Author: George Toner
24 Oct 2019
Recent work with Chief Risk Officers (CROs) from financial institutions highlighted that the management of financial risk and cyber risk remains worlds apart. The role of the CRO involves managing price to book ratios, return on equity, loan to value and debt maturity. This is far removed from the CISO office where discussions are often limited to threats, vulnerabilities and impact.
Financial institutions are heavily regulated and have a great deal to lose, requiring CROs to achieve a delicate balance of both compliance and risk management. In such a complex and volatile environment, both profitability and solvency of the financial institution remain in the forefront of the CRO’s mind, with two questions frequently being asked:
- Can we demonstrate to the regulator that we hold sufficient capital and have adequate risk controls in place?
- How much money could we lose?
To answer these critical questions, CROs leverage data, proven scientific techniques and advanced tools. In doing so, they can model and forecast future outcomes, and assure board members that adequate capital exists to absorb unexpected losses, something many CISOs can only dream of.
When compared to the CRO, the role of today’s CISO remains a stark contrast. How cyber risk is analysed, modelled, communicated and validated couldn’t be more different from that of financial risk. What can we learn from how financial risk is managed? Can any aspects of financial risk management be put to effective use in the cyber risk domain? Simply put, what can CISOs learn from the CRO?
While CISOs cannot expect to adopt every aspect of financial risk management, there are many good practices, applied by the CRO office, that can benefit cyber risk management. Consider how the CRO delivers effective risk management by: examining key factors that influence risk; employing data analytics, modelling and visualisation; embracing risk tolerance/appetite to keep risk within acceptable limits; providing meaningful results to inform critical decision making; and continuously evaluating the approach to deliver confidence.
Collaboration with the CRO and their team will bring the CISO significant reward when it comes to managing cyber risk. Here are five steps to get started.
- Engage with the CRO to understand approaches taken for financial risk and identify methods that should be adopted for cyber risk
- Identify established terminology and concepts in financial risk that can be used to improve engagement about cyber risk
- Stress test your cyber risk analysis methodology and model by submitting them to the model risk validation team, and use the results as the basis for improvement
- Determine the most effective communication methods used for reporting financial risk to the board, and adjust cyber risk reporting accordingly
- Explore opportunities to use and tailor financial risk management methodologies that will benefit cyber risk management
The Information Security Forum provides a range of guidance and best practice for effective risk management, protection of technology and planning for future threat scenarios. Examples include:
- Quantitative Techniques in Information Risk Analysis
- Aligning Information Risk Management with Operational Risk Management
- Engaged Reporting
- Threat Horizon series