Financial Services - Information Security Risk Management
Reducing the Likelihood, Impact and Cost of Data Breaches
The operational, financial, legal and reputational consequences of an information security breach can be so profound that CEO’s and Boards of Directors of financial services companies are becoming directly involved in approving and funding an enterprise strategy around cyber security as a strategic element of organizations’ governance, risk and compliance (“GRC”) management framework and approach to operational resilience.
Markets and regulators may penalize unprepared firms and poor management response more severely than they punish firms for a breach itself. The goal should be to mitigate as much risk as possible, minimize impact, and prepare to respond to what essentially is the inevitability of disruptive cyber events so the company can recover its data and essential functions, assure markets and stakeholders, address regulators’ concerns, and repair reputational damage. This requires financial services companies to recognize that cybersecurity is not merely a “technical” or “regulatory compliance” issue but a complex enterprise risk management challenge that requires integrated coordination, addressing elements of prevention/mitigation, preparedness, detection, response and recovery.
Elements of an effective information security strategy include moving beyond FFIEC, FDIC or SEC compliance into sound InfoSec and risk management governance; policy development; training and cultural awareness; human resource protocols; well-exercised cyber incident response plans aligned with data classifications; the right insurance and complex forensic claims expertise; strong business continuity and IT disaster recovery plans; expert forensics, crisis communications, and reputation recovery resources; and effective baseline prevention, detection, and warning systems built into the technical environment.