The risk of a fatal blow due to the impact of a cyber security attack is real.
The foundation of most - if not all - financial services players is the trust and reputation which comes from their brand. Increasingly, players are engaging in a full scale battle to protect this critical core asset. In a digital world, they are not just fighting against cyber assailants. While cyber risk presents a significant challenge for the industry, digital disrupters, mandatory data breach proposals and changing community attitudes are also closing in on the incumbents and threatening to erode hard won trust and reputation.
And all of this is happening against the backdrop of expanded oversight from regulatory authorities such as ASIC, APRA and the Privacy Commissioner. This, in turn, gives rise to new liability issues - not least of which is a greater propensity for class actions.
The battle lines are drawn. The threat of damage to reputation and trust in the brand demands a tactical response.
Incumbents have long seen the trust and reputation in their brand as a barrier to entry for new players - and, as such, a core asset which provides them with a competitive advantage. However, this asset is under constant attack in the digital world.
The attack is coming from a number of fronts:
- Cyber assailants are increasingly finding new and sophisticated ways to circumvent traditional technological and operational security measures. And, whilst the rise of new technology platforms - such as mobile and cloud computing - and data analytics tools have opened up a world of opportunity for incumbents to digitise their products and services, the unintended consequence is that the attack surface increases due to the growing openness of information systems and the huge amounts of data being collected and processed by those systems. The potential rewards for cyber assailants have never been greater.
- Digital disrupters are harnessing technology - and, in particular, the mobile channel - to disrupt established ways of doing business, often striking a new balance between privacy and openness with consumers. These disruptors are wrestling market leadership from incumbents by exerting control over the growth and pace of innovation. While trust and reputation often takes many years to build, it can be accelerated by those clever enough to tap into the right disruptive technology, respond to a pressing customer need and amass enough of a customer base. Take Uber and Airbnb for example. True, they may not be custodians of sensitive customer data in the same way as financial services players. That said, there do exist other players like PayPal which, in the space of 15 years, has managed to amass in excess of 230 million accounts worldwide.
- The impending introduction of mandatory data breach laws in Australia could not come at a more challenging time. The fact is that data breaches are not infrequent, and are only likely to become more prevalent in light of the above forces. Having to notify affected customers of data breaches will impact on reputation and trust in the brand at a time when disruption is at its peak.
- Community attitudes to technology adoption, and the attendant privacy risks, are changing. Customers are generally more inclined to give up some of their privacy if they consider the benefits of adoption outweigh the privacy risks involved.
- Inflexible and entrenched legacy systems continue to hold established players back and make it much more difficult to respond to the growing pressure for IT simplification and adoption of new technology solutions, like cloud and mobility, that facilitate innovation and continual business changes.
- Regulators are increasingly flexing their muscle in the area of data security and cyber risk - be it ASIC in its Cyber Resilience: Health Check (March 2014), APRA in its Information Paper on outsourcing involving shared computer services (including cloud) (June 2015), or the enhanced powers of the Privacy Commissioner as a result of the reforms to the Privacy Act 1988 (Cth) which came into effect in March 2014. Failure to take appropriate steps risks regulatory enforcement action, both at the regulated entity level as well as individually for officers and other responsible persons.
- Exposure to liability is increasing due to:
- more regulation
- changing community expectations
- the expanding scope of people with standing to sue.
A tactical response to cyber-security seeks to defend against, and mitigate the impact of, each of these fronts. It is essential that the response is driven from the top down, and supports a "whole of enterprise" approach. This includes:
Those engaged in best practice are actively establishing an enterprise-wide governance framework for managing cyber risks - one which is led by the Board, with appropriate accountabilities, and which filters down not just through IT, but also through various business lines and risk teams within the organisation.
It is important that the executive management team assumes a leadership role in setting the proper tone and structure within the organisation for enabling cyber resiliency.
Increased engagement by insurers means:
- the scope of stand-alone cyber risk cover has greatly improved
- opportunity exists to negotiate bespoke cover for specific risks or transactions
- a more sophisticated offering with associated services such as claims management, media consultants and forensic services.
Stand-alone data risk insurance is now a viable risk management tool, and can be used as a mechanism to drive organisational change.
Enterprise wide cyber risk management
Transformation to a "whole of enterprise" cyber risk management framework involves:
- connecting the dots between teams - IT, risk, marketing and communications, PR, legal and the business units
- establishing business programs that integrate processes, technologies and risk methodologies
- creating the platform for sharing intelligence across the enterprise, and breaking down information silos
- defining lines of responsibility
- developing, testing and regularly updating incident response plans and playbooks to reflect the evolving threat environment.
Examples of best practice enterprise-wide programs include:
- embedding structural changes to protect customer privacy, such as mandating privacy impact assessments for all projects involving the use of customer data and analytics
- developing and implementing equivalent risk methodologies in relation to data security
- undertaking updated due diligence reviews to ascertain the organisation’s cyber-perimeter and points of vulnerability, particularly with respect to third parties, outsourcing and cloud arrangements.
Due diligence reviews assist in getting an enterprise-wide view of:
- what data assets actually exist
- where the critical data assets reside
- where they are located at any given time
- who has access to them
- decisions on IT spend and the right level of protection to be given to those assets
- the internal and external controls which exist
- who, within the enterprise, is best placed to make decisions in relation to those assets.