
Risk Angles

Five questions about managing cyber risk


An interview with Rich Baich, principal, Security and Privacy, Deloitte and Touche LLP and Global Lead for Cyber Threat Management.

With cyber attacks — ranging from network shutdowns to private data theft — becoming more common, many executive leaders and board members are taking a closer look at how their organizations manage and mitigate potential cyber threats. Their concerns are justified: a leading cyber security company reported that it detected four times as many targeted cyber attacks in November 2011 as in January 2011, less than a year earlier.[1]

Here, Rich Baich answers questions about actions executive leaders and board members should take to manage and mitigate cyber threats. Then he lends his perspective on hacktivism in the financial services industry.

Question: What’s at stake?
Rich's take: We’re seeing a rapid increase in the prevalence and sophistication of cyber crime and cyber espionage compromising organizational networks and data. These incidents increase an organization’s risk of fraud, intellectual property theft, network incapacitation, and damage to brands and corporate reputation — all of which can be far reaching and costly.

Question: Why should executive leaders and board members take action now?
Rich's take: In October 2011, the Securities and Exchange Commission provided guidance that cyber threats deserve attention at the highest levels of management and governance — and that affected companies should disclose both cyber risks and cyber incidents if the information would be important to investor decisions.[2]

Question: What does a comprehensive cyber risk management platform look like?
Rich's take: A comprehensive platform engages the organization at all levels. The board of directors governs cyber threat risk by working with executive management to establish key performance indicators that can be used to evaluate and monitor cyber threats.

Executive management assumes responsibility for implementing and maintaining the risk infrastructure — people, process, and technology needed to manage and monitor cyber threats effectively.

And of course, business units and support functions own and conduct risk management and monitoring activities. Employee responsibilities are clearly defined and communicated, with training and incentives supporting desired behaviors.

Question: Where should leaders focus first to reduce the risks associated with cyber threats?
Rich's take: First, organizations should track digital information that leaves the organization — and where it’s going. Second, since passwords are no longer sufficient to keep out cyber criminals, organizations should implement additional ways to identify and monitor who is logging into the network and where they are located. Third, they should set up controls in order to know which software is running on company devices. And fourth, limit information that’s voluntarily sent outside the organization that could be useful to cyber criminals.

Question: What are a few of the ways forward-thinking companies are staying ahead of cyber threats?
Rich's take: Some leading companies appoint a board member to oversee cyber risks and share insights with the rest of the board. Others implement cyber risk management processes that are repeatable, clearly documented, and aligned with the organization’s IT risk management and enterprise risk management framework. We also see organizations sharing cyber data with employees across all business units and functional areas to increase their awareness and support for reducing cyber threats.

A Closer Look: Financial services companies


As if they didn’t have enough security concerns, financial institutions should take action to protect themselves against a new type of cyber criminal — the hacktivist. According to Verizon’s 2012 Data Breach Investigations Report, data breaches motivated by political protests — known as hacktivism — dramatically increased in 2011. While financial gain continued to be the primary motive behind most large organization data breaches (71%), the study showed a significant number of attacks were motivated by disagreement or protest (25%). Hacktivism is becoming increasingly prevalent; the study showed the frequency and regularity of breaches by activist groups in 2011 exceeded the total reported for all previous years combined.[3]

Hacktivists tend to attack more vulnerable data by stealing and publishing personal information or account numbers in an effort to embarrass institutions. Or, they instigate distributed denial of service (DDoS) attacks by flooding the institution’s website with traffic, which was the tactic used against several international financial institutions in February 2012.

In response to the rising hacktivism threat, some financial services companies are applying strategies used to manage geopolitical risk by observing, collecting, analyzing, and disseminating intelligence across the enterprise to alert others to potential threats. Some also use brand monitoring and other innovative tracking services to help them anticipate situations that could make them a hacktivist’s target so they can take action to prevent or mitigate potential attacks.


  1. “Symantec Intelligence Report: November 2011,” Symantec Corporation, 2011. Available online at
  2. “CF Disclosure Guidance: Topic No. 2 – Cybersecurity,” U.S. Securities and Exchange Commission, October 13, 2011. Available online at
  3. Verizon, page 19.


Material on this website is © 2014 Deloitte Global Services Limited, or a member firm of Deloitte Touche Tohmatsu Limited, or one of their affiliates. See Legal for copyright and other legal information.
