RSA Archer also won the Best Overall Provider of the Year award
The job of the chief information security officer, or CISO, is to measure and monitor cyber risk, and report those findings to senior levels. But, as David Walter, vice-president at RSA Archer, points out, there is a gap between how the CISO addresses cyber risk and how the rest of the financial institution manages its operational risk.
“We are really trying to bridge that gap,” he says. “We need to start thinking about cyber risk as we would any other operational risk.”
Tackling cyber risk has become a top priority for businesses, central banks and authorities in the wake of frequent high-profile attacks. RSA expects the threat of ransomware to increase over the coming year following a recent uptick in attacks, and it has also seen concern rising over data poisoning attacks which, rather than destroying data outright, involve subtly modifying data over time so that organisations gradually lose sight of the true state of their businesses.
Insidious attacks of this nature are increasing. In 2016 Hong Kong experienced a boom of hacking in which retail accounts were taken over and used to ‘pump and dump’ stock, where large scale purchases were made from multiple hacked accounts to push up prices. The same year saw losses incurred by central banks, including $81 million from Bangladesh Bank, following the hacking of the bank’s access to the Swift payment network. It is clear that criminals are testing every link in transactional chains – and with some success.
As the financial services industry has become more digital, the value that firms create is increasingly held within the data they manage, leaving them exposed to its loss or theft. The integrity of data is crucial to their success.
“Anything impacting that fidelity is a significant concern,” says Zulfikar Ramzan, chief technology officer at RSA Archer. “When it comes to security, organisations have historically focused on data confidentiality. However, as security becomes a more significant business concern, areas like data integrity and general business availability have to be prioritised as part of a business-driven security strategy.”
The RSA Archer IT and security risk management system helps users to define and enforce accountability for cyber risk and IT compliance issues, enabling collaboration between IT and lines of business. It also automates IT and security processes, and increases visibility through data consolidation.
The system has not only proven itself to be reliable and insightful, according to users, but it has also made the monitoring and control of cyber risk accessible to users across the enterprise, from non-security functions to the CISO. Sitting within the broader RSA Archer governance, risk and compliance platform, the system can be used to identify threats that may harm the entire enterprise.
“Business continuity manages their risk. Compliance and control evaluations manage their risk. RSA Archer has enhanced our ability to bring these areas together, and we’re finding that linking business continuity to security and to vendor risk provides a more comprehensive risk picture,” explains one user.
Whilst comprehensive, RSA Archer has also proven flexible in its application, so that institutions’ risk management frameworks have not had to be reconfigured in order to accommodate the platform. By avoiding a prescriptive approach, the system has even been accessible to firms with well-established methodologies.
“Larger financial firms have long-standing cultural environments about how they think and act on risk,” says Walter. “For a cyber risk firm to tell them how to rate risk, how to monitor it and measure it, is very presumptuous. That doesn’t fit the real world. Flexibility and adaptability are requirements.”
RSA Archer encourages the business to get involved in risk conversations so that the individuals closest to the operations of the business have an effective understanding of how they can best manage the risk.
“I think it’s a cyber risk management job to help educate, make aware and consult with their business partners and provide them with the most information they can to make decisions they need to make in their businesses,” says Walter.
Education encompasses risks and countermeasures, but also an understanding of innovative technologies that are enabling new ways of handling risk. Artificial intelligence and machine learning have been shaping technology for some time and helping to track, analyse, correlate and make decisions on whether any single transaction carries a risk of being fraudulent.
“It’s quite powerful to see and is forcing cyber criminals to shift their tactics because artificial intelligence and machine learning provide the capability of early detection and mitigation of financial fraud,” says Peter Tran, general manager and senior director in the worldwide advanced cyber defence practice at RSA.
Judges recognised RSA’s flexibility as well as the technical capabilities of the platform. Given the severity of cyber risk to the industry, they also acknowledged the damaging effect it can have in every aspect of financial services.
“There are companies in the world that report that they have been breached, and companies that don’t know they have been breached. There is no third option, that you have not been breached,” says Walter.
Archer has maintained support for industry standards, including its information security management system for ISO 27001 programs, compliance with the payment card industry data security standard, and support for business continuity standards such as ISO 22301.
“Implementing RSA Archer was our first step to ISO 22301 certification,” says an official at one bank. “This certification enabled us to meet compliance standards and significantly reduce our audit activities each year. Without RSA Archer, it would have required more expenditure to reach the certification.”