Other parts of this series:
In today’s increasingly digital marketplace, strong cyber security capabilities are vital to the success – even survival – of any financial services organisation. The common aim across the industry is to achieve mastery of cyber resilience against cyber-attacks, to reduce the risks to a manageable level.
Making progress – but how much?
UK financial services firms are making progress towards this goal. Our 2018 State of Cyber Resilience research shows that 80 per cent or more of executives in both insurance and banking & capital markets are confident in the effectiveness of their security capabilities to minimize financial risk and disruption from a cyber security event.
However, other findings suggest that this confidence may be overdone. Respondents confirm that between 20 per cent and 30 per cent of their organisation is not protected by their cyber security program. And between one-quarter and one-third don’t apply the same security standards to their partners as their own business.
Monitoring cyber metrics
Such findings prompt a clear question: what measures are organisations applying to assess their own cyber security performance?
Looking across our survey results, we find that the financial services firms in the study are focusing primarily on three measures.
- Cyber IT resiliency – usually based on how many times an enterprise system goes down, and for how long.
- Cyber recovery/restoration time – how long it takes to restore normal activity after an outage.
- Cyber response time – how long it takes to identify and mobilize in the event of a cyber-attack or breach.
However, the consistency and rigor with which these measures are applied vary widely between different firms and sectors of the industry. Insurance companies in particular struggle with metrics: while they are – of course – in the business of risk management, their risk management culture doesn’t always reflect operational risk metrics. Instead, it tends to focus primarily on metrics related to underwriting losses.
It follows that a culture change has to happen if they’re to think about risk in cyber terms. And while banking & capital markets firms are generally more culturally attuned to thinking in terms of cyber risks, they too have some way to go to achieve full clarity their cyber performance.
Changing measures – and culture
So, what to do? As cyber security threats continue to grow, financial services firms need to get a clear view of their positioning and progress on their journey to cyber resilience. This means identifying and tracking the measures that really matter. Which in turn means going back to their cyber security strategy to validate what they’re trying to achieve, and then implementing metrics that reflect those objectives.
To be effective, these metrics must often be accompanied by a shift in culture, to focus on different types of risk from those they’ve prioritized the past. And specifically, cyber risks.
Most financial services firms have confidence in their cyber security capabilities – confidence that may or may not be well-founded. The only way to be sure is to apply the right measures of cyber performance. Is your firm doing so?