Cyber security is an essential task for corporations. But how can firms assess and understand their cyber risk on a holistic basis? Ajoy Kumar, DTCC Head of Cyber/Tech Risk, explains how DTCC assesses its risk landscape from a business line level and extends that information across the organization in a holistic risk management approach.
Given the critical nature of cyber security to the overall functioning of an organization, Financial Services Organizations (FSOs) are starting to measure and manage cyber risk as one of the critical risks in their overall risk portfolio. While FSOs are starting to gain an understanding of their cyber risk across the entire business franchise, understanding the cyber risk landscape at an individual Line of Business (LOB) level has not advanced at the same rate.
At DTCC, our Enterprise Cyber Risk Assessment (ECRA) enables each DTCC LOB to better understand its unique cyber security risk portfolio. The ECRA satisfies regulatory requirements from the CFTC and IOSCO, as part of the larger goal of understanding potential cyber risks through empirical data and identifying the mitigating processes that lower those risks.
Identifying LOB cyber risks includes analyzing prior cyber risk assessments, incidents, issues, Risk Control Self Assessments (RCSA), vulnerability data and threats across the enterprise, and then deriving the LOB-specific view based on the business context, threat landscape and technology footprint.
This approach combines a bottom-up analysis of data with a top-down validation of the risks within the LOB. Once cyber risks are included in the business risk portfolio, LOBs are able to extend their existing business and operational risk management practices to cyber risk management and take a holistic risk management approach across the entire risk portfolio.
The Value of a Cyber Risk Assessment
Firms typically perform several security and risk assessments, but they often have difficulty consolidating the disparate results into a single report that tells the business what its top cyber risks are.
The ECRA informs each LOB of its potential cyber risks and enables a better understanding of those risks, using both quantitative and qualitative methods, and ultimately provides the information each LOB needs to set its cyber risk priorities.
The bottom-up analysis of data and the top-down evaluation of a firm's risk levels are done in parallel, which gives a complete picture of the risk and control environments and supports developing risk scenarios and prioritizing recommendations.
The bottom-up analysis involves collecting risk data from several empirical sources, which are then normalized onto a common scale. Based on the understanding of this data, overall risks are categorized. The result is a risk catalog that forms the building blocks for informed decisions and next steps. The risk catalog is refined yearly, adding risks where necessary and improving clarity to keep up with emerging threats.
Regulatory agencies have homed in on the threat that cyber risk poses to the overall securities industry. To comply with rules and mandates, risks are mapped to the relevant regulatory requirements, including privacy and third-party risk, so that the categorizations are well informed.
This is where the top-down assessment begins. Key stakeholders, including business operations and product owners, prioritize the cyber risk categories that have been identified and refine language as needed. Informed discussions are then conducted, and relevant risks are gauged. The risk ranking is then finalized based on LOB input. LOBs can always override the stack ranking of risks based on their knowledge of their enterprise. This also serves as a useful exercise for the organization to be involved with the risk assessment and efforts to mitigate risk.
In the top-down assessment, LOBs can review the threat library, which contains essential information on threat actors, their level of sophistication, their potential motives and their effect on the LOB. This exercise makes visible how different operational and cyber risks come together and how best to manage them. For example, Covid-19 created new openings for cyber risk at many companies: with the sudden switch to a virtual environment, onboarding ran with weaker controls, so malicious actors could have been hired. Having a threat library and running a scenario-planning exercise is critical for ECRA planning and allows firms to pivot as necessary.
Following the top-down and bottom-up analysis, there is a discussion about inherent risk. Viewing the risks without any controls is a lengthy exercise the first time, but it should be repeated frequently, because risks are not static. For instance, Covid-19 moved the workforce from onsite, to at home, to hybrid. The inherent risks changed: the need for additional device capacity and for monitoring of company devices and networks added to the risk, which illustrates the benefit of evaluating inherent risk frequently. Residual risk is then calculated from the inherent risk together with an understanding of the control environment. That understanding of the control environment also shows how control investments have lowered the risk to the environment.
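The bottom-up normalization, the inherent-to-residual calculation and the LOB override of the stack ranking described above can be illustrated with a small scoring model. This is an added example, not DTCC's ECRA method or data: the scoring formulas (exposure scaled by its source maximum, inherent risk as exposure times business impact, residual risk as inherent risk reduced in proportion to control effectiveness) and the sample inputs for one hypothetical LOB are all assumptions chosen for illustration.

```python
from typing import Dict, List, Optional

Scores = Dict[str, float]

# Constructed sample inputs for one hypothetical line of business (not DTCC data).
RAW_SOURCES: Dict[str, Scores] = {
    "incidents":       {"phishing": 12, "third_party": 3, "privileged_access": 1},   # incident count, trailing year
    "vulnerabilities": {"phishing": 0, "third_party": 40, "privileged_access": 25},  # open findings
    "rcsa":            {"phishing": 3, "third_party": 4, "privileged_access": 5},    # self-assessed severity 1..5
}
IMPACT: Scores = {"phishing": 3, "third_party": 5, "privileged_access": 5}  # business impact 1..5 (assumed)
CONTROL_EFFECTIVENESS: Scores = {"phishing": 0.7, "third_party": 0.4, "privileged_access": 0.9}  # 0..1 (assumed)


def normalize_source(values: Scores) -> Scores:
    """Scale one empirical source onto 0..1 by dividing by its largest value, so a
    source counted in the hundreds does not drown out one scored 1..5."""
    top = max(values.values(), default=0.0)
    if top <= 0:
        return {k: 0.0 for k in values}  # a source with no signal contributes nothing
    return {k: v / top for k, v in values.items()}


def exposure(sources: Dict[str, Scores]) -> Scores:
    """Bottom-up step: per risk category, average the normalized contribution of every
    source. A category absent from a source contributes 0 for that source."""
    categories = sorted({c for s in sources.values() for c in s})
    normalized = [normalize_source(s) for s in sources.values()]
    return {c: sum(n.get(c, 0.0) for n in normalized) / len(normalized) for c in categories}


def inherent_risk(expo: Scores, impact: Scores) -> Scores:
    """Inherent risk, i.e. the view with no controls applied.
    Assumed model: normalized exposure x business impact, scaled to 0..1."""
    return {c: e * impact[c] / 5.0 for c, e in expo.items()}


def residual_risk(inherent: Scores, controls: Scores) -> Scores:
    """Residual risk after the control environment is taken into account.
    Assumed model: inherent risk reduced in proportion to control effectiveness
    (0 = no effective controls, 1 = fully mitigated)."""
    return {c: r * (1.0 - controls.get(c, 0.0)) for c, r in inherent.items()}


def rank(scores: Scores, lob_override: Optional[List[str]] = None) -> List[str]:
    """Top-down step: stack-rank categories by score, then let the LOB force named
    categories to the top in the order it gives (its business knowledge wins)."""
    ordered = sorted(scores, key=lambda c: scores[c], reverse=True)
    forced = [c for c in (lob_override or []) if c in scores]
    return forced + [c for c in ordered if c not in forced]


def ecra_snapshot(sources: Dict[str, Scores], impact: Scores, controls: Scores,
                  lob_override: Optional[List[str]] = None) -> dict:
    """Run the pipeline once; repeating it per period yields the trend senior management reviews."""
    expo = exposure(sources)
    inherent = inherent_risk(expo, impact)
    residual = residual_risk(inherent, controls)
    return {
        "inherent": inherent,
        "residual": residual,
        "ranking_inherent": rank(inherent),
        "ranking_residual": rank(residual, lob_override),
    }


if __name__ == "__main__":
    snap = ecra_snapshot(RAW_SOURCES, IMPACT, CONTROL_EFFECTIVENESS)
    for cat in snap["ranking_residual"]:
        print(f"{cat:18s} inherent={snap['inherent'][cat]:.2f} residual={snap['residual'][cat]:.2f}")
```

With these constructed inputs the inherent ranking is third-party, privileged access, phishing, while the residual ranking moves privileged access to the bottom because its controls are assumed to be the most effective; passing `lob_override=["privileged_access"]` puts it back on top regardless, which is the LOB override the text describes.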
Finally, trend analysis is a critical tool that lets senior management follow individual risks over time, and each assessment cycle helps stakeholders with future planning and spending prioritization. In summary, ECRA helps FSOs make more informed decisions about cyber risk management and take a holistic risk management approach across their entire risk portfolio.
Kumar recently spoke at the Global Resilience Federation 2021 Virtual Summit on Security & Third-Party Risk.