He raised a number of interesting points which are in line with some of the issues we have discussed in our recent white papers on “board of directors’ responsibilities for cyber” and “the cyber cultural security firewall”.
Dr Dombret confirmed that it has been a struggle to raise wider awareness of cyber risk, as it was widely assumed that IT is something for specialists, or simply an internal support function for the firm.
Given recent high-profile attacks, however, he believes cyber threats are no longer an abstract notion as boards and executives begin to talk about criminal acts like phishing, Trojan-horse attacks, distributed denial of service attacks and man-in-the-middle attacks.
Unsurprisingly, he emphasised that awareness implies neither understanding nor knowing which steps to follow. In his experience, cybersecurity is often a name tag with a budget, while cyber resilience remains a myth.
He also pointed out that “the digitalisation of banking has led to a shift in the economics of financial crime; vast values are now stored on bank servers and no longer as cash in safes, and hacking is becoming an increasingly lucrative venture”.
Dr Dombret discussed three ways a cyberattack can harm a financial institution, one for each of the classic security properties of integrity, confidentiality and availability:
- An integrity breach (manipulation of data)
- A confidentiality breach (theft of personal information)
- An availability breach (denial of service)
Critically, he believes that the financial sector is not only a major target but also vulnerable to almost every conceivable type of cyber risk, and that cyberattacks have the potential to ruin a bank’s reputation.
Interestingly, he admits that the Bundesbank itself is a target of cyberattacks. As a regulator, it has gained insights into cyber incidents, risk cultures and institutional preparedness across financial institutions. Lessons learnt include:
- There is a tradeoff for every innovation; to assess the tradeoff, you have to know what elements are being traded off against each other
- There simply is no such thing as 100 percent cybersecurity
- Defending from cyber risks requires a considerable degree of foresight and ingenuity
He emphasised that, from a governance point of view, setting the right priorities can make a huge difference. The Bundesbank has seen cases in which banks expend a lot of resources on deterring sophisticated assaults while omitting the most basic of measures, specifically the human factor: “Humans are often the weakest link in IT processes; targeting ‘digital carelessness’ among customers and staff is usually a good way to achieve fast results in mitigating risk”.
The Bundesbank, like other regulators, has incorporated these insights into regulatory and supervisory practice. Dr Dombret pointed out that “regulation cannot give a detailed prescription for cybersecurity because cyber is so agile that technical details can quickly become obsolete; in addition, there is no one-size-fits-all solution that can cover the diversity of the types and sizes of institutions”.
He also pointed out that there is more to cyber resilience than a functional first line of defence. Tone from the top is instrumental in raising staff awareness of security issues and includes “breaking down the ‘accountability firewall’, where nobody assumes responsibility for the many intersecting aspects of cyber risk. We therefore demand that banks clarify what is at stake and how the risks are supposed to be governed. This is called a cyber strategy, and every bank is required to have a convincing one”.
In concluding, Dr Dombret spelt out a number of key tasks for senior management:
- Recognise cyber risks as part of your risk appetite and define a convincing and comprehensive cyber strategy
- Ensure that responsibilities remain clear in a changing cyber and corporate environment
- Raise awareness among your staff and set an example in promoting secure cyber behaviour
BRG recently launched its own Cybersecurity Preparedness Benchmarking Study. The study is designed to deliver security scorecards and specific benchmarks to survey respondents. It will help firms strengthen their security performance management programs on the basis of objective, fact-based metrics, and compare how their security programs measure up against internal organizational goals, approved risk-management profiles, industry peers and best-practice companies.
The study is open until the end of February. A broad range of industries will be represented in the study. Information submitted by respondents will be held in the strictest confidence. All study results will be anonymous and will be shared only with participants.
Additional information about the study can be found on the BRG website.