On 10 May 2016, the Bank of England (BoE) published a speech by its Chief Information Security Officer, Will Brandon, on the approach financial institutions should take to managing cyber-risk.

Mr Brandon indicated that cyber-risk can be managed like anything else that can damage a firm's business, by understanding it and balancing investment in mitigation against similar investments needed in the business.

He said that addressing this risk is a leadership and a management issue, rather than an issue simply for the IT department. Firms should use the same governance approaches as they use in other areas of their business, and require clear policies and standards, good management information and a sensible approach to compliance. Firms' managers should take ownership of information security risk as they would any other risk and, consequently, should have a formal means to assess and manage it.

Mr Brandon suggested that firms can balance cyber-risk against other risks by quantifying it. This involves breaking the risk down into:

  • Threats: the types of people that might want to launch a cyber-attack on a financial institution and their likely motives.
  • Vulnerabilities: weaknesses that can be exploited by attackers, including outdated operating systems, poor patching, untrained staff, unsegregated networks and weak security monitoring. A firm should treat any failing in its ability to respond to a critical incident as a vulnerability.
  • Assets: systems or information that underpin firms' critical business processes. These assets should be identified, and firms should have a clear view of the impact on their business if they are compromised. Mr Brandon emphasised that the owners of the business processes that these assets support must be accountable for the cyber-risk relating to them.

Mr Brandon said that if firms take this approach, they will be able to assess the likelihood and impact of cyber-risk crystallising and have a better understanding of the controls they need to reduce vulnerabilities or to mitigate the impact.