Applying the Enterprise Risk Mindset to Navigate Cybersecurity Threats - New Risk Mindset Series
- Rajesh De,
- Justin Herring,
- Meghan Milloy and Matthew Saidel,
- FTI Consulting
Financial institutions and securities market participants continue to face escalating cyber threats – in frequency, volume, and severity. The many reasons for the escalating risk include:
- Financial services companies are high-value targets. They aggregate large volumes of sensitive and valuable data, and they have and move large sums of money.
- The increased length of the software supply chain, including the use of third-party applications, has expanded the attack surface for bad actors.
- The interconnectedness of the modern financial services industry exposes companies to business disruption or data loss from third-party cyber incidents, such as incidents at other financial institutions, at vendors, and at customers, greatly amplifying the impact of a single incident.
- Threat actors continue to grow both in number and in sophistication. They are quick to adopt new technology, such as AI.
Enterprise risk management therefore requires considering a range of risks. A data breach of confidential information brings significant legal risk and reputational harm. Particularly severe outcomes include a costly disruption to business operations that can impair the functioning of the broader financial system or securities markets. Major incidents are complex, high-stakes, and stressful.
Planning Properly
Effective preparation before an incident is critical to reducing cyber risk and to ensuring that a company is not in a purely reactive mode when an incident happens.
Organizations often have good intentions but face many challenges when preparing a response plan, such as:
- Lack of involvement or buy-in from senior leaders.
- A list of action items without a clear road map connecting them or a responsible party for each.
- Inadequate practice and testing.
- Overlooking the importance of communicating with stakeholders during an incident.
The principles below can guide your organization in overcoming these challenges.
Apply an Enterprise Risk Mindset
An enterprise risk mindset approach to cybersecurity is:
Proactive
Address cybersecurity on an ongoing basis. Not only are threat actors constantly upgrading their tools and techniques, but the regulatory requirements are multiplying. If you are standing still, you will start to fall behind.
Holistic, enterprise-wide
Involve all decision-makers, including senior executives. Organizations cannot relegate cybersecurity risk to a technology issue; cyber-attacks can affect the entire organization, so mitigating the risks requires input, knowledge, and buy-in at all levels. Moreover, many regulators, from the Bank of England to the Federal Reserve, now require boards and senior management to oversee the organization’s operational resilience and cybersecurity programs.
Up-to-date
Stay abreast of what’s changing, including how other organizations are handling these risks and how financial services regulators across the globe are increasing their scrutiny, regularly releasing regulatory guidance and writing new rules.
Practice
Identify the steps to take in the event of an incident, determine who will be responsible for each task, and practice executing the plan. Tabletop exercises are an excellent way to identify gaps, assign responsibilities for actions (such as communicating with stakeholders, making legal decisions, and notifying regulators), and practice response scenarios. Financial services regulators, such as the Bank of England, expect firms to test against scenarios that are “severe but plausible.” Also, involve all senior leaders and the board of directors; don’t let an actual incident be the first time a key decision-maker interacts with the cyber incident response plan.
Assemble A Toolkit
It should include:
Governance protocols
Develop internal protocols to help board members and senior leaders stay abreast of cyber risk. Cybersecurity risk is an enterprise risk, so senior leaders need this information to provide direction on how to balance cybersecurity risk against cost and business need.
Staffing and Technology
Take a thoughtful approach to hiring, developing, and retaining experienced cybersecurity professionals during a widespread shortage of such talent. And keep investing in the technical tools needed to keep up with threat actors’ expanding capabilities.
Third-party advisors
Line up third-party help in legal, technology, and communications, the areas most critical to navigating cyber risk. Select and onboard these third parties as part of the incident preparation process; doing so saves valuable time when their help is needed during an incident.
Guardrails
Apply a risk-based approach to set guardrails that make sense for your sector, stakeholders, size, geographic location, and consumer and regulatory expectations, among other factors.
Get Set to Communicate
Delays in communications may give regulators, clients, and the public the impression that the organization is ill-prepared for a crisis, is not taking the issue seriously, and cannot comply with applicable regulations, particularly those involving public disclosure or operational resilience under SEC, NYDFS, and OCC rules. Before an incident:
- Assemble a clearly defined team of “first responders” who have authority to work with outside counsel and other advisors to serve as the voice of the institution, coordinating and approving communications.
- Ensure that all employees understand that during an incident only approved communications should be shared outside the company.
- Prepare alternative communications channels in case of technical outages.
It Starts at the Top
It’s worth repeating that cyber risk management requires preparedness at every level, beginning at the board level. A well-prepared leadership team—educated in the risks and committed to enforcing high-quality mitigation programs—will help steer the company through a crisis.
Additional Authors from FTI Consulting
Meghan Milloy, Managing Director
Matt Saidel, Managing Director
The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, Inc., its management, its subsidiaries, its affiliates, or its other professionals.
FTI Consulting, Inc., including its subsidiaries and affiliates, is a consulting firm and is not a certified public accounting firm or a law firm.
FTI Consulting is an independent global business advisory firm dedicated to helping organizations manage change, mitigate risk and resolve disputes: financial, legal, operational, political & regulatory, reputational and transactional. FTI Consulting professionals, located in all major business centers throughout the world, work closely with clients to anticipate, illuminate and overcome complex business challenges and opportunities. www.fticonsulting.com