Cybersecurity Risk Assessments: A Valuable Tool in Cyber Planning

December 04, 2020

By Jason Connotillo


Well-built risk management programs are designed to factor in new and emerging risk drivers. As a result, risk-aware enterprises increasingly ask for advice on how to properly anticipate and prevent cybersecurity-related risk events.

Conversation often revolves around concerns over the amount of digital information clients have accumulated over the last decade without any clear framework to properly store and protect it. And while cybersecurity threats themselves are no longer novel, clients are taking notice that attacks appear to be rising during the pandemic and the move to a virtual work environment. The FBI reported a nearly 400% uptick in the number of reported attacks over this time. Additionally, the dependence that mature customers place on the enterprises they do business with, as key participants in their supply chains, has increasingly led to clients needing to demonstrate their cybersecurity posture.

Enterprises also need to meet new cybersecurity compliance requirements mandated by cooperatives and regulatory agencies. Prime examples include the recent rules installed by Society for Worldwide Interbank Financial Telecommunications (SWIFT) for its 11,000 members, which must adopt the SWIFT Customer Security Controls Framework, and by the New York State Department of Financial Services (NYDFS) that require some level of cyber-compliance for 3,300 covered financial institutions. Other financial services regulators, such as the U.S. Securities and Exchange Commission (SEC), Federal Deposit Insurance Corporation (FDIC), and Office of the Comptroller of the Currency (OCC), have issued guidance to their registrants around installing sound cybersecurity practices. While these agencies deliberate regulation, many registrants are choosing to prepare proactively based on guidance alone.

When enterprises embark on addressing their cybersecurity needs and compliance requirements, one or more initial administrative concerns can surface. Cost is often a major factor when preparing for any type of risk management and compliance initiative. Operating budgets, and specifically IT budgets, may not have money earmarked for this type of effort. Having insufficient (or no) internal risk management expertise or limited resources can also hinder getting things underway. An additional complexity is that many enterprises outsource administration of IT infrastructure and systems to third parties that must be managed throughout the process.

The key to alleviating initial concerns is creating an efficient, well-thought-out plan, which should ideally start with understanding an enterprise’s unique cybersecurity risk profile. This is when a focused cybersecurity risk assessment is most timely and carries the most benefit. In addition to pinpointing early on where specific cyber risk resides within an enterprise, the assessment process identifies where gaps in protection exist; both help decision makers identify immediate areas for risk-based action and make high-impact investments sooner.

For enterprises that lack the internal expertise to perform cybersecurity risk assessments, or that outsource IT infrastructure and systems, working with a qualified and objective assessment provider can prove most efficient. Providers help determine the right assessments for a firm’s specific needs. Based on condition and size, decisions will need to be made among assessment types that focus on broadly improving one’s security posture, those that facilitate compliance with specific cybersecurity mandates, or both.

Further efficiencies can be achieved because providers bring immediate expertise, having worked extensively with enterprises facing cybersecurity needs, and can navigate coordination with outsourced IT organizations throughout the assessment process. Providers also typically deliver a lower-cost alternative to using internal time and resources, the cost of which can rack up quickly in terms of lost productivity. This is more often the case among small and middle-market enterprises that do not have dedicated risk management and information security offices.

A properly performed cybersecurity risk assessment will yield a cost-effective risk mitigation plan that aligns with the enterprise’s breadth of cyber activities and unique cyber needs. Whoever leads this exercise for an enterprise, it should be structured to help perceive risk events, such as what being ‘hacked’ or having operations rendered inoperable would mean, and to encourage putting controls in place for recovery should that happen.


PRTS Intelligence Newsletter - Q4 2020

About Jason Connotillo

Jason Connotillo is a Director specializing in Process, Risk, and Technology Solutions (PRTS).