EY: How do you know you’re investing in the right cyber risk strategies?
Across Asia-Pacific, financial institutions are making million-dollar cyber investment decisions to mitigate threats. Such investment decisions need to rely on facts and insights to deliver the right return on investment: where threats are mitigated effectively and institutions return to their target risk appetite. We need a fact-based and structured approach to help Asia-Pacific banks, insurers and asset managers achieve this.
Even as more regulators require businesses to take a structured approach to managing cyber risk, few financial institutions can demonstrate that they are investing in the right cyber risk mitigation strategies.
Ever since cyber threats arrived on financial institutions’ risk registers, boards and management have been making mitigation decisions based on the collective experience of internal security experts and external consultants. But this doesn’t necessarily align with the structured approach required by regulators. Financial institutions are now expected to approach cyber risk decisions in the same manner as other risk domains, such as credit risk.
The current approach sometimes results in a false sense of security, where boards may mistake action for effective protection, where managers rest easy because “we’re using the latest technologies,” and where strategies are considered successful if an institution simply avoids being “the slowest gazelle in the herd”.
A quick comparison with the strictly quantified procedures for allocating capital investment illustrates the dangers involved in continuing with this approach.
If institutions cannot quantify the value at risk from a cyber threat and the amount of risk reduction a particular set of cyber control investments will deliver, how can they meaningfully decide how much to invest and where?
How do they know cyber investments are properly focused on their critical assets to mitigate their key threats?
- Develop a top-down model to quantify cyber risk, enabling the board and management to understand its quantifiable impacts
- Define metrics and risk indicators that measure the effectiveness and coverage of controls on your key assets
- Connect and integrate data sources to provide the facts that support these metrics
- Automate data collection and use analytics tools to generate and communicate cyber risk insights via dashboards that support the range of views required by various stakeholders, including executives, the board and control owners
- Understand how resilient you are to defend against your key cyber threats
- Identify how much a major cyber incident could cost, how much to spend and how much this will buy down risk
- Improve prioritization by recognizing when further investment provides diminishing returns
- Better forecast when you will return to risk appetite
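The points above (a top-down quantification model, the cost of an incident, how much a given spend buys down risk, diminishing returns, and the return to risk appetite) can be made concrete with a small worked model. The example below is added here and is not EY's methodology or tooling; it assumes a simple annualised-loss-expectancy model (annual rate of occurrence times single loss expectancy per threat scenario), controls that remove a fraction of a scenario's rate of occurrence, and a greedy prioritisation that funds the control with the highest risk reduction per dollar until residual risk is within appetite or the next control would cost more than the risk it removes. All scenario, control and cost figures are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """A threat against a key asset, sized top-down with two figures.

    aro: annual rate of occurrence (expected loss events per year)
    sle: single loss expectancy (cost of one event, in dollars)
    """
    name: str
    asset: str
    aro: float
    sle: float


@dataclass(frozen=True)
class Control:
    """A candidate investment and the fraction of each scenario's ARO it removes.

    reductions maps scenario name -> fraction in [0, 1]; unlisted scenarios are unaffected.
    """
    name: str
    annual_cost: float
    reductions: dict


def ale(scenarios, controls):
    """Annualised loss expectancy across all scenarios with the given controls in place.

    Reductions from several controls on the same scenario multiply, so the second
    control applied to an already-mitigated scenario buys down less than the first.
    """
    total = 0.0
    for s in scenarios:
        remaining = 1.0
        for c in controls:
            remaining *= 1.0 - c.reductions.get(s.name, 0.0)
        total += s.aro * remaining * s.sle
    return total


def plan_investments(scenarios, candidates, risk_appetite):
    """Greedy prioritisation of controls by risk bought down per dollar.

    Stops when residual ALE is within appetite, when no candidates remain, or when
    the best remaining control would cost more per year than the risk it removes
    (the point of diminishing returns).
    """
    chosen, steps = [], []
    remaining = list(candidates)
    current = ale(scenarios, chosen)
    while current > risk_appetite and remaining:
        best = max(remaining,
                   key=lambda c: (current - ale(scenarios, chosen + [c])) / c.annual_cost)
        reduction = current - ale(scenarios, chosen + [best])
        if reduction < best.annual_cost:
            break  # every remaining control buys less than $1 of risk per $1 spent
        chosen.append(best)
        remaining.remove(best)
        current = ale(scenarios, chosen)
        steps.append({"control": best.name, "cost": best.annual_cost,
                      "risk_bought_down": reduction, "residual_ale": current})
    return {"chosen": chosen, "steps": steps, "residual_ale": current,
            "within_appetite": current <= risk_appetite}


def sample_portfolio():
    """Constructed illustrative figures for a hypothetical retail bank (not real data)."""
    scenarios = [
        Scenario("ransomware", "core banking platform", aro=0.2, sle=10_000_000),
        Scenario("phishing takeover", "customer accounts", aro=5.0, sle=50_000),
        Scenario("third-party breach", "outsourced data processing", aro=0.1, sle=4_000_000),
    ]
    controls = [
        Control("MFA everywhere", 300_000, {"phishing takeover": 0.8, "ransomware": 0.3}),
        Control("Offline backups and recovery testing", 400_000, {"ransomware": 0.5}),
        Control("Vendor security assessments", 150_000, {"third-party breach": 0.4}),
        Control("EDR rollout", 500_000, {"ransomware": 0.4, "phishing takeover": 0.2}),
        Control("Awareness training", 100_000, {"phishing takeover": 0.3}),
    ]
    return scenarios, controls


if __name__ == "__main__":
    scenarios, controls = sample_portfolio()
    print(f"Inherent ALE: ${ale(scenarios, []):,.0f}")
    plan = plan_investments(scenarios, controls, risk_appetite=800_000)
    for step in plan["steps"]:
        print(f"{step['control']:<40} cost ${step['cost']:>9,.0f}  "
              f"buys down ${step['risk_bought_down']:>10,.0f}  "
              f"residual ${step['residual_ale']:>10,.0f}")
    print("Within appetite:", plan["within_appetite"])
```

With the constructed figures the inherent ALE is $2.65m; MFA, backups and vendor assessments are funded in that order and leave $990k of residual risk, after which EDR would cost $500k to remove $290k of risk, so the model stops short of an $800k appetite and reports that fact rather than recommending spend that does not pay back. That is the kind of statement (how much a set of controls buys down, and whether appetite is reachable with positive-return investments) the quantification approach above is meant to put in front of the board.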