Risk is Everyone's Business

These days, the job of managing risk for a large, multinational company no longer resides solely with the office of the chief risk officer. With the number and sophistication of threats continuing to grow, risk management must be a shared responsibility of all an organization’s executives, employees, board directors, customers, and third-party suppliers.

The increasing threats are why, at FIS, we’ve created the motto: “Risk is everyone’s business.” I have the motto in my email signature and ask everyone at our company to live by it for our company and the customers we serve.

Risk is a complex domain that can be overwhelming to consider in its entirety. For simplicity, I boil it down to five main areas, each with a c-level champion to ensure proper prioritization and management:

Strategic risk (CEO): mergers, acquisitions, divestitures, new business lines, etc.
Regulatory and compliance risk (chief compliance officer): financial services consumer regulations, anti-money laundering laws, anti-bribery and anti-corruption programs and privacy regulations around the world
Operational risk (chief operating officer): ensuring effectiveness of controls and business continuity
Financial and fraud risk (chief financial officer): credit, market, and fraud and financial crime
Cybersecurity risk (chief information security officer): unauthorized access of systems or data; the uber risk that impacts all other risks

A cyberattack impacting the confidentiality, integrity and/or availability of systems and data is an example of an event that can impact all 5 areas of risk. Such an event can impact financial risk in that the systems or data accessed can be used by threat actors to commit fraud. It can disrupt operations by corrupting or encrypting systems and/or data. It can create compliance risk if the attacker is on a sanctions list and the company decides to pay the ransom. Finally, it can increase strategic risk by impacting a company’s reputation with its customers and other stakeholders.

Cybersecurity is not just a technology issue, it's a business issue. It is important for boards to actively engage in supervising their firm’s cyber risk posture. As I recently wrote in the incident response chapter of the US-based National Association of Corporate Directors (NACD) Director’s Handbook on Cyber Risk Oversight, there are five principles boards can follow in order to help manage a firm’s cyber risk:

Approach cyber as strategic enterprise risk.
Know the legal implications.
Ensure access to cyber expertise for regular discussion.
Set expectations with management for appropriate staffing and budget.
Identify and quantify financial exposures and decide which to accept, mitigate, and transfer.

At FIS, my team and I produce a monthly summary for our board on top risks in the industry and how we are addressing them. We routinely let our board know about cyber attacks within the industry, regulatory developments, and technology trends that could impact our risk profile, such as cloud -based computing, cryptocurrencies and internet of things. We don’t wait to be asked about these issues at board meetings. This regular engagement keeps cyber risk and security on the board’s mind and helps them understand the issues, so they are better prepared to provide thoughtful feedback.

Cyber Risk: Rising for Us, Falling for Criminals

Cybersecurity risk is growing, and the financial services industry is under attack. According to Verizon’s 2020 Data Breach Investigations Report (DBIR), 86% of attacks are motivated by financial gain. Financial firms are defending immensely vulnerable systems designed to maximize speed and access. With COVID-19, the shift to digital transactions and remote working has dramatically expanded the attack surface. Using social engineering strategies like phishing and business email compromise on preoccupied customers and multitasking employees has made cybercrime even more profitable. Since the start of the pandemic, the UN estimates that phishing attacks are up 600%.

Ransomware especially is on the rise, and the amounts being paid are increasing. Officially, the US Treasury department has issued a warning that those who pay ransoms may be subject to penalties for violating sanctions against criminal groups sponsored by nation-states. However, the reality is that in the case of an attack that disables systems or encrypts critical data, firms may not feel that they have a choice. As long as firms keep paying ransoms, this attack strategy will continue.

Fraud and attacks targeting government stimulus programs such as unemployment benefits, payment protection programs, and business loans have exploded, and will continue to be targeted. In addition, malware is being hidden in resumes, medical leave forms and other types of documents now in wide circulation because of the economic impact of the pandemic.

Sadly, cybercrime is not only profitable; it is also not particularly risky - few threat actors are successfully prosecuted. Further, the availability of cybercrime tools and cyberattack programs for hire, such as malware, ransomware and DDoS, has created an asymmetric balance between cyber criminals and cybersecurity professionals. As a result, we can expect all these trends to continue, likely even beyond the pandemic.

Invest in the Basics

As a technology services provider, FIS provides our clients a range of services to assist in cyber defense such as Sheltered Harbor data vaulting, dark web scanning, endpoint protection, DDoS protection, and web application firewalls. However, there is no silver bullet in cybersecurity; every financial services firm must continuously invest in the domains laid out by NIST: Identify, Protect, Detect, Respond, and Recover. Investing in the following four areas helps firms to programmatically manage cyber risk on a continuous basis:

- Cyber Hygiene - The basics of cybersecurity: monitoring networks, ensuring email filters are configured to block phishing attempts, host-based controls such as anti-virus and ongoing patching and vulnerability management. Be prepared; for example, having a breach response firm on retainer so you can call them at a moment’s notice in case of a suspected breach. Finally, apply the same rigor you use for yourself to manage third-party risk.
- Access Management - COVID-19 has accelerated the shift to digital, and it is never going back. The financial services industry will only have more demand for faster payments and more convenience. Keeping up with consumer demand is a necessity from a competitive standpoint, but it needs to be balanced with cybersecurity concerns. Strong access controls and authentication mechanisms are critical. For example, while multifactor authentication (MFA) technology does increase user friction, it is one of the best tools we currently have at minimizing credential stuffing and other forms of cyber fraud.
- Education - Both customers and employees need continuous training, so they do not fall prey to social engineering attacks like phishing, business email compromise, and illegitimate phone calls from fraudsters pretending to be from a bank.
- Testing - Test your controls, plans, and responses continuously, and refine them. Use penetration testing to see how adversaries can get into your systems.

The Insight

Managing risk is a shared responsibility of all. Cyber risk is an uber risk that impacts all other risks to a firm. As such, boards need to engage and understand this risk in order to exercise proper oversight. Cyber risk is growing and always evolving; even firms who outsource their technology must constantly re-invest in the basics of cyber hygiene, access management, education, and testing.

November 2020

Greg Montana

Greg Montana, Executive Vice President, Chief Risk and Section 16 corporate officer, leads a team of over 1,500 FIS risk professionals responsible for the strategic development and execution of FIS’ Risk, Cyber...

Security and Compliance programs. Mr. Montana reports to the FIS Chairman, President and CEO, and is accountable to both the Risk and Technology Committee and the Audit Committee of the FIS Board. Highly experienced in risk management, Montana has spent more than 20 years successfully managing risk at some of the world’s most recognized financial services institutions, including Bank of America, Lloyds Banking Group, Deloitte Consulting and JP Morgan Chase. Montana is a Certified Chief Information Security Officer (CCISO) and a Board Member of the Internet Security Alliance, the FS-ISAC (Financial Services – Information Sharing and Analysis Center) Sheltered Harbor Organization and the World 50 Chief Risk Officer Group. He is a holder of the National Association of Corporate Director’s (NACD’s) Cyber Certificate and in March 2020 co-Authored the incident response section of the NACD Board Handbook on Cyber-Risk Oversight. Montana holds a master’s degree in business administration from the Wharton School of the University of Pennsylvania and received a bachelor’s degree, cum laude, from Boston College. He received his six sigma Black Belt Certification from Bank of America.

Insights

Risk is Everyone's Business

Greg Montana, Chief Risk Officer, FIS

Cyber Risk: Rising for Us, Falling for Criminals

Invest in the Basics

The Insight

Greg Montana

Posts by Topic

Subscribe to Insights

WANT TO CONTRIBUTE?

Subscribe to Insights

FS-ISAC members around the world receive trusted and timely expert information that increases sector-wide knowledge of cybersecurity threats.

Site Map