What is Cyber Risk and how can financial organisations protect themselves?
What is Cyber Risk and its Impact? asks PwC’s Leonard McAuliffe.
Cyber risk may be defined as any risk of financial loss, disruption or damage to the reputation of an organisation from some sort of failure of its information technology systems. Information technology failures are often realised through a cyber attack.
Leonard McAuliffe

Cyber risks have dramatically evolved over the past decade and the approach that financial institutions use to manage them has not kept pace. Financial institutions are increasingly vulnerable to incoming cyber attacks from new directions and adversaries.

Cyber attacks come in the form of “hacktivism,” corporate espionage, insider and nation-states threats, terrorism, and criminal activity and can cost an organisation time, resources, and irreparable harm to its reputation. Information security systems are often designed to meet minimum levels of regulatory or industry compliance rather than to identify the risks to the business and provide appropriate safeguards.

Cyber attacks can directly or indirectly impact a financial institution, as described in the graphic below. Shaded cells are areas where cyber attacks are either the source, cause or a contributor of hazards for financial institutions.

Cyber attacks in Ireland and across financial institutions are growing and cannot be ignored. Over the past two years, cyber crime has doubled in Ireland, and nearly one fifth of organisations that reported cyber incidents incurred losses of between €75,000 and €750,000; 6% incurred a loss of nearly €4 million.

From a global perspective, the number of financial firms reporting losses of US$10 million to US$19.9 million increased by a head-turning 141% over last year.
PwC Cyber Security Manager, Daniel Muldoon, noted that “Organisations typically only consider the negative consequences of cyber risk when discussing cyber risk management. In fact, effective cyber risk management can enable the organisation to meet its business strategy and can also help the organisation differentiate itself in the marketplace.”

Effectively managing cyber risk can enable your business to safely recognise the benefits of technological advances to increase:
- Innovation
- Collaboration
- Productivity
- Competitiveness
- Customer Experience

Based on the results of the PwC 2015 Global CEO Survey, 86% of Financial Banking & Capital Markets CEOs indicated that technological advances will transform their business in the coming five years, and 71% of Financial Banking & Capital Markets CEOs see cyber risk as a threat to their business prospects.

Emerging Regulatory Environment Surrounding Cyber Risk
CEOs are not the only ones concerned about cyber risk - recent actions by financial industry regulators in the US and Europe have signalled that they may require proof that financial services firms have implemented a robust security programme.

Consider, for instance, the European Union General Data Protection Regulation, which is on track to be finalised by year end. The regulation is expected to add new requirements for breach notification to individuals, require organisations that handle personal data to conduct risk assessments and audits, and increase fines for compromised businesses. Other regulatory bodies have announced intentions to assess financial institutions for risk vulnerability and risk mitigation policies and procedures.

Guidance from the US Securities and Exchange Commission (SEC) suggests that US financial services firms should seriously consider investing in cyber insurance. In fact, the Commission included cyber insurance on its list of possible factors that may be used in examinations. What’s more, the SEC goes so far as to indicate that financial services firms should be prepared to undergo examinations to actually prove their preparedness. In other words, traditional check-the-box regulatory compliance is no longer sufficient.

In Ireland, the Central Bank has utilised the Central Bank Act to incorporate requirements outlined in the European Banking Authority’s “Guidelines on Internal Governance” (“GL 44”). Specifically, there is a requirement for credit institutions to review their governance of how “their systems are secure with respect to external threats (e.g. cybercrime)”. This has forced auditors to review cyber security as part of the audit process and report to the Central Bank of Ireland on the effectiveness of the controls.

What Can Organisations Do To Manage Their Cyber Risk?
The executive management team should recognise its leadership role in setting the proper tone and structure for managing cyber risk throughout the organisation. It should also recognise the importance of mitigating cyber risks as an essential task in maintaining the ongoing success of the institution. We recommend the following key practices for managing cyber risk.
Leonard McAuliffe is director at PwC’s Advisory Practice.
This article appeared in the March 2015 edition.