The recent Cyber Risk North America Conference, hosted by Risk.net, drew a high-level crowd of over 100 infosec professionals from banks, insurance companies, mutual funds, and other finance firms—and their regulatory agencies—for a two-day gathering in New York that was a great listening post to measure the state of play in financial services cybersecurity.
A scan of the conference agenda gives a quick read on what was top-of-mind for this group:
- A session on “preventing another banking network attack”, covering both vulnerabilities and controls, plus “what metrics should be presented to the board”.
- Two sessions on the convergence of operational and cyber risk, covering updated concepts for ERM and the three lines of defense.
- Four sessions on risk metrics, with an emphasis on quantifying risk.
RiskLens CEO and FAIR Institute President Nick Sanna was in attendance, and spoke on the “Quantifying Cyber Risk” panel discussion (with fellow panelists and veteran risk officers Robert Paolino and Evan Wheeler). Nick also led a roundtable discussion on security metrics.
Here are Nick’s notes from the event:
My 3 Main Takeaways from the CRNA Conference
“#1 Big change in the amount and type of discussion about cyber risk quantification”
Last year, the hallway and panel chatter was about whether cyber risk could be quantified, and communicated in financial terms consistent with other risk reporting to boards and senior management. And there were few sessions that covered the topic.
This year, it was about how best to do quantification, and the topic was featured in multiple sessions, including presentations of case studies.
I also heard a new, open spirit in these discussions: Everybody wanted to learn from each other’s experiences.
“#2 Operational risk officers are looking for risk models to consistently assess the various types of risk”
The operational risk managers I talked to have come to a crossroads. Their current models, focused on Basel II and Basel III compliance, are tailored mostly to assess financial risk with little application to other operational or technology domains.
They do not have proven, consistent and scalable models such as FAIR to assess all other operational risk scenarios—at a time when regulators have elevated op risk as a factor that needs to be assessed alongside all other types of enterprise risk. They’re looking at their existing controls maturity and risk management frameworks for analytic solutions but not finding good answers.
“#3 Organizations would like to use the same analytics model across cyber and operational risk scenarios”
Risk officers at financial institutions told me they feel increasingly constrained by the limits of their analytics tools. They’re looking to assess both operational and cyber risk in financial terms that would be consistent with how other forms of risks are measured, such as market and credit risk.
This would help them to provide a common language among all areas of ERM and make risk aggregation and comparisons possible.