Remember when stolen credit card numbers represented the height of sophistication in cybercrime? Those days are long gone. Complex, hard-to-detect attacks could now bring down not just a single institution but also large parts of the Internet and our financial system.
Consequently, cybersecurity is no longer just about deflecting attackers. Today, it’s about figuring out how to manage and stay ahead of intruders who are already inside the organization.
Today’s attackers typically aren’t seeking quick results; rather, they attempt to insert themselves silently into a financial institution’s networks – probing for vulnerabilities, waiting for an opportune time to strike or using their host’s trusted connections to infiltrate other unsuspecting institutions. These attacks often span several months or even years.
It’s akin to an arms race – organizations must respond to criminals who are constantly developing new, nefarious methods and techniques to achieve their objectives. As for cybercriminals’ myriad motives, some want to damage the reputations or brands of their targets; others seek customers’ or clients’ sensitive information, which can be used to compromise and steal various types of assets; and other motives are harder to discern.
Recent concerns about systemic cyberthreats have elevated cyberrisk to a higher place on the political and regulatory agenda. Following recent cyberattacks on major credit card and payment systems, the industry began to seriously consider the real risk that cyberattackers could disrupt larger financial systems rather than just harming individual firms. Such an attack could significantly disrupt financial transactions, halt entire markets, and undermine stability and trust in the financial services sector.
This has led to a call for a better approach for addressing cyberrisks, an approach that goes beyond being the sole concern of the information security group. To that end, the financial services industry has embarked on a journey to implement a “three lines of defense” (3LoD) model for cyberrisk, encompassing the following:
- First line: Business units and information security teams with direct accountability for owning, understanding, and managing cyberrisks.
- Second line: Risk managers responsible for aggregate enterprise-wide cyberrisks, who are granted independent authority to effectively challenge the first line’s approach to cyberrisks.
- Third line: Internal audit team providing assurance of overall cyberrisk governance for the enterprise.
These three lines of defense are guided by an active, engaged and qualified board of directors that approves and oversees the firm’s approach to cybersecurity, while achieving alignment by providing a credible and effective counterbalance to management (see Figure 1).
BLUEPRINT FOR ENTERPRISE-WIDE CYBERRISK GOVERNANCE
Establishing a 3LoD approach to cyberrisks is not a trivial task. Financial services firms are still grappling with how best to implement the model across their businesses for existing, more mature categories of risk. Adding cyberrisk management to the 3LoD model will pose an even greater challenge for organizations.
The overall concept is well-known; it’s the practical implementation that’s the issue. Some common questions include the following:
- Frontline accountability for all risks makes sense, but what needs to be done for first-line business and technology leaders to effectively meet their risk obligations?
- Second-line oversight of aggregate risks is clearly important, but how does the second line undertake this role without leaving the impression that the first line may abrogate its duty, knowing the second line is there?
- Third-line assurance acts as an important backstop, but how does internal audit engage sufficiently to drive improvements in cyberrisk governance without undermining its independence?
A critical success factor will be understanding each line’s role and having strong board oversight during the implementation of the 3LoD model for cyberrisks.
FIRST LINE: ENHANCE CYBERSECURITY CAPABILITIES, BRING IN THE BUSINESS
Front-line business units, working with the information security and cybersecurity teams, have to measure, monitor, manage and mitigate cyberrisks within the board-approved cyberrisk tolerance.
A strong first line of cybersecurity requires a significant effort within the lines of business. Whether in the retail bank, investment bank, corporate bank, private bank, or any other area, business heads will have to perform a thorough examination to determine whether the business is doing enough to manage cyberrisk. Information security groups can no longer apply one-size-fits-all solutions to the entire enterprise. Each line of business must carefully define the cyberrisks and exposures it faces. Cyberrisks must be woven into the fabric of the first line’s risk and control self-assessment, and into fraud, crisis management, and resiliency processes.
This will require businesses to achieve a better understanding of the interrelationship between their activities and cyberrisks. The lines of business will need to actively monitor existing and future exposures, vulnerabilities, threats, and risks associated with their activities. After all, the business best knows its own data flows and business processes. Working with the technology teams, each business needs to determine the impact that cyberrisk will have on its clients, operational processes and strategies.
These new responsibilities will require significant investment in people and tools, including upgraded monitoring and analytic capabilities to provide improved assessments of current levels of cyberrisk. Information security already has many capabilities in these areas, but they will need to be reinforced and shared across all three lines. (See sidebar: “Getting to the Right Level of Maturity.”)
SECOND LINE: INVOLVE CYBERRISK MANAGERS IN OPERATIONS
Cyberrisk shouldn’t be walled off as a separate risk function. Instead, it should be embedded into the broader second-line risk management framework. Enterprise risk managers need to compare cyberrisks to other risks using the same financial and probability benchmarks, so that spending on cyberrisk prevention and remediation can be considered simultaneously with other pressing enterprise risks.
Second-line risk management plays a critical role in managing cyberrisks. As the keeper of a firm’s board-approved risk tolerance, it determines how to appropriately measure cyberrisks, embedding quantitative and qualitative (e.g., reputational) thresholds for cyberrisks into the statement of risk tolerance for the firm. Moreover, this clearly established appetite and its associated thresholds need to cascade down into the operations of each line of business.
Other core activities of risk managers need to be extended to treat cyberrisk in much the same way as market risk or operational risk. To do so, cyberrisks need to be embedded firmly into the organization’s firm-wide risk taxonomy and risk-and-control processes, including a distinct cyberrisk management framework that covers internal and external risks and dependencies. Based on that framework, second-line risk managers should develop a comprehensive picture of cyber exposures, vulnerabilities, and risks and then generate solid metrics to inform decision-making and to establish the risk/return trade-offs involved with investments in cybersecurity. Furthermore, risk managers need to monitor the lines of business for sufficient adherence to the firm’s cyberrisk tolerances.
Inevitably, cyberrisk loss data will become a more important factor in investment decisions, as well as in capital and liquidity stress tests. Traditionally, loss data simply reflects the cost of remediating breaches, not the cost of lost business or the erosion of customer trust and brand equity. By including those factors in a broader view of what constitutes loss with respect to cyberrisk, managers will be able to improve their overall decision-making.
The chief risk officer (CRO) has an important role in leading an enhanced second-line cyberrisk management team, with actions including the following:
- Management and oversight: Create a dialogue with the board and risk and audit committees.
- Organizational structure: Establish reporting relationships with chief information officers, chief information security officers (CISOs), chief privacy officers and chief compliance officers.
- Risk framework: Fit cyberrisk into enterprise-wide risk frameworks, including risk governance, risk reporting and metrics, and escalation mechanisms.
- Impact assessment: Quantify the potential impacts to liquidity, capital, or earnings from a cybersecurity event.
- Preparedness: Challenge the effectiveness of disaster recovery and business continuity efforts with respect to cyberthreats, as well as the degree to which recovery and resolution planning properly incorporates cyberrisks.
- Insurance: Assess the residual cyberrisk and decide which risks need to be addressed through insurance (externally or self-insured).
CROs should report independently to the CEO and board of directors, as appropriate, when their assessments of cyberrisks differ from those of the first-line business units, or when a unit has exceeded the entity’s established cyberrisk tolerances. Such reporting is in addition to reporting from the first-line information security professionals.
Given the relative novelty of applying the 3LoD model to cyberrisk, most of the first- and second-line focus is appropriately on more effective management of these risks rather than the narrower issue of compliance. However, given the increasing volume of regulatory guidance and mandatory requirements stemming from industry, professional, and regulatory standards, cyber will increasingly constitute a material compliance risk. Accordingly, financial institutions should integrate cyberrisk compliance into second-line risk management.
THIRD LINE: EXPAND AUDIT’S MANDATE TO COVER BUSINESS DISRUPTERS — CYBERSECURITY
Traditionally, the main role of the third line of defense is to independently assess the firm’s risk and control environment and enhance the effectiveness of the firm’s risk governance approach. The question regulators are now asking is: How effective and how independent is a firm’s internal audit team when it comes to reviewing a firm’s approach to cybersecurity?
As a foundation, the internal audit team will need to include within its overall audit plan an evaluation of the design and operating effectiveness of cyberrisk management across the first and second lines of defense. Traditionally, industry standards (such as the National Institute of Standards and Technology’s Cybersecurity Framework) have been used as the benchmark for evaluating a firm’s effectiveness. Going forward, internal audit teams may need to create their own framework or apply multiple industry frameworks. By doing so, auditors will maintain greater independence in assessing cyberrisk management effectiveness, eliminating the potential blind spots that can result from using a single common standard throughout all three lines of defense.
Under the 3LoD model, internal auditors will do the following:
- Perform assessments: Report on how well the first and second lines of defense adhere to the firm’s cyberrisk management framework, compare actual cyberrisk exposures with approved risk appetite and tolerances, and assess the firm’s capabilities to adapt to evolving threats and vulnerabilities.
- Validate applications and connections: Independently validate the firm’s application inventory throughout its catalog of internal applications, technology infrastructure, business processes, and vendors; monitor connections and dependencies both internally within the firm and externally to other financial institutions and information-sharing organizations.
- Evaluate third-party risks: With a heightened focus on critical vendors and “nodes” within the financial system that have the potential to create system-wide contagion, internal audit may need to enhance its evaluation of critical vendors, such as through stronger ongoing monitoring techniques. For their part, third parties may have to step up the degree to which they issue attestation reports (e.g., Service Organization Control 2 reports) to provide sufficient information to their clients on their cyberrisk management approach.
- Conduct independent penetration tests and vulnerability assessments: At a minimum, the internal audit team may need to enhance the manner in which it independently validates the scope, quality, and remedial activities associated with the first line’s penetration testing and vulnerability assessments. But, in time, that may not go far enough. The internal audit team may have to conduct its own testing and assessments. The assessments — its own or those conducted by the first line — have to be able to adapt to a changing threat environment. This may require periodic rotation of third parties used for such assessments.
- Enhance regular audit procedures with cyberrisk considerations: Factors relevant to addressing cyberrisk should be incorporated into standard audits throughout the year. For example, as part of routine audits, internal auditors should also review business continuity and disaster recovery plans; capital and liquidity stress testing scenarios (including various scenarios related to cyber breaches); recovery and resolution plans (especially for critical vendors and internal shared services); information technology and security risk management; and impact assessments related to the adoption of new disruptive technologies or digital platforms.
- Stay abreast of threat intelligence: To align audit activities with enterprise priorities based on active risks and threats, internal auditors should collaborate with the first line to receive appropriate threat intelligence and analytics.
The board of directors is ultimately responsible for verifying that management implements an effective 3LoD approach for cyberrisks. The board and its committees — notably, the audit and risk committees — need to validate the delineation of risk management and cybersecurity oversight responsibilities across risk management, internal control, and internal audit. The board should provide strong oversight and effective challenge to management.
The board maintains oversight of the enterprise-wide cyberrisk management strategy, including an appropriately set appetite for cyberrisk. It also has to validate that cyberrisk management strategies and risk appetites have been integrated into strategic plans and risk management structures in other areas of the enterprise.
The cyberrisk management strategy needs to address these items:
- Managing inherent/aggregate residual cyberrisk (i.e., before and after mitigating controls)
- Maintaining resilience on an ongoing basis
- Identifying and assessing activities, exposures and resources that involve cyberrisk
- Establishing policies for identifying cybersecurity incidents, addressing shortfalls and responding to cybersecurity incidents and threats
- Testing and measuring cybersecurity protection, detection and response
Increasingly, regulators will expect boards to validate that cyberrisk management strategies consider the firm’s overall position, importance and interconnectedness within the broader financial market. An internal perspective will no longer be enough.
Boards should confirm that management has clear metrics for success. These include absolute metrics such as year-over-year comparisons; goal-based metrics that assess how well the organization performed against stated objectives (e.g., if the goal is “no unscheduled downtime greater than one hour,” how often was that goal missed?); capability-based metrics that describe new capabilities the firm did not have in a prior period; and peer analysis using industry-level data and surveys.
As boards evolve their cybersecurity oversight roles and responsibilities, it’s important that they evaluate whether they have adequate cybersecurity experience among their members. At a minimum, they need access to staff with such experience, or they may rely on support from third parties. Additionally, one or more board members may need enough technical knowledge to enable the board to properly hold management to account for developing and implementing a cyberrisk strategy and managing the firm within board-approved cyberrisk levels.
WE’RE ALL IN THIS TOGETHER
Regulators are pushing the 3LoD model to compel banks to improve their risk management in response to failures before and after the financial crisis. Firms have implemented the model in the area of financial risks, such as credit and liquidity. Where the industry is most challenged is in the area of nonfinancial risks, including cyberrisk.
Regulators have concluded that a 3LoD cybersecurity model is critical. Cyberrisk can no longer be considered an information risk for the information security professionals to manage by themselves. They still have a critical role to play in managing cyberrisk, working directly alongside first-line business management. At the same time, the second and third lines have independent roles to perform.
Getting this right will take time. But with system-wide cyberrisks in mind, the industry needs to move quickly to get the fundamentals in place so that, together, individual firms and the industry as a whole become better protected, more resilient, and capable of responding quickly and effectively to future attacks.
About the Author:
John Doherty is a partner in Ernst & Young’s Information Technology Advisory practice with over 27 years of experience in the financial services industry managing information technology (IT) matters for international companies. He has extensive experience in IT risk management, information security, privacy, regulatory compliance, IT governance, technology operations, and project management. Doherty is the Global Leader of IT Risk Management for Ernst & Young.
Mark Watson is an Executive Director in Ernst & Young’s Financial Services Organization advisory practice. His main area of focus is risk governance, including corporate governance, risk culture, risk accountability, and risk oversight. He is actively engaged in regulatory developments, working with EY’s Global Regulatory Network of former senior regulators. He works across financial services. Watson was formerly a partner with Tapestry Networks between 2008 and 2013, where he led the firm’s financial services practice. Working closely with EY, he founded and led the Bank Governance Leadership Network and Insurance Governance Leadership Network, made up of non-executive directors and executives from the globe’s largest banks and insurance companies, as well as leading regulators, supervisors, and policymakers globally. He also worked with EY and the Group of Thirty (G30) on the G30’s report, Toward Effective Governance of Financial Institutions.