Financial Services Ireland

REPORT

Cyber resilience: Evidencing a well-thought-out strategy



Over the past 12 months, cyber attacks have caused widespread disruption and inflicted more financial damage on businesses than ever before across multiple industry sectors including financial services, healthcare, energy, pharmaceuticals and utilities. The evidence is plain to see in the media headlines as well as in the public breach disclosures and profit warnings issued by a number of global companies.

Against this backdrop, the need has never been greater for financial services companies to develop the capability to absorb these attacks as part of business-as-usual operations, rather than responding in a reactive crisis mode. There are a few reasons for this focus on what is being termed ‘cyber resilience’.

  • Firstly, we can expect continued disruption driven by the rapid pace of technological change. As a result, financial services will rely ever more heavily on digital technology at the heart of value creation and operations, and customer channels will continue to be transformed.
  • Secondly, threat actors will seek to exploit this reliance by leveraging technology weaknesses to further their personal, ideological, financial or geopolitical goals through disruption, fraud, data theft or destruction, cyber sabotage and espionage.
  • Finally, as a direct consequence, boards, risk committees, investors and regulators are increasingly seeking comfort that financial services companies doing business in the digital world are adequately prepared to defend themselves against these attacks, and to protect the stability and integrity of the financial system as a whole.


Cyber resilience is therefore much broader and deeper than simply an updated view of business continuity or disaster recovery plans. It means understanding, to an unprecedented level of detail, where failures can impact the business across the entire value chain, and carefully planning how to eliminate, avoid, reduce or compensate for those failures.

Organisations naturally have finite resources and cannot do everything; hence the entire process must be risk-based, focusing energy on the areas that matter most.

This is a journey that will not happen overnight and requires careful medium- to long-term planning. Defining the strategy and executing the plan that moves a business to a future state of improved cyber resilience is a process. Overall governance is crucial for sponsorship, and a coordinated programmatic approach is key, since the necessary activities cut across all three lines of defence.

From working with our clients and interacting with financial services regulators globally, we broadly see the components of the process towards cyber resilience as follows:

  • Establish governance of cyber resilience initiative including oversight and challenge
  • Risk assess critical functions, processes, data and systems
  • Identify, architect and protect systems, especially those most critical for the firm and the broader financial services ecosystem
  • Manage critical third parties and other key dependencies in the supply chain
  • Detect, respond, recover and communicate when incidents occur
  • Test systems and recovery plans for the most serious scenarios and participate in market-wide exercises
  • Refine the approach by iterating continuously as the business and the threat environment change

We outline this overall process in more detail in the paper below, which I hope will help prompt fresh thinking and provide a source of comfort for those who have already embarked on such a journey.

Hugh Callaghan

FS Executive Director, Cyber