Cyber risks are silent, deadly and often mundane
Fear of submarine-like attack overshadows more dangerous, less scary cyber threats
The military use of submarines was pioneered during the American Civil War, but Britain's Royal Navy was slow to adopt them. In 1901, Admiral Sir Arthur Wilson, the controller of the navy, described them as "unfair, underhand, and damned un-English".
Thinking about the threat faced by sailors, it's easy to see why somebody might think this way. Previously, a captain and his crew would have been able to spot enemy ships on the horizon well before they could pose a palpable threat. Suddenly, naval vessels were faced with the grim possibility of a catastrophic assault emerging from the deep, without warning, at any time.
A similar sentiment applies to cyber attacks. Like a submarine assault, the impact can be catastrophic, preventing businesses from operating properly and fatally damaging confidence in the eyes of the public. For firms, the attack is all the more scary because it is silent and stealthy. And even after the damage has been done, the shadowy perpetrators of cyber crime may remain unseen.
No surprise, then, that cyber risk cropped up as the most frequent concern of operational risk managers in a Risk.net survey of their biggest op risk fears for 2016.
Worrying about cyber security lapses has also become a leading preoccupation of regulators. "When I think about the risks that might cause the next crisis, cyber security is one that concerns me the most," said Sarah Dahlgren, the then-head of the Financial Institution Supervision Group at the Federal Reserve Bank of New York, speaking at an OpRisk conference in March 2015.
In its latest Semiannual Risk Perspective, published on December 16 last year, the US Office of the Comptroller of the Currency pointed to "the increased sophistication of cyber threats" and "pervasive technology vulnerabilities" as among its biggest op risk concerns.
At a global level, supervisors are working to address the cyber risks faced by financial market infrastructures, such as central counterparties, trade repositories and payment systems. The Basel-based Committee on Payments and Market Infrastructures (CPMI) and the Madrid-based International Organization of Securities Commissions (Iosco) published a consultation on their high-level Guidance on cyber resilience for financial market infrastructures in November 2015. Coen Voormeulen, co-chair of the group that produced the guidance and a director at De Nederlandsche Bank, stresses firms and regulators must work together to keep cyber threats at bay.
For all the emphasis on cyber risk, it's worth remembering that not all of it involves targeted attacks by shady cyber criminals. Lost passwords, unattended computer terminals and inadequate controls on sensitive data are more likely causes of cyber security breaches, say risk managers – and the consequences can be no less severe. The CPMI-Iosco guidance appears to acknowledge this, with a section on insider threats noting the need for firms to look into "anomalous behaviour" by staff using their systems and to ensure that "access... is restricted only to those with a legitimate business requirement", for example.
Those more prosaic cyber threats may not scare risk managers in the same way as a giant shadow lurking from the depths would strike fear into the hearts of seamen. The real picture is less frightening, but perhaps more dangerous. For it seems the enemy is not just undetected; they might already be in the room.
Copyright Infopro Digital Limited. All rights reserved.