By now, every bank with $50B or more in consolidated assets, as well as those entities’ service providers, should be aware of the new proposed enhancements to federal cyber risk management standards by the Federal Reserve, the OCC and FDIC.
Now, the big question for them is: "how do we get in front of these new requirements?"
What's In the Enhanced Cyber Risk Management Standards?
The list of proposed enhancements includes the requirement for regulated entities to:
- Assess the overall exposure to cyber risk
- Reduce their residual cyber risk to the board-approved level
- Quantitatively measure the completeness, effectiveness and timeliness of residual risk reduction
- Identify the risk associated with internal and external dependencies
- Establish incident response and cyber resilience capabilities to quickly recover from cyber events
Factor Analysis of Information Risk (FAIR) and RiskLens are uniquely suitable for the task. In this new series of blog posts, we will examine each of these standards enhancements and how using RiskLens helps meet them. In this first post, let’s explore the requirement to assess the overall exposure to cyber risk.
(Figure: Example of Aggregate Loss Exposure Report)
Why did regulators identify FAIR?
The Advanced Notice of Proposed Rulemaking signals regulators' awareness of the troubles inherent in using ordinal scales or other qualitative measurements to quantify IT risks. The problem compounds when banks attempt to aggregate those risks into an overall enterprise risk score. (For more information on why this approach is failing, watch this brief video: The Perils Of Aggregating Risk Using Scores.) One of the reasons financial regulatory bodies called out FAIR in the advanced notice is its ability to measure (quantify) risk in a “consistent, repeatable manner.” The consistency and repeatability of FAIR analyses allow organizations to aggregate IT risks and present loss exposure in financial terms - dollars and cents.
How can RiskLens help?
With FAIR, that means we can take disconnected events with disparate outcomes, describe them consistently and aggregate them. Take these five IT risks:
- Ransomware corrupting our central data shares
- DDoS attacks against our main website and online banking websites
- Targeted phishing attacks against executives to learn about financial statements before release
- Misuse of access to steal customer data and perpetrate identity theft
- Attacks on payment networks to steal large amounts of credit card data
Each problem carries its own range of outcomes. RiskLens can measure those distinct cyber risks and describe the array of probable outcomes a bank may experience. This is possible because RiskLens leverages FAIR to factor in the likelihood and impact of each risk materializing. Once accounted for, those factors support normalizing the data. Something powerful happens at this point: the risks can be aggregated in a meaningful, repeatable way.
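As an added example, not code from the original post and not RiskLens's product (all inputs are constructed assumptions for illustration), the following Python Monte Carlo sketch applies the approach just described to the five risks above: each risk is described by the same two FAIR-style factors, a loss event frequency and a loss magnitude range, each is simulated into a distribution of annual loss in dollars, and because every risk is expressed in the same unit those distributions can be summed into an aggregate loss exposure, which ordinal scores cannot produce.

```python
import math, random

# Constructed inputs (assumptions for this example, not RiskLens or FAIR reference
# data): per risk named in the post, a loss event frequency (mean events per year)
# and a loss magnitude range in dollars, read as log-normal 5th/95th percentiles.
RISKS = {
    "Ransomware corrupting central data shares":   (0.30,   200_000,  5_000_000),
    "DDoS against main and online banking sites":  (2.00,    20_000,    600_000),
    "Targeted phishing of executives pre-release": (0.50,    50_000,  2_000_000),
    "Misuse of access to steal customer data":     (0.10,   500_000, 20_000_000),
    "Attacks on payment networks for card data":   (0.05, 1_000_000, 50_000_000),
}
Z95 = 1.6449  # standard-normal score of the 95th percentile

def lognormal_params(p5, p95):
    """(mu, sigma) of the log-normal whose 5th/95th percentiles are p5/p95."""
    mu = (math.log(p5) + math.log(p95)) / 2
    sigma = (math.log(p95) - math.log(p5)) / (2 * Z95)
    return mu, sigma

def poisson(lam, rng):
    limit, k, p = math.exp(-lam), 0, rng.random()  # Knuth's sampler, fine for small lam
    while p > limit:
        k, p = k + 1, p * rng.random()
    return k

def annual_loss(lef, p5, p95, rng):
    """One simulated year: a Poisson count of events, each with its own magnitude."""
    mu, sigma = lognormal_params(p5, p95)
    return sum(rng.lognormvariate(mu, sigma) for _ in range(poisson(lef, rng)))

def summarize(samples):
    ordered = sorted(samples)
    pick = lambda q: ordered[min(len(ordered) - 1, int(q * len(ordered)))]
    return sum(samples) / len(samples), pick(0.5), pick(0.9)  # mean, P50, P90

def simulate(risks=RISKS, years=20_000, seed=7):
    """Per-risk and aggregate loss exposure as (mean, P50, P90) dollars per year."""
    rng, totals, report = random.Random(seed), [0.0] * years, {}
    for name, (lef, p5, p95) in risks.items():
        losses = [annual_loss(lef, p5, p95, rng) for _ in range(years)]
        totals = [t + x for t, x in zip(totals, losses)]  # dollars add; scores do not
        report[name] = summarize(losses)
    report["AGGREGATE"] = summarize(totals)
    return report

if __name__ == "__main__":
    for name, (mean, p50, p90) in simulate().items():
        print(f"{name:44s} mean ${mean:>12,.0f}  P50 ${p50:>12,.0f}  P90 ${p90:>12,.0f}")
```

The printed report gives the mean, median and 90th-percentile annualized loss per risk and in aggregate; replacing the constructed inputs with calibrated estimates yields figures of your own.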
What are the alternatives?
Without this approach, banks and their service providers are left to continue painting a picture using color scales that don't:
- Express the range of outcomes a bank may experience
- Allow meaningful comparison within each rating
- Normalize risks in a way that allows them to be aggregated
Cybersecurity professionals in the financial services sector know these pains all too well. They experience them every time auditors, regulators, and executives ask “what’s the real risk?” It’s time for the financial services industry to take the advice contained in the advanced notice and leverage a rigorous quantitative approach to cyber risk assessments. Let us know how we at RiskLens can help you to leverage FAIR to meet these upcoming regulations.