Five questions about managing cyber risk
With cyber attacks — ranging from network shutdowns to private data theft — becoming more common, many executive leaders and board members are taking a closer look at how their organizations manage and mitigate potential cyber threats. Their concerns are justified: a leading cyber security company reported that it detected four times as many targeted cyber attacks in November 2011 than in January 2011, less than a year earlier.1
Here, Rich Baich answers questions about actions executive leaders and board members should take to manage and mitigate cyber threats. Then he lends his perspective on hacktivism in the financial services industry.
A closer look: Financial services companies
|What’s at stake?||We’re seeing a rapid increase in the prevalence and sophistication of cyber crime and cyber espionage compromising organizational networks and data. These incidents increase an organization’s risk of fraud, intellectual property theft, network incapacitation, and damage to brands and corporate reputation — all of which can be far reaching and costly.|
|Why should executive leaders and board members take action now?||In October 2011, the Securities and Exchange Commission provided guidance that cyber threats deserve attention at the highest levels of management and governance — and that affected companies should disclose both cyber risks and cyber incidents if the information would be important to investor decisions.2|
|What does a comprehensive cyber risk management platform look like?||
A comprehensive platform engages the organization at all levels. The board of directors governs cyber threat risk by working with executive management to establish key performance indicators that can be used to evaluate and monitor cyber threats.
Executive management assumes responsibility for implementing and maintaining the risk infrastructure — people, process, and technology needed to manage and monitor cyber threats effectively.
And of course, business units and support functions own and conduct risk management and monitoring activities. Employee responsibilities are clearly defined and communicated, with training and incentives supporting desired behaviors.
|Where should leaders focus first to reduce the risks associated with cyber threats?||First, organizations should track digital information that leaves the organization — and where it’s going. Second, since passwords are no longer sufficient to keep out cyber criminals, organizations should implement additional ways to identify and monitor who is logging into the network and where they are located. Third, they should set up controls in order to know which software is running on company devices. And fourth, limit information that’s voluntarily sent outside the organization that could be useful to cyber criminals.|
|What are a few of the ways forward-thinking companies are staying ahead of cyber threats?||Some leading companies appoint a board member to oversee cyber risks and share insights with the rest of the board. Others implement cyber risk management processes that are repeatable, clearly documented, and aligned with the organization’s IT risk management and enterprise risk management framework. We also see organizations sharing cyber data with employees across all businesses units and functional areas to increase their awareness and support for reducing of cyber threats.|
A Closer Look: Financial services companies
As if they didn’t have enough security concerns, financial institutions should take action to protect themselves against a new type of cyber criminal — the hacktivist. According to Verizon’s 2012 Data Breach Investigations Report, data breaches motivated by political protests — known as hacktivism — dramatically increased in 2011. While financial gain continued to be the primary motive behind most large organization data breaches (71%), the study showed a significant number of attacks were motivated by disagreement or protest (25%). Hacktivism is becoming increasingly prevalent; the study showed the frequency and regularity of breaches by activist groups in 2011 exceeded the total reported for all previous years combined.3
Hacktivists tend to attack more vulnerable data by stealing and publishing personal information or account numbers in an effort to embarrass institutions. Or, they instigate distributed denial of service (DDoS) attacks by flooding the institution’s website with traffic, which was the tactic used against several international financial institutions in February 2012.
In response to the rising hacktivism threat, some financial services companies are applying strategies used to manage geopolitical risk by observing, collecting, analyzing, and disseminating intelligence across the enterprise to alert others to potential threats. Some also use brand monitoring and other innovative tracking services to help them anticipate situations that could make them a hacktivist’s target so they can take action to prevent or mitigate potential attacks.
Download the Risk Angle above.
- “Symantec Intelligence Report: November 2011,” Symantec Corporation, 2011. Available online at http://www.symanteccloud.com/mlireport/SYMCINT_2011_11_November_FINAL-en.pdf.
- “CF Disclosure Guidance: Topic No. 2 – Cybersecurity,” U.S. Securities and Exchange Commission, October 13, 2011. Available online at http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm
- Verizon, page 19.http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf?CMP=DMC-SMB_Z_ZZ_ZZ_Z_TV_N_Z037