Justin McCarthy serves as chair of the global board for the Professional Risk Managers’ International Association, a professional body for over 50,000 financial risk managers around the world. He has worked in many financial risk management roles, including at Bank of America Merrill Lynch, PricewaterhouseCoopers and with the Irish Financial Regulator. This work has allowed him to see the changes in risk management through and beyond the recent global financial crisis. This includes work on the PRISM risk-based supervision framework with the Irish Regulator. However, before his risk work, Justin was an IT practitioner and was a Senior Network Engineer and IT Security Officer with the EMC Corporation.
Christopher P. Skroupa: How does cyber security affect the financial risk community? How can institutions forge a formidable cyber defense in advance of the problem?
Justin McCarthy: Cyber security is fast climbing to the top of the list of issues that the financial risk community has to worry about. While there has been an awareness of cyber security in functions like IT, recent events have resulted in a focus for the financial risk manager. Of note was the recent incident where cash was taken from the accounts of Tesco Bank customers in the U.K. This was carried out by using an online attack on 40,000 accounts and resulted in around £2.5 million being removed from about half of the accounts targeted.
With these kinds of incidents in mind, institutions will be expected—and indeed, may have a regulatory obligation—to prepare a cyber defense. The first part of this is to understand the issue at hand and to take a few simple actions. Cyber security and all the related elements such as phishing, malware, passwords and a plethora of such topics may seem to be impossible to get a handle on, but sometimes, it may help to understand that this is just another risk to be mitigated.
If we were asked to prevent an old-style bank robbery, then we might feel more confident in how to do this. We would ensure that the safe had a time lock, that the bank branch was locked at the end of the day and that there was a short and well-controlled list of key holders. We can do the same with cyber security. We should ensure that proper controls and security are in place around our financial assets – we guard the keys to our buildings, but don’t ask questions about who has a “log on” to our payments systems. Sometimes asking a simple question like that can be the start of mitigating these risks.
Skroupa: Financial entities seem to be increasingly driven by their regulatory obligations—are you seeing any examples of this? Have you seen financial entities expand their strategies to non-regulatory measures to ensure an effective defense?
McCarthy: Yes, financial regulators are seeing the threat in this to the institutions that they supervise and, in their mission to protect financial stability and financial consumers, they are moving to address this in guidance and in their engagement programs.
A recent response has been with the regulator I formerly worked with: the Central Bank of Ireland. In September 2016, they released Cross Industry Guidance in respect of Information Technology and Cybersecurity Risks. While there is much detail in the related report, the key elements are quite simple. It sees information technology as becoming central to the supply of financial services, that the incidence of cyber-attack and business interruption is on the increase and, quite interestingly, that institutions should assume they will be successfully targeted. It places the responsibility for cyber security with boards and senior management and expects this issue to be put among their top priorities. A holistic approach that aligns IT and business strategy, outsourcing risk, change management, cyber security, incident response, disaster recovery and business continuity is expected, and the Central Bank of Ireland lays out its intentions to make cyber security part of their supervisory engagements.
On the question of non-regulatory measures, there would have been existing measures in place with functions like IT to ensure a secure operating environment—recent focus and initiatives have helped by ensuring this is recognized and discussed at the level of senior management and at the boardroom table.
Skroupa: How should boards address cyber risks? How much of a say should investors have in a company’s cyber defense structure?
McCarthy: Rather than trying to find new and complex ways to do this, it can be useful to look at existing ways the board are interfacing with their financial risk function and leverage those for cyber risk as well. An example of this may be applying the risk appetite statement to their cyber security infrastructure.
Risk appetite may be defined as the level of risk that an institution is willing to accept in carrying out their business objectives. A well-developed risk appetite will document the level of risk to be accepted for different categories of risk. Thus, an institution may agree that they have a low level of risk for an area like market risk and thus will take little risk—and expect lesser return—on their investments. Meanwhile, an institution may decide to accept high risk on their loan writing activities but charge a high level of interest to compensate for the expected higher level of defaults.
For cyber security, the board can be asked to express a level of cyber risk that can be accepted. While they will most likely say “zero risk,” as per the guidance from the Central Bank of Ireland, the assumption must be made that you will be targeted. Thus, the zero-appetite element may be more inward looking—for example, there may be zero tolerance for staff not to complete cyber security awareness training or zero tolerance for staff to share passwords.
Investors already have a strong interest in this aspect of risk management—major banks will include their risk appetite statements in their annual statements and this can be reviewed and questioned by an investor.
Skroupa: How can firms defend themselves from ever-evolving cyber threats?
McCarthy: This is probably the toughest question we have here… there may be no defense that an institution can deploy to defend itself. However, this does not mean we should not try.
The first measure has already been alluded to: education and awareness. If we try and understand some of the simpler aspects of this threat and put measures in place to defend against it, then we have made a start. Some of the more recent successful attacks have been related to “phishing,” where an innocent looking email may be used to launch a cyber-attack. The defense is simple—make staff aware that they should be careful when opening emails on their work devices and if in any doubt, check with the IT department.
The next is to ensure that the technical aspects are being addressed by the IT function. Asking simple questions like, “Is the anti-virus software up to date?” or “Have we had an external review of the new website?” or “Has there been a review of the active usernames and passwords?” can give surprising answers. On the last one, it can be enlightening to find that staff who have left months—or even years—earlier still have active accounts on the user system, and that those accounts are sometimes even still being used by other staff!
The last one relates back to the risk appetite element already detailed. If the board says that they have zero appetite for cyber risk, then they need to supply the resources to help enforce this. If cyber security training is to be provided for staff, then a budget has to be put in place for that. And lastly for this element, there needs to be a report back to the board on the items selected as part of the risk appetite. A report that only 50% of staff have completed their training may result in some choice questions back to the staff of the institution.
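One way to turn the “review of the active usernames” question above into a repeatable check, as an added example that is not part of the interview: it reconciles a constructed directory export against a constructed HR leavers list, flags leavers whose accounts are still enabled, and separates accounts used after the leaving date (someone else is signing in with them) from dormant ones; all usernames, dates and field names are made up.

```python
"""Reconcile enabled user accounts against an HR leavers list (added example).
The account export, leavers list and field names are constructed for this
illustration and do not describe any real system."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Account:
    username: str
    enabled: bool
    last_logon: Optional[date]  # None when the account has never signed in


# Constructed sample data: a directory export and HR's leaving dates.
ACCOUNTS = [
    Account("asmith", True, date(2016, 11, 28)),  # current employee
    Account("bjones", True, date(2016, 11, 30)),  # left 2015, still signing in
    Account("cwhite", True, None),                # current, never signed in
    Account("dgreen", False, date(2016, 1, 12)),  # left, correctly disabled
    Account("eblack", True, date(2015, 4, 20)),   # left, enabled but dormant
]
LEAVERS = {"bjones": date(2015, 9, 30), "dgreen": date(2016, 1, 15),
           "eblack": date(2015, 5, 31)}


def stale_accounts(accounts, leavers):
    """Return (username, finding) for each leaver whose account is still enabled.
    A last logon after the leaving date means someone other than the departed
    employee is using the account; a dormant enabled account still needs closing."""
    findings = []
    for acct in accounts:
        left_on = leavers.get(acct.username)
        if left_on is None or not acct.enabled:
            continue  # current employee, or leaver already disabled
        if acct.last_logon is not None and acct.last_logon > left_on:
            findings.append((acct.username, "enabled and used after leaving date"))
        else:
            findings.append((acct.username, "enabled but dormant since leaving"))
    return findings


def leavers_still_enabled_ratio(accounts, leavers):
    """Share of leavers still holding an enabled account: a number the board can
    track against a stated zero tolerance."""
    return len(stale_accounts(accounts, leavers)) / len(leavers) if leavers else 0.0
```

Run against the sample data, the check reports bjones as used after leaving and eblack as dormant, with two of three leavers still enabled.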
Christopher P. Skroupa is the founder and CEO of Skytop Strategies, a global organizer of conferences.