Cyber-risk is an area of massive concern for the financial services industry. Incumbent players are staring down the challenge of disruptive companies impacting their bottom line while managing the increased risks posed by sophisticated and well-resourced threat actors.
At the recent Cyber in Business conference held in Melbourne a panel discussed these issues. The panel was moderated by Mike Trovato, a managing partner at Cyber Risk Advisers. The four panelists were Tania Motton, the general manager for corporate and commercial banking at ANZ, Kate Healy from Aleron Consulting, Daniella Traino from Data 61 and Puneet Kukreja from Deloitte.
Trovato opened the discussion by asking how financial institutions should behave given these challenges and changes.
Kukreja said financial institutions need to become more agile and react faster. That means security reporting can't just focus on what's happening today but needs to look at risks in the medium and long term. By taking a longer view of potential disruption and risks, companies can treat risk management as an enabler that combines with and integrates into business transformations.
As the discussion turned towards the challenges of risk and compliance, Traino said the days of the risk and compliance team being the "No Team" are behind us. She noted managing risk and compliance were often seen as obstacles to innovation. However, Traino said they could be used as guide rails rather than roadblocks.
Innovation can't happen without risk, she said. "You just have to be smart about it".
Healy reiterated the need for risk and compliance teams to become enablers and not blockers. But in order to do that they need to do a better job of understanding and contributing to the broader business strategy and then focus on becoming enablers.
Today's fast-moving world poses a challenge, according to Motton. Risks change, and companies need to be adaptable to evolving risks. Her suggestion was to start from the customer service perspective, putting customers first and supporting them in running their businesses. This built on the enablement theme that all the panelists agreed was critical.
Healy and Traino said one of the challenges is improving awareness and education. In particular, there’s a need for companies to ask tougher questions of third parties. A great deal of trust is placed in the hands of service providers but managers and executives are often unable to ask the right questions when it comes to how they manage risks.
Traino suggested an executive boot-camp about risk and compliance with third parties was a good place to start, but all the panelists agreed that the lessons needed to percolate through the entire business.
Kukreja said another issue was the lack of an established framework or methodology. When there’s a fire drill, he said people know how to react to the various sirens and who to follow and where to meet.
“No one questions the methodology. Why is cyber different?”, he asked.
Over time, he said the “cyber” from cyber resilience will be dropped as companies matured and focussed on corporate resilience.
The language used to express cyber risks needs to change so that it is meaningful to executives and boards. Healy suggested a different way of expressing patching status as an example.
Rather than saying 80% of systems are patched, Healy advocated using language such as a business process is vulnerable to an attack over the next 30 days unless remedial action is taken.
Looking ahead, all four panelists agreed the current way of managing cyber risks was difficult to sustain. Traino noted there are over 1400 vendors in the security market with many businesses engaging dozens of different solution providers.
Simplification will be important, said Kukreja. Motton added that there is a need to understand that investments made today may not be right in a year's time. The days of contracting a solution for three or five years are behind us. We need to be prepared to rapidly deploy a solution and then supersede it when the threat landscape moves on.