Fiduciary responsibilities in risky cybersecurity waters

By Mark Norcini

Hearing the phrase “cyber risk is business risk” has become the norm at conferences and webinars. In the financial industry specifically, cybersecurity risk is now as significant as financial risk. The latter has well-refined standards and practices for measuring and managing it; the former does not. Just ask the executives and board members who find themselves responsible for, but not experts in, cybersecurity. In many cases they are fiduciaries for the business, not cybersecurity experts.

Fiduciary is a term normalized in the investment industry, reflecting the relationship between decisions the fiduciary is tasked with and the outcomes on assets owned by someone else. An example is a retirement plan committee with discretion to make investment decisions on behalf of an employee retirement plan.

Simply put, a fiduciary is expected to act prudently and solely in the best interests of another party. They are expected to have some level of skill and knowledge. If they don’t, they seek expert advice.

Are new security guidelines coming?

The financial industry currently has no specific regulation imposing fiduciary conduct standards with respect to cybersecurity. However, in March 2022, the SEC proposed new guidelines over strategy, governance and reporting of cybersecurity risk. 

The effect of this proposed guidance is driving cybersecurity and its related risks further into the C-suite. The proposed penalties for failure, with respect to data security, involve mandatory public disclosure and, in the case of negligence, subpoena to the Department of Justice. 

Garnering public trust

While the “teeth” of the proposal are still to be determined, we expect this regulatory focus over cybersecurity to expand for one reason: trust. 

“The SEC strives to promote a market environment that is worthy of the public’s trust and characterized by transparency and integrity.”

Trust is not necessarily lost in the event of a cyber breach. Lasting damage occurs when a forensic audit uncovers negligence or laziness regarding actions taken — or not taken — to affirmatively anticipate and protect against a cyberattack. In other words, fiduciary responsibility is oversight of the process and resources deployed, not necessarily of the outcomes. Using the retirement benefits committee example, a negative investment return does not in itself indicate a failure of fiduciary duty as long as the committee can demonstrate a prudent process.

Comparing financial risk to cybersecurity risk

A CFO probably considers financial risks such as liquidity or credit by forecasting potential economic scenarios and testing how the company’s balance sheet would perform. Ultimately, the finance department would establish a confidence interval of those scenarios that is in line with the company’s posture. Then in review, the team could evaluate their initial projections versus actual outcomes by assessing market values.

While cybersecurity lacks the luxury of market values for risk measurement, it does have levels of measurement. Consider the following: 

Ask your cybersecurity team to define the top 75 threats that the company expects to face this quarter and why they think that. That number could represent a three standard deviation confidence interval for attack activity, created by historical data and intelligence. 

Using this convention, how does the cyber program connect each of these 75 threats to the specific compensating controls the infrastructure has in place to mitigate them? Defining the scope of risk and implementing specific mitigations for each item in that scope is a very defensible process.

At the end of the quarter, how many of those 75 threats actually showed up during the period? How many of those attacks were stopped? For the attacks that were expected but did not show up, how is it verified that they were absent versus undetected? 

If the necessary information is not available, the fiduciaries now know where to invest until they are able to satisfy a standard of measurement.

The failure and recovery loop

Let’s flip back to financial risk. When making a loan, a bank has a process in place to evaluate a borrower. It considers a “failure and recovery” loop: if the borrower’s income is impaired and they can no longer service the loan, are there other assets to utilize for payment? If there are no other assets to support repayment, is there recoverability in an asset tied to the loan (i.e., house for a mortgage)? If there is no asset tied to the loan, can the bank insure against this loan? Finally, if all else fails, can the business survive a complete wipeout of this loan?

This failure and recovery loop translates well to cybersecurity. A malicious email gets through the primary gateway: is there something in place to identify it (other than the employee) while it is sitting in an inbox? Let’s say that fails and the employee clicks on a “bad” link. The attack reaches a laptop. Will the endpoint security detect it? Even though we might be confident in these two layers, let’s pretend the attacker succeeds to this point: do we know whether the network security tools will see and stop its call-out to the internet?

This probably sounds like “defense in depth,” a strategy that layers protection across the IT infrastructure for resilience.

Caution to the fiduciary: defense in depth, in and of itself, doesn’t mean secure or even layered. The strategy only works if the security team’s process aligns each threat to each of the steps in the above example. The “top 75 threats” list means that there are 75 different attack paths mapped out and tested. Once again, if the information is unavailable, the fiduciaries now know where to invest.
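The measurement questions above (which expected threats appeared, how many were stopped, whether an unobserved threat is verifiably absent or merely undetected, and whether every attack path has a tested control at each layer) can be reduced to a small reconciliation over a threat register. The following is an added illustration, not code from the article or from SEI Sphere; the layer names, the threat register and the quarterly counts are all constructed, and the rule used for “verified absent” (at least one tested control with searchable telemetry) is an assumption chosen for the example.

```python
"""Quarterly threat-to-control reconciliation (constructed example).

Each expected threat maps to compensating controls at the layers of the
failure-and-recovery loop. At quarter end the report answers the fiduciary's
questions: what was expected, what showed up, what got through, which
absences are verified versus unverified, and where to invest next.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Assumed layer names, following the email -> laptop -> network example.
LAYERS = ("email_gateway", "endpoint", "network_egress")


@dataclass
class Control:
    layer: str
    name: str
    tested: bool     # has this attack path actually been exercised end to end?
    telemetry: bool  # does the control emit logs that can be searched afterwards?


@dataclass
class Threat:
    name: str
    controls: list[Control] = field(default_factory=list)
    observed: int = 0  # attempts seen this quarter
    stopped: int = 0   # attempts blocked by any layer


def layer_gaps(threat: Threat) -> tuple[list[str], list[str]]:
    """Return (layers with no control at all, layers with only untested controls)."""
    covered = {c.layer for c in threat.controls}
    tested = {c.layer for c in threat.controls if c.tested}
    missing = [layer for layer in LAYERS if layer not in covered]
    untested = [layer for layer in LAYERS if layer in covered and layer not in tested]
    return missing, untested


def absence_status(threat: Threat) -> str:
    """Classify a threat for the quarter.

    An unobserved threat counts as 'verified_absent' only when a tested control
    with telemetry could have seen it (assumed rule); otherwise 'unverified',
    meaning absence cannot be distinguished from non-detection.
    """
    if threat.observed > 0:
        return "observed"
    if any(c.tested and c.telemetry for c in threat.controls):
        return "verified_absent"
    return "unverified"


def quarterly_report(threats: list[Threat]) -> dict:
    """Aggregate the register into the numbers a board-level review would ask for."""
    for t in threats:
        if t.stopped > t.observed:
            raise ValueError(f"{t.name}: stopped ({t.stopped}) exceeds observed ({t.observed})")
    attempts = sum(t.observed for t in threats)
    stopped = sum(t.stopped for t in threats)
    statuses = {t.name: absence_status(t) for t in threats}
    gaps = {t.name: layer_gaps(t) for t in threats}
    return {
        "expected": len(threats),
        "observed": sum(1 for s in statuses.values() if s == "observed"),
        "attempts": attempts,
        "stopped": stopped,
        "got_through": attempts - stopped,
        "verified_absent": sum(1 for s in statuses.values() if s == "verified_absent"),
        "unverified": sum(1 for s in statuses.values() if s == "unverified"),
        # Threats whose whole path is covered and tested at every layer.
        "fully_tested_paths": [n for n, (m, u) in gaps.items() if not m and not u],
        # Where the fiduciary "now knows where to invest".
        "invest_here": {n: {"missing": m, "untested": u}
                        for n, (m, u) in gaps.items() if m or u},
    }


# Constructed sample register: four expected threats for one quarter.
SAMPLE_THREATS = [
    Threat("phishing credential harvest", [
        Control("email_gateway", "URL rewriting", tested=True, telemetry=True),
        Control("endpoint", "browser isolation", tested=True, telemetry=True),
        Control("network_egress", "DNS filtering", tested=True, telemetry=True),
    ], observed=12, stopped=12),
    Threat("malicious attachment macro", [
        Control("email_gateway", "attachment sandbox", tested=True, telemetry=True),
        Control("endpoint", "macro blocking policy", tested=False, telemetry=True),
    ], observed=3, stopped=2),
    Threat("credential stuffing on VPN portal", [], observed=0, stopped=0),
    Threat("known C2 beacon", [
        Control("network_egress", "egress proxy blocklist", tested=True, telemetry=True),
    ], observed=0, stopped=0),
]

if __name__ == "__main__":
    for key, value in quarterly_report(SAMPLE_THREATS).items():
        print(f"{key}: {value}")
```

Run on the sample register, the report shows 4 expected threats, 2 observed, 15 attempts with 14 stopped and 1 that got through, one verified absence (the beacon, because a tested control with telemetry would have logged it) and one unverified absence (the VPN threat, which has no control and therefore no way to tell absent from undetected). Only the phishing path is tested at every layer; the `invest_here` entry names the missing and untested layers for the rest, which is the information the article says fiduciaries need before they can judge whether the program is doing enough.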

Though the practice of managing cyber risk is young, Gartner research forecasts that “by 2026, at least 50% of C-level executives will have performance requirements related to cybersecurity risk built into their employment contracts.”

Leaders can use their business acumen and minimal operations expertise to set a risk standard for the business to live up to. In doing so, decision makers will have a framework to evaluate the investments made (people, process and technology), quantify risk and determine if they are doing enough — just like they do with every other department of their business. 

Mark Norcini is the director of technical sales for SEI Sphere, helping lead businesses through the processes of defining their IT needs and then utilizing their resources to help meet those needs.
