The New Cyber Risk Environment for Financial Institutions
Staying resilient through inevitable disruption
Cyber attacks on financial institutions have risen 38% since the start of the COVID pandemic. As banks and financial institutions (FIs) have worked to rebrand themselves as technology companies, their cyber risk has grown in step: every new digital channel, platform and integration is also new attack surface. Although the financial sector has historically shown great maturity and investment in its information and technology risk management frameworks, the threat and operating landscape has changed drastically over the last 18 months.
Listen: Threats, Resilience and Risk Transfer Strategies for FIs
It's a new cyber risk environment for banks and FIs.
The financial world has moved into an even more challenging threat landscape, with ever-evolving cyber schemes, attacks, malware and ransomware.
“The tough news on this is that it’s a challenge, a huge challenge,” says Eric Friedberg, co-founder and Co-President of Stroz Friedberg, LLC, a leading cyber consultancy and technical services firm acquired by Aon in 2016. “Over the last couple of years there’s been a 500% increase in ransomware alone.”
The Colonial Pipeline and JBS ransomware attacks, along with the attacks on hospitals, are examples of very serious attacks on national infrastructure for energy, food and health care.
“As Willie Sutton, the famous bank robber, reportedly said when asked why he robbed banks: ‘that's where the money is,’” Friedberg explained. “So the financial institution has really been one of the primary industries that have state-sponsored attacks and financially motivated attacks. These attackers are innovating every day.”
Beyond the threat actors themselves, the operating environment has changed: pandemic-driven work-from-home arrangements, new fintech and digital offerings built on different business models, and heightened globalization and geopolitical tension. Each of these expands the attack surface that criminals can probe.
The question is not whether outages or failures will happen, according to Friedberg, but how long, how disruptive and how damaging the outage will be.
Bank regulators are taking notice as well. Emerging rules such as the European Commission’s legislative proposal, the Digital Operational Resilience Act (DORA), are intended to strengthen banks’ resilience by consolidating existing information and communications technology (ICT) risk management requirements and several related initiatives into one unified framework.
How are banks and FIs responding?
Because of the increased exposures, attacks and claims, we’re seeing FIs create more distinct and dedicated resilience functions. We spoke with Jenny Chin, Head of Operational Resilience at Goldman Sachs, about how her role has evolved with the risks and resilience measures required today.
“We’ve always had a [business continuity planning] team,” Chin said, “and within each of the divisions that are focused around our business continuity planning and programs. And in addition to that, we were very much focused on the resilience of our assets. This is more of an expanded role in our existing BCP program, which we will continue to run but uplifting it to more of an operational resilience lens.”
The strategy at Goldman Sachs, as at other banks and FIs, is to look beyond a traditional business continuity management program focused on recovering individual assets and instead address the complexity and interconnectivity of their operations. Resilience teams are moving from a reactive to a proactive approach, aiming to understand holistically how a disruptive event affects the entire organization, including its third parties, both at the point of impact and as it propagates through the system.
As organizations become more global and interconnected, the future of operational resilience lies in a firm’s ability to mitigate these downstream impacts not only across different divisions within the firm, but also across the technologies, third parties, and even fourth parties (the vendors’ own vendors) that the firm relies on around the world.
“How do we ensure that the systems that we employ, the vendors that we use are, in fact, resilient, as well as their technology?” Chin continued. “Because as we rely more on vendors and third parties to provide a service to us that ultimately we can provide to our clients – I think that is the area of resilience that we really need to focus on.”
To be able to focus on that, however, banks and FIs need to continuously invest in their cybersecurity infrastructure.
Banks and FIs need to invest in cybersecurity infrastructure.
Among the lower scores the FI sector received in Aon’s 2021 Cyber Security Risk Report were application security (2.2 out of 4) and third-party security (2.4 out of 4). These readings come from the Cyber Quotient Evaluation (CyQu), a comprehensive risk assessment that evaluates cyber risk maturity across nine critical domains. Though the scores were higher than the cross-industry global average, there is still a lot of work to be done, and it won’t be easy.
Christian Hoffman, CEO of Aon’s Cyber Solutions North America, believes the increase in ransomware over the past few years has created a challenging environment for banks and FIs trying to invest in cyber risk mitigation. “The addition of the systemic events [like SolarWinds, Microsoft Exchange, etc., led to] early double-digit increases on premiums and have turned into 30- to 40-plus-percent increases [in insurance premiums],” he says. Premium increases of that size absorb budget that would otherwise fund security infrastructure.
Data on incidents and losses is a critical component of that infrastructure and of sustaining it. Organizations are investing in collecting such data and in sharing it, through new industry coalitions and government measures created for that purpose. Accurate and reliable data is what allows a firm to quantify its cyber risk and the associated losses across the organization.
“The accelerated digital transformation triggered by the pandemic has forced financial institutions to reassess the suitability of standardized ‘oprisk’ approaches to modelling cyber risk to inform capital management and insurance strategies,” explained Adam Peckman, Aon’s Global Practice Leader in Cyber Risk Consulting. “Now all financial institutions, buy-side or sell-side, traditional players and emerging digitally-native disruptors, are critically dependent on digital platforms with cyber exposures that represent existential risks. Risk leaders are now looking for better models and datasets to evaluate the complexity of their cyber exposure profile.”
Finally, Christian Hoffman also sees enhancing the stature of security within FIs as an important piece of the puzzle. “Their clients are asking questions and seeking answers around cybersecurity,” he says. “So, we’re seeing this rising tide ... across all segments of the banking space. That discussion needs to ultimately work into the risk transfer discussion.”
The time is now.
The risks posed by cyber attacks and platform failures will only become more disruptive as technology and operating models evolve. Financial institutions need to keep drawing the components of their risk frameworks closer together, striving for a seamless front-to-back cyber posture that links security infrastructure, loss quantification and risk transfer. In the current insurance market, this approach is table stakes for arranging fit-for-purpose insurance programs that deliver maximum value within a firm’s risk framework.