[Image: green-grey code filling the screen of a laptop in a dark room. Photo by Markus Spiske via Unsplash]

Cyber risk governance should take centre stage in financial services

By Lutfey Siddiqi on January 6, 2020 | The Horn

It feels as though cyber risk has crept up on us without warning and with great intensity.

We have come a long way from the days when our Palm Pilots had to be hot-synced through a docking station and the occasional hazard was from viruses transmitted as email attachments. Over the years, we have embraced extreme connectivity combined with extreme automation in a never-ending drive towards convenience and cost-efficiency.

However, even as banks continue to nudge, cajole (and perhaps occasionally threaten) their customers towards impersonal e-channels, we learn about record amounts of losses from online fraud and theft. Furthermore, all of us – not just the specialists – are asked to act as conscription soldiers in the fight against this threat.

According to a report by Accenture, almost eight out of ten business leaders believe that they are adopting new technologies faster than they can address related security issues. It also estimates that nearly $350 billion of value could be lost by the banking sector to cybercrime in the next five years.

Publicly known examples across various sectors include the NotPetya cyber attack on the shipping group Maersk, the WannaCry attack on the British National Health Service (NHS), the theft of reserves from the Bangladesh central bank via the SWIFT network, and the hacking of confidential data from Sony Film Studios.

With more of our devices integrated through “the internet of things” and more of our services provided by an assemblage of outsourced specialists, there are simply more points of entry for potential attacks or lapses. With a wide diversity of digital maturity, capability and habits of ‘cyber hygiene’ amongst us, system resilience could be compromised by the weakest link.

At the same time, the backdrop for international cooperation amongst authorities appears particularly bleak. Back in April 2009, at the height of the global financial crisis, governments of the G20 came together with a robust, comprehensive and effective plan of action. By contrast, with alleged state involvement in certain attacks, countries now operate as “frenemies” with a guarded stance on cyber issues.

There is a conflict between the need for the seamless sharing of threat-intelligence on the one hand, and the desire to localize data within national borders on the other. There may also be cultural differences in attitudes towards citizens’ privacy vis-à-vis the state. Finally, cyber threats appear to be highly dynamic as attackers harness digital tools with great agility. It is possible, for example, for quantum computing to make it easier to break current encryption methods.

This landscape of a rough neighborhood, coupled with a seemingly underdeveloped security apparatus at the international level, poses new risk-management challenges for the financial services sector. A cyber event could trigger a loss of confidence, possibly by compromising the integrity of the data on which the flow of finance relies. That could in turn trigger bank runs, liquidity freezes or jumps in market prices. Whether this escalates into a system-wide crisis or not would depend on the prudential response of regulators, as argued by Danielsson et al. (2016).

In the words of Catherine Bessant, chief operations and technology officer at Bank of America, “The threat is huge and what makes it difficult for boardrooms is that it’s hard to model; it’s a risk where past is not prologue”.

As it is, unlike credit risk or market risk, operational risk (of which cyber risk is a subset) can be more nebulous in its framing. The Basel Committee on Banking Supervision (BIS) issued guidance on sound practices for the management and supervision of operational risk in 2003, later updated in 2011. A more recent BIS publication, “Cyber-resilience: Range of Practices” (December 2018), catalogues a sweep of activities by both banks and regulators.

Quantifying cyber risk is difficult. Any rigorous process requires data (internal and external), assumptions and subjective estimates made by a risk committee. That is why the qualitative aspects of the approach and framework are so important, as is the need to perform table-top war games.

Regulators expect institutions to build systems that are “secure by design”, with an emphasis on resilience against threats rather than compliance with a standard checklist. The roles and responsibilities of members of the board, senior management and other key posts must be articulated explicitly and without ambiguity. Staff in cyber-related functions must have the required capabilities, and some jurisdictions have implemented specific cyber certifications. There is ample spotlight on the contractual framework and governance of outsourcing activities, seeking to ensure that nothing falls through the cracks. Regulators are also keen to calibrate the regulatory burden to the size and significance of the service provider so as not to discourage innovation by fintech start-ups.

For large traditional banks, the organizational design and cultural slant towards cyber risk is still a work in progress. Should compliance officers sit with operations or with the legal department? Is there sufficient separation, communication and challenge amongst the ‘three lines of defense’? Does the chief information security officer (CISO) have the required seniority or stature within the organizational chart? Does she come from a technology, legal or crime-enforcement background? Do the board and senior management appreciate that new products, markets or cost-reduction measures must be road-tested against their impact on cyber risk, or is that an afterthought?

What are the norms of information sharing within banks, between banks, and between banks and regulators? Incident reporting from banks to regulators is mandatory in most places. This may include the requirement to submit a root-cause analysis and a post-mortem of lessons learnt. However, there are gaps in the other lines of communication: between regulators across jurisdictions, from regulators to banks, and amongst banks (possibly due to perceived stigma). According to the BIS (2018), “full adoption of all types of information-sharing arrangements within a jurisdiction is still exceptional.”

Finally, banks need to continue to refine their taxonomy of controls, risk classification and indicators, and to maintain a book of tangible items that can serve as metrics for their cyber risk control environment. That dashboard could include items ranging from cyber-incident response playbooks, recovery plans and vulnerability scans, through password and encryption policy, to training statistics and near-miss events.
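As an added illustration of what such a dashboard can look like in practice (this is example code written for this page, not anything from the article or the BIS publications it cites), the script below turns a small control inventory into key risk indicators with a red/amber/green status. All asset names, staff names, dates, remediation SLAs and policy thresholds are constructed assumptions; a real institution would substitute its own taxonomy and risk appetite.

```python
"""Cyber risk control dashboard (example, not from the article): turns a constructed
control inventory into key risk indicators a risk committee could review.
Every name, date, SLA and threshold here is an assumption for illustration."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

AS_OF = date(2020, 1, 6)  # reporting date (constructed)

# Remediation SLA per severity, in days (assumed policy values)
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass
class Vulnerability:
    asset: str
    severity: str
    found: date
    fixed: Optional[date] = None  # None means the finding is still open


@dataclass
class Playbook:
    name: str
    last_tested: date  # date of the last table-top exercise


def vulns_past_sla(vulns: List[Vulnerability], as_of: date = AS_OF) -> List[Vulnerability]:
    """Open findings that are older than the SLA for their severity."""
    return [v for v in vulns
            if v.fixed is None and (as_of - v.found).days > SLA_DAYS[v.severity]]


def sla_compliance_rate(vulns: List[Vulnerability], as_of: date = AS_OF) -> float:
    """Share of findings fixed within SLA, or still open but not yet past SLA."""
    if not vulns:
        return 1.0
    ok = sum(1 for v in vulns
             if ((v.fixed or as_of) - v.found).days <= SLA_DAYS[v.severity])
    return ok / len(vulns)


def training_completion_rate(completed: Dict[str, bool]) -> float:
    """Fraction of staff who completed the annual security-awareness training."""
    if not completed:
        return 0.0
    return sum(1 for done in completed.values() if done) / len(completed)


def stale_playbooks(playbooks: List[Playbook], as_of: date = AS_OF,
                    max_age_days: int = 365) -> List[str]:
    """Incident-response playbooks not exercised within max_age_days."""
    return [p.name for p in playbooks if (as_of - p.last_tested).days > max_age_days]


def password_policy_gaps(policy: Dict[str, object]) -> List[str]:
    """Compare an authentication policy with assumed minimum requirements."""
    gaps = []
    if int(policy.get("min_length", 0)) < 12:
        gaps.append("minimum length below 12")
    if not policy.get("mfa_required", False):
        gaps.append("multi-factor authentication not mandatory")
    if int(policy.get("lockout_threshold", 0)) == 0:
        gaps.append("no account lockout after failed attempts")
    return gaps


def rag(value: float, green: float, amber: float) -> str:
    """Red/amber/green status for a 'higher is better' metric."""
    return "green" if value >= green else "amber" if value >= amber else "red"


def build_dashboard(vulns, training, playbooks, policy, near_misses: int,
                    as_of: date = AS_OF) -> Dict[str, Dict]:
    """Assemble the indicators into one dashboard with a status per item."""
    sla = sla_compliance_rate(vulns, as_of)
    train = training_completion_rate(training)
    stale = stale_playbooks(playbooks, as_of)
    gaps = password_policy_gaps(policy)
    return {
        "vuln_sla_compliance": {"value": round(sla, 2), "status": rag(sla, 0.95, 0.80),
                                "overdue": [v.asset for v in vulns_past_sla(vulns, as_of)]},
        "training_completion": {"value": round(train, 2), "status": rag(train, 0.95, 0.85)},
        "playbooks_untested": {"value": len(stale), "names": stale,
                               "status": "green" if not stale else "red"},
        "password_policy_gaps": {"value": len(gaps), "gaps": gaps,
                                 "status": "green" if not gaps else "amber"},
        "near_misses_quarter": {"value": near_misses,
                                "status": "green" if near_misses <= 2 else "amber"},
    }


# Constructed sample inventory for a hypothetical bank
SAMPLE_VULNS = [
    Vulnerability("payments-gateway", "critical", date(2019, 12, 20)),               # open 17 days: past 7-day SLA
    Vulnerability("hr-portal", "high", date(2019, 12, 1), date(2019, 12, 15)),       # fixed in 14 days: within SLA
    Vulnerability("intranet-wiki", "medium", date(2019, 11, 1)),                     # open 66 days: within 90-day SLA
    Vulnerability("atm-controller", "high", date(2019, 10, 1), date(2019, 12, 1)),   # fixed in 61 days: breached 30-day SLA
]
SAMPLE_TRAINING = {"alice": True, "bob": True, "carol": False, "dave": True}
SAMPLE_PLAYBOOKS = [Playbook("ransomware", date(2019, 9, 1)), Playbook("data-breach", date(2018, 6, 1))]
SAMPLE_POLICY = {"min_length": 8, "mfa_required": True, "lockout_threshold": 5}

if __name__ == "__main__":
    import json
    print(json.dumps(build_dashboard(SAMPLE_VULNS, SAMPLE_TRAINING, SAMPLE_PLAYBOOKS,
                                     SAMPLE_POLICY, near_misses=1), indent=2))
```

The point of the design is that each indicator is a function of evidence (dates, records, policy settings) rather than a self-assessment, so the committee can see both the status and the items behind it, such as which asset is overdue or which playbook has not been exercised.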

Unfortunately, cyber risk is here to stay. The sooner we adopt a shared language, a convergent framework and an elevated awareness of this risk, the better prepared we will be to strengthen our defense and resilience against it.

This article originally appeared on the LSE Business Review blog and is reproduced here with permission of the author.

About the author

Lutfey Siddiqi is Visiting Professor-in-Practice at the Centre for International Studies at the London School of Economics (LSE). He is also an Adjunct Professor at the National University of Singapore, having been a founding member of the faculty at its Risk Management Institute. Until May 2016, he was a Managing Director and member of the executive committee of FX, Rates & Credit (FRC) at UBS Investment Bank with global responsibility for emerging markets. Lutfey is a member of the Global Agenda Council (Financing & Capital) at the World Economic Forum, the LSE Court of Governors and LSE Investment Committee, the Bretton Woods Committee, the Advisory Board of the Systemic Risk Centre and the Academy for the $1 Million Global Teacher Prize. He was honored as a Young Global Leader by the World Economic Forum in 2012.
Tags: board governance, cyber risk, Lutfey Siddiqi
