A Discussion with Chris Beck on Cyber Risk Management and Strategies
BankersLab has long been synonymous with cutting-edge risk management, portfolio management, and pioneering innovation.
Our clients in the financial sector have made significant progress in their digital transformation journey. As we continue to incorporate advanced technology, engage with various vendors, and establish more API connections in our operations, it’s crucial to enhance our vigilance.
To further understand how our clients can fortify their operational risk management, BankersLab recently conducted an interview with Chris Beck, Managing Director of Milliman’s Cyber Risk Practice.
BankersLab: As our clients progress in their digital innovation journey, they are finding that cyber-risk has become intertwined with this transformation. What similarities and differences do you see between the financial sector and other verticals? Are we ahead, behind, or mid-pack, in terms of being cyber-risk savvy?
Chris: The financial sector tends to be ahead of other sectors. That said, it’s also one of the most attractive targets for cyber-attack. Saying “cyber is adversarial” might seem unsophisticated, but it’s fundamental to understanding the effort needed to mitigate cyber risks and their potential impacts.
Like government and energy, financial services present a particularly attractive target to bad actors. Nation-states try to disrupt the lives of the citizens of other countries and create distrust in the adversary government’s ability to defend key services or even to function. But you can say the same things about the financial service sector. Unlike nation-states, cyber criminals often look for targets that will pay a ransom quickly or that will enable them to conduct fraudulent transfers of money.
While the financial services sector has invested in cyber controls, cyber leadership, and cyber governance, it still struggles to stay ahead of the bad actors.
BankersLab: When we work on operational risk with our clients, we find that some solutions both mitigate risk and bring revenue and customer satisfaction. An example would be biometric authentication in banking. Do you see opportunities for cyber-risk management to be more strategic rather than simply a cost line item?
Chris: There are two critical forces at play here which may appear to be at odds, but we have the opportunity to accomplish both. There is absolutely the ability to see cyber-risk as both a risk problem and a reward problem. First, consumers demand instant services and access to data. The rise of instant payment apps and buying goods on demand are only two examples. That said, exposing data can increase someone’s potential to be the victim of a cybercrime. A company that can show it delivers speed and security at the same time will have an advantage in the market.
BankersLab: Let’s talk about failure points. What are the common failure points that we should prioritize in the financial sector?
Chris: Financial services firms tend to find challenges in several areas.
The first is their exception process. Most financial service firms do a good job of writing cyber policies and implementing controls, but not at handling exceptions to those rules. Almost all firms balance their business needs and their controls with an exemption policy, where they turn controls off or don’t enforce certain controls for specific users and groups. Often, they don’t scrutinize those policies closely enough to determine how much risk the exceptions add to the institution. Companies should therefore have strict procedures for allowing exceptions.
The second failure point is understanding how the threats are changing. Companies do a good job responding to attacks on others (or themselves) by patching systems or implementing new controls. However, they do a poor job of analyzing potential threats they haven’t yet encountered. Greater cooperation across industries and government in understanding how bad actor tactics and methods evolve would go a long way to reducing cyber losses.
BankersLab: Let’s talk about success. What strategies, approaches and thinking do you observe at client sites that are the most proactive in terms of cyber-risk?
Chris: The most successful companies have robust governance processes that regularly assess business needs, emerging threats, and the control environment. None of these are static, and success depends on continually evolving.
The most successful companies also have a strong influence on their vendors and the cyber risks they introduce, though most will say that’s their greatest challenge. These companies also have detailed “cloud” strategies for how to minimize their own harms if one of their cloud providers were successfully attacked, instead of relying solely on the cloud providers to invest in security, or on the “safety in numbers” idea that cloud providers have so many customers that their own reputation would suffer if they had a major attack.
BankersLab: Let’s talk people. We’ve all seen the mandatory, broad-based cyber risk e-learning. Is it effective? How can the financial sector ‘up its game’?
Chris: People pose the greatest risk as the entry point for cyber bad actors. Through negligent or sometimes even nefarious actions, their own badged and authorized users create the largest exposure for most firms.
Cyber risk training has become “table stakes” for most institutions. Most users have no problem explaining how they should act, and have no issue passing their training, but that doesn’t always translate into good habits or actions.
The key is to create a culture of vigilance. Leadership at the most successful firms holds individuals accountable for poor user behavior. This ranges from a conversation with a manager if someone violates a policy, to HR actions, including compensation-based consequences, for repeat offenders.
BankersLab: What do you wish that financial sector professionals knew or understood, in terms of better managing cyber-risk?
Chris: In most firms, there’s still a division between people who understand how technical controls work and those who take a risk-based approach that includes the needs of the business. Many cyber professionals have deep technical training and experience, but don’t fully grasp how business needs will drive user behavior in conflict with best technical practices. Balancing security and business remains an in-demand skill set for financial services firms.
At BankersLab, we’ve discovered that experiential learning yields significant results. In today’s complex environment, merely adhering to mandatory basic cybersecurity training for lenders falls short. It’s essential to strike a balance between risk and reward, tackling challenges with a data-centric approach.
We invite you to participate in our workshop, where we delve into the intricate cause-and-effect dynamics of Cyber Risk and Operational Risk.
Want to learn more?
Join us in our data-driven journey towards improved operational risk management. Check out our Operational Risk in a Digital World Simulation Workshop.