On a contrary note, the financial sector has operated in isolation on the aspect of cyber security. However, in present times, it’s imperative that both industries work together…
Emerging technologies and digitization have brought in their own new challenges and exposed organizations to new cyber threats. It is estimated that every year cyber-attacks cost organizations approximately 500 billion in damages. Increasing global interconnectedness and the complexity of systems make large-scale cyber-attacks on financial market infrastructure even more pertinent and threaten the stability of financial markets.
With the cyber threat landscape changing rapidly and attacks becoming more frequent, severe and systemic, the primary concern facing organizations is that security breaches could lead to data loss, financial losses, regulatory sanctions, reputational damage, operational disturbances, and other consequences. Today, cyber threat is a high-priority agenda item at the board level.
The strategies adopted for cyber risk management currently focus on two objectives: reducing the risk of a cyber-attack and minimizing the impact of a breach; and building resilience, i.e. detecting and recovering quickly from the impact of a data breach.
Risk Management
Globally, organizations are investing in developing a comprehensive set of cyber risk management capabilities that cover the entire value chain and ensure the threat is efficiently managed across the ecosystem. Some parameters of this risk management framework are as follows:
Dashboard: A digital cyber risk dashboard facilitates monitoring of metrics and escalation of cyber threats, and supports management decision making. The dashboard’s control effectiveness scorecards show the performance of control measures, the impact of control failures and ongoing investments in mitigating risks.
Financial Risk Quantification: This is about determining the severity and likelihood of cyber risk in monetary terms. Cyber risk quantification measures the value-at-risk (VaR) and helps in the assessment of the impact in financial terms. A cyber stress testing framework helps in the identification and quantification of VaR under various scenarios.
Cyber Risk Appetite: This refers to clearly articulated top-of-the-house qualitative statements and quantitative metrics to define the acceptance level of cyber risk.
Operating Model: This refers to clearly articulated roles and responsibilities for cyber risk management across the three lines of defense in the organization.
Cyber Risk Identification: This includes a comprehensive set of response mechanisms and governance for cyber incidents linked to risk identification and remediation.
Global Perspective
Traditionally, financial institutions have operated cyber risk functions in silos. However, the nature of unknown cyber security threats today requires industry participants to work together. Industry-wide investment into a collaborative initiative would be the first step. In brief, increasing collaboration among financial institutions is crucial for cyber risk management.
A report by The Depository Trust & Clearing Corporation and Oliver Wyman, which includes discussions with 50-plus domain experts, concluded that effective response and recovery requires continued industry collaboration and, in some cases, common industry utilities and approaches.
Age-old approaches to cyber risk mitigation have failed, and hence organizations are investing in identifying new approaches that include the use of advanced cloud-based SaaS services and platform-based approaches to security risks. Government institutions, such as NCSC in the UK and NIST in the US, have established cyber security centers and developed frameworks.
Capital markets players are recognizing that it is sub-optimal when institutions deal with cyber-attacks in silos, and several countries have put in place central agencies focused on cyber risk management. Organizations should consider adoption of a common set of standards by capital market participants. Organizations should continuously strengthen IT governance and review policies, processes and systems to keep pace with changing risks and attack vectors.
Indian Perspective
Several of India’s leading banks and capital market participants have a well-defined plan for cyber risk management at the institutional level. However, the industry as a whole should take a few steps to ensure greater effectiveness of cyber risk management plans.
The securities market regulator, the Securities and Exchange Board of India (SEBI), issued guidelines on cyber security and cyber resilience to market infrastructure providers in 2015 and developed guidelines for registrars in 2017.
In 2011, the Reserve Bank of India (RBI) issued comprehensive guidelines on information security, electronic banking, technology risk management, and frauds for risks emerging from digital adoption. In 2016, the RBI released a comprehensive set of requirements for internal cyber security frameworks.
The government of India has also undertaken initiatives including the Information Technology (IT) Act, 2000. It has set up the nodal cyber security agency, CERT-In, to respond to computer security incidents. The National Critical Information Infrastructure Protection Centre is the central agency to facilitate safe, secure and resilient information infrastructure for critical sectors of the economy.