On 10 May 2016, the Bank of England (BoE) published a speech given by Will Brandon, BoE Chief Information Security Officer, on the approach financial institutions should take to managing cyber-risk.
Mr Brandon argues that cyber-risk can be managed like anything else that can damage a firm’s business, by understanding it and balancing investment in mitigation against similar investments needed in the business.
He states that addressing this risk is a leadership and a management issue, rather than an issue simply for the IT department. Firms should use the same governance approaches as they use in other parts of their business, which will require clear policies and standards, good management information and a sensible approach to compliance. Firms’ managers should take ownership of information security risk as they would any other risk and, consequently, should have a formal means to assess and manage the risk.
Mr Brandon suggests firms can balance cyber-risk against other risks by quantifying it. This involves breaking the risk down into three components:
- Threats. Mr Brandon outlines the types of people that might want to launch a cyber-attack on a financial institution and their likely motives.
- Vulnerabilities. These are the weaknesses that can be exploited by attackers, including outdated operating systems, poor patching, untrained staff, unsegregated networks and weak security monitoring. A firm should treat any failings in its ability to respond to a critical incident as a vulnerability.
- Assets. These are the systems or information that underpin firms’ critical business processes. Firms must identify these assets and have a clear view of the impact on their business if they are compromised. Mr Brandon emphasises that the owners of the business processes these assets support must be accountable for the cyber-risk relating to them.
Mr Brandon argues that if firms take this approach, they will be able to assess the likelihood and impact of cyber-risk crystallising and have a better understanding of the controls they need to reduce vulnerabilities or to mitigate the impact.