If carriers are going to become resilient to the strengthening storm of criminal cyber activity, they will have to take a broader look at their risks.
As Accenture explains in its report, Making Your Enterprise Cyber Resilient, carriers should focus on managing three exposures in particular: information technology (IT), operations, and fraud and financial crime.
Since IT systems and infrastructure often are ground zero for cyber attacks, managing technology risk is critical. Carriers should be implementing a variety of measures that address both loss prevention and loss response. At a minimum, we suggest application development standards designed to reduce risk; systems and data surveillance techniques designed to identify, assess and respond to potential vulnerabilities or breaches; and a schedule of penetration testing to both gauge an infrastructure’s resilience to attack and identify vulnerabilities.
A successful cyber attack against a carrier’s operations can interrupt its ability to generate transactions, bill, and communicate with customers or agents. In addition to significant downturns in sales and revenues in the short term, operational risks include long-term harm to a company’s brand and reputation.
To build resiliency against unrelenting and ever-evolving cyber attacks, carriers should build operational risk management programs that are nimble, flexible and proactive in regard to how governance, policy, technology and processes are implemented. The programs should incorporate a risk-appetite level; routine examinations for gaps in controls of business processes, products and services; effectiveness assessments of controls designed to prevent or detect cyber risk-related losses; and an integrated framework to identify, prevent, detect and respond to cyber risks.
Critically, to quantify the risk exposure, the chief risk officer, chief information officer and chief operations officer will have to work together to encourage proper investment, maintenance and control across multiple points of entry and attack.
Fraud and financial crime losses can result from either large, one-time events or small, frequent low-cost events, which are more difficult to detect. A company that suffers a successful cyber attack also often has to cover costly services to protect customers whose credit card and other personal information was compromised. Cyber criminals, often masking themselves as legitimate customers, will attempt to exploit an organization’s vulnerabilities in, among other things, its payment systems and controls over business processes, technology and third-party organizations.
A resilient organization should look for anomalies inside the institution; implement business processes designed both to ensure regulatory compliance and to detect criminal or nefarious activity; and share attack data industry-wide in an effort to improve detection and response techniques.
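The two loss patterns named above (large one-time events and small, frequent low-cost events) call for different checks: a single-amount threshold catches the first, while the second only shows up when transactions are grouped per account and counted over a time window. The script below is an added example written for this page, not code from Accenture or the cited report; the account names, amounts, window length and thresholds are constructed assumptions chosen to make the behaviour visible, and a real deployment would tune them to the carrier's own payment data.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple


class Transaction(NamedTuple):
    account: str
    ts: datetime
    amount: float


# Constructed sample payment feed (hypothetical accounts and amounts, not data
# from the article): acct-001 sends a burst of tiny payments, acct-003 a single
# very large one, the others look routine.
SAMPLE_ROWS = [
    ("acct-001", "2024-03-01T09:00:00", 4.99),
    ("acct-001", "2024-03-01T09:01:10", 3.50),
    ("acct-001", "2024-03-01T09:02:45", 2.25),
    ("acct-001", "2024-03-01T09:04:00", 5.00),
    ("acct-001", "2024-03-01T09:06:30", 1.99),
    ("acct-001", "2024-03-01T09:08:00", 4.10),
    ("acct-002", "2024-03-01T10:00:00", 120.00),
    ("acct-002", "2024-03-01T14:30:00", 6.00),
    ("acct-002", "2024-03-02T14:31:00", 7.00),   # a day later: not a burst
    ("acct-003", "2024-03-01T11:00:00", 25000.00),
    ("acct-004", "2024-03-01T12:00:00", 8.00),
    ("acct-004", "2024-03-01T12:00:05", 8.00),   # only two small ones
]


def load(rows):
    """Turn raw (account, ISO timestamp, amount) rows into Transaction records."""
    return [Transaction(acct, datetime.fromisoformat(ts), amt) for acct, ts, amt in rows]


def flag_large_events(txns, threshold=10_000.0):
    """Large one-time events: any single amount at or above the threshold.
    Returns the sorted list of accounts involved."""
    return sorted({t.account for t in txns if t.amount >= threshold})


def flag_small_frequent(txns, max_amount=10.0, window=timedelta(minutes=15), min_count=5):
    """Small, frequent events: at least min_count transactions, each no larger than
    max_amount, from one account inside any sliding interval of length window.
    Returns {account: peak count inside a window} for accounts that cross min_count."""
    small_by_account = defaultdict(list)
    for t in txns:
        if t.amount <= max_amount:
            small_by_account[t.account].append(t.ts)

    flagged = {}
    for account, times in small_by_account.items():
        times.sort()
        start = 0
        peak = 0
        # Two-pointer sliding window: advance `start` until the window fits.
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= min_count:
            flagged[account] = peak
    return flagged


def run_detection(rows=SAMPLE_ROWS):
    """Run both checks over a feed and return the findings in one dict."""
    txns = load(rows)
    return {
        "large": flag_large_events(txns),
        "small_frequent": flag_small_frequent(txns),
    }


if __name__ == "__main__":
    findings = run_detection()
    print("large one-time events:", findings["large"])
    print("small frequent bursts:", findings["small_frequent"])
```

On the constructed feed the large-event check reports only acct-003, and the burst check reports acct-001 with six sub-ten-dollar payments inside one fifteen-minute window; acct-004's two small payments stay below the count threshold, and acct-002's two small payments are a day apart and never share a window. Lowering `min_count` is the knob that trades false positives for sensitivity, which is why the function reports the peak count rather than a bare flag: an analyst can see how far over the line each account sits.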
Next time: The challenges to carriers’ cyber security.
- Download Making Your Enterprise Cyber Resilient (PDF)