Recent meetings with leading banks and thrift institutions in the US have revealed that regulators such as the Office of the Comptroller of the Currency (OCC) are requiring that their capital reserves be calculated not only on assets, but also, increasingly, on risk management practices (e.g. Pillar 2 in Basel III) and the resulting actual business risk, including technology risk.
These new requirements create a new set of challenges for these financial institutions, as they have to:
The problem is that most banks and thrift institutions do not have common methods in place to quantify and manage information risk from the business perspective.
Some companies have their IT security professionals leverage governance, risk and compliance (GRC) solutions with the goal of managing risk, but most of their functions are meant to help meet minimum regulatory compliance, not to quantify the actual cyber risk associated with key assets and business processes.
Until recently, there were no practical models to quantify information risk in financial terms. As CISOs or Chief Information Risk Officers started to be asked to contribute to the measurement of enterprise risk, they found themselves surrounded by credit risk and other operational risk professionals who showed up with sophisticated Value-at-Risk (VaR) models and the resulting risk estimates. The only thing they had to offer were gross estimates based on the mental models and guesswork of a few risk analysts.
In the last few years, standard VaR models for information security and operational risks, such as FAIR, have emerged and are allowing leading financial institutions to:
RiskLens is a platform that has been purpose-built from the ground up on FAIR and is helping financial institutions to leapfrog from a qualitative to a formulaic, quantitative approach to information risk. Discover how.