As organizations rush to adopt new digital channels, big data, advanced analytics, and emerging technologies such as blockchain, artificial intelligence (AI) and quantum computing, they face new risks that may be difficult to quantify today.
The obvious challenge with emerging risk is the lack of historical perspective and measurement. Position credit risk against cyber, for example, and you’ll realize that credit professionals have the benefit of leveraging time-tested practices and numerous economic cycles as a basis for understanding risk quantification in familiar metrics. Credits that score a 6.2 (expected frequency of default) will, on average, lose a greater percentage of principle balance as compared to credits scoring 3.2, and this is a known quantity.
Now consider cyber risk in light of the imperative to embrace new technologies to remain competitive and the gradual emergence of risk mitigation strategies to match new technologies. Put simply, the unmanaged cybersecurity risk of tomorrow is the unintended consequence of today’s revolution.
Weighing the Benefits of Technology Against Cybersecurity Risk
New technology enables value creation, generates process efficiencies, and allows companies to assimilate and analyze information at an unprecedented speed. This creates numerous opportunities to drive substantive improvement for the public good. For instance, AI tools enable health care professionals to quickly and accurately assist doctors in their diagnosis and treatment of serious illnesses. Similarly, AI applications in the financial industry help mitigate bank fraud and other financial crimes and combat cyber risk.
However, cybercriminals have access to this same technology, which they use to launch attacks and breach corporate networks to steal or damage information. This, combined with the mass digitization of data, growth of internet of things (IoT) deployments and widespread adoption of AI, is straining security resources like nothing we’ve ever seen. Juniper Research forecast the number of records stolen by cybercriminals to reach 5 billion in 2020, and Cybersecurity Ventures predicted that cybercrime will cost the world $6 trillion annually by 2021, up from $3 trillion in 2015.
Continuous improvement has never been more crucial to cybersecurity risk management. The worst thing you can do is remain static or get comfortable with the status quo. The failure to reassess and invest in your strategy, evolve your practices, educate leaders and employees, and advance risk technology in lockstep with new business applications puts companies and even national economies at risk.
Cybercrime has evolved into a well-organized, well-funded industry that focuses all its attention on penetrating enterprise networks to disrupt, steal, extort and exploit sensitive data. That said, many of the incidents that have made the news have nothing to do with threat actors; instead, they are the result of human error or malicious insiders, which presents a unique type of risk management challenge.
Either way, a reactive and siloed approach to cyber risk management limits effectiveness. The increasing volume and spectrum of threats necessitates detection, management and mitigation strategies that are proactive, adaptable and offensive in nature. Most importantly, these strategies must engage all elements of senior leadership.
Part of the problem is that technology has advanced faster than risk mitigation practices and investments. In many instances, cyber risk management is compartmentalized with technology functions, not widely understood by senior leadership or overtly linked to business strategy. Confronting this new risk means that every member of the senior leadership team, board of directors and company staff must make an investment in understanding and managing cyber risk.
Do You Understand the Risks Facing Your Business?
The more aggressive a firm’s digital and data-driven business strategies are, the greater the need to ensure that cyber risk is understood at the senior executive and board levels. This is the only way to facilitate a healthy and informed dialogue about business strategies and technology deployments with the appropriate risk appetite, safety considerations and governance. Of course, this task becomes more complicated as more technologies are adopted and integrated into the IT environment.
The widespread adoption of big data and advanced analytics will make it increasingly difficult for companies to manage or govern the volume of data they are trying to utilize. This is already a problem for some regulated financial market data providers; datasets and the products derived from them have outrun firms’ ability to map, manage and quality-control the data.
Cloud is another notable example. Many firms are rushing to move workloads to a hybrid cloud environment, which introduces new risks in multiple forms and raises myriad questions, including:
- Where is the data?
- What controls will be provided by each cloud service provider (CSP) and what must be provided by the firm?
- How can the firm risk-assess and performance-manage each CSP?
- How can the firm implement an effective risk dashboard across data types and providers, both on and off premises?
- How can the firm demonstrate regulatory compliance effectively amid rapid change in the industry?
In addition, digital channels, bots and robo-advisors are being used at an accelerating pace. Like other emerging technologies, these expose consumers to new risks, and providers face scrutiny for poor outcomes. Understandably, consumers are not ready for these risks, and they simply do not know how to protect themselves in a world of connected devices, smart appliances and mobile banking. In response to this demand for open banking, and to stimulate competition in payments, the European Union (EU) issued a new Payment Service Directive (PSD2), which requires all financial institutions to share their customer and payment data in a standardized format. This open banking era introduces new obstacles to effective implementation and meeting both regulators’ and customers’ expectations of availability and ease of use.
Finally, the IoT brings countless new endpoints — and countless new microvulnerabilities — to the enterprise. It also exponentially multiplies the volume of data to be handled, complicates operating models, and makes it hard to map concerning data and risks. Consider technologies such as smart homes, connected cars and power grids; attacks on these systems could have physical, even life-threatening consequences that go far beyond the cost of noncompliance and disruption.
The New Regulatory Landscape Demands More of Leadership
The level of regulatory scrutiny and public awareness of cyber risk is rising and, along with it, expectations that companies will appropriately address these risks. Consider the General Data Protection Regulation (GDPR), which gives consumers more control over their personal data, mandates that vendors build data protection safeguards into products and services, and places strict requirements on companies that manage EU citizens’ personal data. Failure to comply could carry fines up to 20 million euros or 4 percent of total worldwide turnover.
Another example is the New York State Department of Financial Services (NYDFS) regulation 23 NYCRR Part 500, which holds the board responsible for overseeing and certifying compliance with appropriate security standards. As mentioned above, PSD2 addressed payment systems and their security requirements for registration under a new set of conditions and other criteria enacted by member states on Jan. 13, 2018. Finally, the California Legislature recently approved the California Consumer Privacy Act (CCPA), which will take effect in 2020. This new legislation, the strictest in the U.S., gives consumers rights related to how their data is managed and sold and imposes obligations on the holders of this data.
As you can see, cybersecurity risk is a real business risk and must be managed holistically as enterprise risk rather than delegated to technical functions. Chief information security officers (CISOs), risk and compliance officers, technology managers and line-of-business leaders must own risk collectively, and it must be built into and considered a crucial component of the business strategy.
To accomplish this, top management and the board must engage in regular dialogue around cyber risks and business strategy and recognize them as inextricably linked. Investment in one necessitates investment in the other. This approach enables business and security leaders to replace defensive strategies with offensive capabilities and maintain an open, honest and direct dialogue about risk. Most importantly, it helps these leaders coordinate and prepare to play their roles when a security incident strikes.
Associate Partner - NA Security Services, IBM