I just wrapped an engagement analyzing a bank’s top 10 risks with RiskLens, and the results were surprising: One of the risks the bank’s infosecurity team most feared turned out to be not much of a concern while another risk that was flying under their radar in fact had the potential to do them serious harm.
How did the risk analysis clear up the picture? It came down to employing each of the two key components of risk (or loss exposure in FAIR parlance):
When thinking through “scary” scenarios, it’s easy to overweight magnitude (“just imagine if they get access to application X, they’ll be able to do anything they want!) but frequency is just as important in determining loss exposure over time (typically one year).
Here’s how that played out for two risks in the bank’s top 10 risks analysis:
A bank may make hundreds of transactions a day, each involving hundreds of thousands of dollars through their SWIFT inter-bank messaging system. The impact from a fraudulent SWIFT transaction could be very high. In 2016, thieves used SWIFT to lift $81 million from the Bank of Bangladesh’s account at the New York Federal Reserve. Naturally, our client assumed that a fraudulent SWIFT transaction would turn out to be one of the top 10 risks.
What is rarely considered when a client thinks of a fraudulent SWIFT transaction are the many controls, (i.e. preventative, detective, checks and balances, etc.) that are in place because the stakes are so high. As a result, a malicious external threat would need to carry out any number of a very complicated series of steps in order to crack the system. This reduces the risk scenario’s frequency to a low point.
Risk Analysis Conclusion: High Magnitude, Low Frequency → Relatively Low Risk
Fraudulent client transactions due to compromised customer credentials seem to be a concern to almost all financial institutions that we work with. Most, if not all have robust fraud departments with any number of detection and recovery capabilities to safeguard their clients. Yet, it may be due to these efforts that this scenario more or less flies under the radar from a concern perspective. Let me elaborate…
The number of customer accounts at the bank that are compromised due to social engineering runs into the hundreds per year, which means there are just as many initiated fraudulent transactions. For each fraudulent transaction, the bank engages several teams: Fraud, Cyber Security, Wire Investigation. The teams thwart about one-third of the attempted compromises but every successful fraudulent transaction costs the bank $15,000 in person hours—not much per incident but multiply by number of incidents and it’s death by a thousand cuts.
Risk Analysis Conclusion: Low Magnitude, High Frequency → Relatively High Risk
A good risk analysis takes many factors and data points into account, but if we spend a little time balancing both the magnitude AND the frequency of loss, we gain a much better understanding of the risk scenarios–and which risks really belong among the top 10.