the past for help, when this has little or no value in predicting the evolving cyber risks of the future.
At PwC, cyber security experts, operational risk professionals and risk modelling teams have implemented methods to allow a holistic quantification and management of cyber risk. In this framework, risk owners understand the contributing impact cyber risk has on their operational risks and can leverage this information to augment their risk management practices.
When applying this framework to your organisation, we:
- work with your existing frameworks to align your IT risk taxonomy to your operational risk and business impacts.
- enhance the risk taxonomy by mapping cyber risk registers to business risks. We prepare the ground for communication of cyber scenarios you might face today and in the future.
- apply data on the threats you face to our cyber risk quantification models to generate scenarios, which are tailored to the assets and business functions at risk. We identify what expenses and lost revenue are driving the losses.
- put in place dynamic feeds of new threats to update the scenarios and their impacts and embed the framework across your critical business functions.
How have we been able to do this? We have developed cyber risk analytical tools, working with a global cyber security software giant, and we have assigned the task to a multidisciplinary team of versatile risk modellers and cyber security specialists who help clients prevent and remediate the effects of cyber attacks. And we have borrowed from other sectors, in particular the exposure-based predictive modelling the insurance industry uses when it knows that the risks it faces in the future bear little or no resemblance to any data it can get from the past.
How does this help?
A robust approach to measuring cyber risk exposure will enable you to:
- Satisfy your internal model policy requirements by having an operational risk module that truly reflects the risks that your organisation is exposed to. Now you can derive capital loadings from operational risk which are underpinned by a robust method, allowing you to respond to the emerging regulatory requirements.
- Communicate and plan for the financial impact of a cyber event. Underpin your cyber resilience planning with quantified impacts, channel commensurate remediation efforts in your IT security budgets, and communicate to stakeholders the downside risks you run in carrying out your business.
- Use the currency you have created to plan your risk management strategy: what to avoid, what to mitigate, what to accept and what to transfer through insurance. We think there are some distinct financial benefits from becoming a better buyer of insurance, and being transparent about the risks you run with your insurer will make you a more attractive risk to underwrite.
With the cyber operational risk framework we have developed, we help financial companies to understand current threats, prepare for the threats of the future and enable them to start on the journey to building strong cyber risk governance throughout the organisation.