Will Brandon, the Chief Information Security Officer for Bank of England, recently gave a speech at the City Week conference, on the approach financial institutions should take on managing cyber-risk.
Mr Brandon argued that understanding cyber-risk and investment in mitigating the risk were ways financial institutions can manage cyber-risk. Mr Brandon also stated that management of cyber-risk requires the same governance approach and strategies as are adopted for other parts of the business.
In order for firms to be able to assess the likelihood and impact of cyber-risk crystallising and to have a better understanding of the controls firms would need to reduce vulnerabilities or to mitigate the impact, Mr Brandon argued that firms can quantify cyber-risk if it is broken down as follows:
- Threats, differentiating cyber from other risks as cyber is adversarial and the risk derives from the capability and intent of people who might intentionally attack an institution.
- Vulnerabilities, allowing weaknesses that can be exploited by attackers, including outdated operating systems, poor patching, untrained staff, unsegregated networks and weak security monitoring. A firm should treat any failings in its ability to respond to a critical incident as a vulnerability.
- Assets, being the systems or information that underpin a firm’s critical business processes. In line with the increased emphasis on individual responsibility among senior management in the financial sector, Mr Brandon emphasised that the owners of the business processes that these assets support must be accountable for the cyber-risk relating to these assets.
Mr Brandon highlighted that the corporate consequences, including for the careers of senior executives, can be extremely serious as a result of cyber-risk.