Cyber risks are silent, deadly and often mundane
Fear of submarine-like attack overshadows more dangerous, less scary cyber threats
The military use of submarines was pioneered during the American Civil War, but Britain's Royal Navy was slow to adopt them. In 1901, Admiral Sir Arthur Wilson, the controller of the navy, described them as "unfair, underhand, and damned un-English".
Thinking about the threat faced by sailors, it's easy to see why somebody might think this way. Previously, a captain and his crew would have been able to spot enemy ships on the horizon well before they could pose a palpable threat. Suddenly, naval vessels were faced with the grim possibility of a catastrophic assault emerging from the deep, without warning, at any time.
A similar sentiment applies to cyber attacks. Like a submarine assault, the impact can be catastrophic, preventing businesses from operating properly and fatally damaging public confidence. For firms, the attack is all the more scary because it is silent and stealthy. And even after the damage has been done, the shadowy perpetrators of cyber crime may remain unseen.
No surprise, then, that cyber risk cropped up as the most frequent concern of operational risk managers in a Risk.net survey of their biggest op risk fears for 2016.
Worrying about cyber security lapses has also become a leading preoccupation of regulators. "When I think about the risks that might cause the next crisis, cyber security is one that concerns me the most," said Sarah Dahlgren, the then-head of the Financial Institution Supervision Group at the Federal Reserve Bank of New York, speaking at an OpRisk conference in March 2015.
In its latest Semiannual Risk Perspective, published on December 16 last year, the US Office of the Comptroller of the Currency pointed to "the increased sophistication of cyber threats" and "pervasive technology vulnerabilities" as among its biggest op risk concerns.
At a global level, supervisors are working to address the cyber risks faced by financial market infrastructures, such as central counterparties, trade repositories and payment systems. The Basel-based Committee on Payments and Market Infrastructures (CPMI) and the Madrid-based International Organization of Securities Commissions (Iosco) published a consultation on their high-level Guidance on cyber resilience for financial market infrastructures in November 2015. Coen Voormeulen, co-chair of the group that produced the guidance and a director at De Nederlandsche Bank, stresses firms and regulators must work together to keep cyber threats at bay.
For all the emphasis on cyber risk, it's worth remembering that not all of it involves targeted attacks by shady cyber criminals. Lost passwords, unattended computer terminals and inadequate controls on sensitive data are more likely causes of cyber security breaches, say risk managers – and the consequences can be no less severe. The CPMI-Iosco guidance appears to acknowledge this, with a section on insider threats noting the need for firms to look into "anomalous behaviour" by staff using their systems and to ensure that "access... is restricted only to those with a legitimate business requirement", for example.
Those more prosaic cyber threats may not scare risk managers in the same way that a giant shadow looming from the depths would strike fear into the hearts of seamen. The real picture is less frightening, but perhaps more dangerous. For it seems the enemy is not just undetected; they might already be in the room.
Copyright Infopro Digital Limited. All rights reserved.