The Convergence of Operational Risk and Cyber Security

A joint paper by Accenture and Chartis Research advising that operational risk management and cyber security processes should be aligned to better cope with the increasing cyber threat and to improve resilience.


Cyber security has jumped to the top of companies’ risk agenda after a number of high-profile data breaches, ransom demands, distributed denial of service (DDoS) attacks and other hacks. In an increasingly digitized world, where data resides in the cloud, on mobiles and on devices connected to the “Internet of Things”, threat vectors are multiplying, threatening firms’ operations, customer and bank details, and future financial stability. Firms should develop a strategy to cope with this cyber threat emanating from online criminals, hacktivists or nation states looking to destabilize payment and financial systems, as in Russia’s alleged 2007 cyber-attack against Estonia’s financial services ecosystem. [1] The need is most pressing at large-scale financial services institutions, as many of these sit at the apex of the financial system.

This is a report by Accenture and Chartis analyzing the benefits of better aligning operational risk management procedures with cyber security in an enterprise risk management (ERM) framework. The objective for leading firms should be to focus on increasing the resilience of the organization, because, despite the best efforts, it is highly unlikely that any firm can completely avoid security issues in the digitally connected world we all operate within.

Cooperation is an essential starting point in the organization: a DDoS attack or data breach impacts people, processes and technology across the business. As well as getting IT systems back up and running, financial institutions (FIs) should write to customers and regulators, activate back-up facilities, and compensate any losses. Operational and cyber security employees need lines of communication and a coordinated, pre-planned response. Firms should take this opportunity to review their existing risk management processes, departments and responsibilities with respect to cyber security, re-aligning them into an overall operational and ERM strategy with boardroom backing.

Scope of the Problem: The Cyber Security Threat

In September 2015, for instance, the Securities and Exchange Commission (SEC) fined R.T. Jones Capital Equities Management, a St. Louis-based investment adviser, $75,000 for failing to establish the required cyber security policies and procedures in advance of a breach that occurred in July 2013. An unknown hacker gained access to data and compromised the personally identifiable information (PII) of approximately 100,000 individuals, including thousands of the firm’s clients, after infiltrating its third-party hosted web server. The attack left R.T. Jones’ clients vulnerable to fraud and theft and prompted the SEC’s action for violating Rule 30(a) of Regulation S-P under the US Securities Act of 1933. [2]

As Marshall S. Sprung, Co-Chief of the SEC Enforcement Division’s Asset Management Unit, said in the ruling: [3] “Firms must adopt written policies to protect their clients’ private information and they need to anticipate potential cyber security events and have clear procedures in place rather than waiting to react once a breach occurs.”

Other examples illustrating the scope of the problem include:

• Interpol and Kaspersky Lab revealed in February 2015 [4] that about $1bn had been stolen over a two-year period from financial institutions worldwide by a cybercriminal gang comprising members from Russia, Ukraine, other parts of Europe and China. The Moscow-based security firm dubbed the criminal gang “Carbanak” and Interpol was in pursuit. The criminal case proves that FIs are just as susceptible to cyber-attacks as retailers that hold card details, telcos, utilities and others. They are also at the top of the tree for any fraud-related attack.
• The Ponemon Institute LLC has calculated that cyber risk translates to a mean annualized cost, for every company, of $7.7 million. [5]
• In a recent “2015 Cyber Security Global Survey” conducted by Chartis Research, [6] which questioned 103 risk professionals, 69% said they expect their cyber security expenditure to increase next year by more than 10%.
• The World Economic Forum (WEF) again identified technological risks, in the form of data fraud and cyber-attacks, among the top ten risks in terms of likelihood, while critical information infrastructure breakdown is among its top ten risks in terms of impact. [7] The threats are real and growing.

Defining the Problem

A necessity for establishing control is first to set a good definition of the problem. Many firms produce their own cyber security definition. A common starting point is the International Standards Organization’s ISO 27k series on IT risk, which includes a cyber security component under ISO/IEC 27032. It reads as follows:

Officially, ISO/IEC 27032 addresses “Cybersecurity” or “Cyberspace security,” defined as the “preservation of confidentiality, integrity and availability of information in the Cyberspace.” [8]

In turn, “Cyberspace” is defined as the “complex environment resulting from the interaction of people, software and services on the internet by means of technology devices and networks connected to it, and which does not exist in any physical form.” [9]

In the US, the National Institute of Standards and Technology (NIST) can also provide useful definitions and guidelines. Both external frameworks should be examined as part of an early-stage project to align operational risk management (ORM) and cyber security procedures.

The main definition problem that FIs encounter is around scope. Broad and narrow definitions of cyber security both have strengths and weaknesses. A broad definition provides wide coverage and lends itself to a cross-silo approach. However, it can lead to confusion over responsibilities and cause significant overlap with other areas like IT security. A narrow definition can result in the creation of another tactical risk management silo, which is undesirable. The aim must be to develop an open definition that covers all of the threat vectors but clearly assigns responsibilities.

Expanding Operational Risk to Include Cyber Security

Cyber-attacks from external criminals or disgruntled internal employees can fit this definition. They become a problem only if the processes and people elements in an FI’s strategy are not sufficiently developed. If the chief risk officer (CRO) is talking to the chief information security officer (CISO), and both are aware of their specific responsibilities and how they align with the wider ERM strategy, then a data loss event, DDoS attack or hack needn’t be catastrophic. Joining the dots and aligning a strategy is key. The challenge is that cyber security is traditionally managed through its own set of internal controls within IT, which are separate from the duties and processes required for operational risk management or compliance. Bringing cyber security into a common framework is necessary in our view.

In addition, the Basel Committee’s 2014 report on operational risk includes cyber-attacks as a scenario. This illustrates the nature of the operational risk that can result from cyber security breaches, ranging from continuity to credit and market risk:

“…some banks have developed scenarios related to earthquakes and other catastrophic events such as a cyber-attack to assess not only the operational risk exposures (i.e. business continuity, costs, fraud losses, lawsuits, etc.) but also other risks such as credit risk (i.e. increased defaults, devaluations of collateral), market risk and general economic conditions (i.e. lower revenues).” [11]

The expansion of operational risk to include cyber threats is being driven by a number of trends:

1) The rising number and complexity of cyber-attacks now represent a real threat to an FI’s profitable existence. Reputational damage and regulatory fines await FIs that cannot prove a coordinated response, communication and back-up plan is in place.
2) Boards and senior leadership increasingly recognize that the solution lies beyond the technology layer and in the broader people and processes of the institution.
3) Poor cost-to-income ratios are driving banks to consolidate their silo-based risk management.

The “new normal” of expanded operational risk management (ORM) strategies that align with cyber security, fraud and anti-money laundering (AML) disciplines is illustrated in Figure 1. For example, cyber security events such as the “Carbanak” $1bn loss from financial institutions worldwide and this year’s Dyre Wolf malware attack against banks [12] show that phishing, malware, fraud, money laundering and business disruption all go together. A cyber risk response and ORM strategy should be similarly coordinated.

Chartis Research has seen operational frameworks and methodologies expanding into full governance, risk and compliance (GRC) initiatives at FIs. The three lines of defense (inputs such as risk events arising from malware; the firm’s monitoring and coping mechanisms; and auditing of the strategy; see Figure 2) mean that a firm should be able to prove that a boardroom-backed governance and risk structure is in place and reinforced by training and testing from the bottom up. Regulators and partners in the financial supply chain will be reassured by strong managerial oversight and the presence of a cyber risk-aware culture. In addition, the near-immediate dissemination of negative news through social media and the internet has increased the threat of reputational risk. Loss of reputation could lead to a loss of customer and stakeholder trust, loss of revenue, and a higher level of regulatory scrutiny in future, posing a direct threat to executives and the C-suite, who can potentially lose their jobs.