So far in this blog series on cybersecurity and the banking industry, I’ve discussed the overconfidence many institutions have in their security capabilities, and then a way to combine maturity assessments and attack simulations to develop better defenses. Here, I want to talk a bit about cyber resilience.
In the face of severe cyber threats, financial services firms should now think differently about digital risk management. The protective steps they are taking are important but not enough. Cyber-attacks are not an “if” but a “when and how.” The threats are too frequent and too varied. Many criminals may already be inside your company.
These attackers are nimble and adapt quickly. They require little capital investment and resources to devise and mount their attacks.
In short, breaches are probably inevitable. Traditional preventative measures can slow them down but not ultimately stop them. That means that firms should think differently. In addition to improving their traditional preventive measures, they also should make themselves cyber resilient.
Cyber resiliency is a company’s ability to keep its business processes operating, under both normal and adverse conditions, without adverse outcomes. Specifically, resiliency strengthens the firm’s ability to identify, prevent, detect and respond to process or technology failures and then recover quickly, reducing customer harm, reputational damage and financial loss.
Some firms may limit cyber resilience and risk management to just an exercise of “being prepared” for a worst-case scenario. Being prepared is certainly an important part of resilience because having a plan can help shape a proper response in a stressed scenario.
However, cyber risks are multi-dimensional, so cyber resilience should focus on managing three types of risk in particular:
- IT systems and infrastructure risks. Technology systems and infrastructure are often “ground zero” for cyber-attacks and other breaches, so technology risk management is increasingly important to a cyber-resilient firm.
- Operational risks. Operational risks refer to the potential for a firm’s business processes or technology infrastructure to fail, with adverse consequences such as being unable to communicate with customers, generate transactions or conduct billing. Operational risks also impact reputation, leading to the potential for losses in intangible value as well as actual sales and revenue.
- Fraud and financial crime. Fraud and financial crime can result from the exploitation of vulnerabilities in payment systems, digital banking services and electronic trading, and from failed controls in business processes, technology and even third-party organizations. Furthermore, cyber criminals often rely on the financial institution’s own infrastructure to carry out their schemes, masking themselves as legitimate customers.
We believe a strong approach to cyber resilience means building holistic capabilities across risk and security. Accenture’s methodology targets the multiple entry points and angles at which financial organizations should build readiness.
Four actions are critical within this methodology:
For more on this methodology, visit our cyber resilience page.
Organizations cannot protect themselves at all times from all the potential attacks coming at them from multiple channels. So, putting in place structures, technologies and processes to build resilience—or fast recovery—is critical to operating effectively in today’s connected world.