One of the breakthroughs of cyber risk quantification through FAIR™ is to finally place cyber on a par with the other risks that roll up into enterprise risk management (ERM) instead of remaining in its own special silo. But to get to that place takes an effort at communication and coordination and even some org chart changes – as some experienced hands at crossing risk management boundaries discussed at the 2019 FAIR Conference, with Evan Wheeler, CISO at Edelman Financial Engines, moderating:
- Greg Barna, Executive Director of Operational Risk Management at DTCC
- Yael Nagler, Advisor to CISOs at Strategic Security Advisory and Former Global Enterprise Information & Technology Risk at BlackRock
- Michael Kenney, VP of Operational Risk at Freddie Mac
Among the topics covered:
Panelists agreed on the need to embed cyber risk in ERM. “It goes across the enterprise,” said Yael, and all other parts of the organization “influence or are influenced by cyber risk and information risk. If we think of it just as technology risk, we are losing sight of the business.” Michael added that cyber is a “complex risk that the organization is just starting to get its head around.”
A good starting point for ERM integration, particularly in finance: adding cyber to the Risk Control Self Assessment (RCSA) process.
Greg described how DTCC has adapted its organizational structure for integration. The CISO is part of the ERM team and each business unit has a Business Information Security Officer (BISO) tasked with communicating cyber in business terms to the general manager and the rest of the organization. BISOs also do quarterly information risk profiles that become part of the wider ERM reporting.
To bring cyber risk, operational risk and other teams together, Freddie Mac runs tabletop exercises gaming what would happen, for instance, if a critical application went down and interfered with payments processes. “We’re looking at it not just as a cyber event, but it could also have a privacy impact or involve legal or regulatory reporting. There might be a fraud or money laundering angle … So we are also looking at do we have the right response mechanisms involved.”
Panelists also said that risk quantification in general, and FAIR in particular, was beginning to spread in their organizations beyond cybersecurity. At DTCC, Greg said, the model is in use for documenting forms of loss, magnitude of impact and likelihood, and in scenario analysis, incident management and accepted-risk programs. “We’re not using it across the board, but it could definitely help bridge the gap and help us communicate on the same level.”
See more of the discussion on combining cyber risk with enterprise risk management: Watch the video now.