Notes on Cybersecurity and Operational Risk
Last week one of the country’s top banking regulators published its semi-annual report on risks to the financial system, and to no surprise cybersecurity risk was near the top. The more one ponders the findings, however, the more you can see insights about cybersecurity, internal control, and innovation that are worth the time of a compliance professional in any sector.
The report comes from the Office of the Comptroller of the Currency, chief regulator of consumer banking in the United States. OCC publishes a high-level review of risks every six months, and this was its second report for 2021 — 32 pages, not too technical, and a good summary for anyone who wants to understand how macro-economic trends might affect the financial sector.
What caught my eye, however, was how the OCC report described cybersecurity threats: as part of operational risk. In fact, the OCC didn’t just say that cybersecurity threats are part of operational risk; the agency framed rising cybersecurity threats as driving operational risk: “Operational risk remains elevated as cyber attacks evolve, become more sophisticated, and cause damage to a variety of industries.”
Why does that sentence jump out at me so much? Because it brings into sharp relief the usually subtle point that modern business operations rely on technology to work, so you can’t address operational risk without effective cybersecurity. For all practical purposes, the two concepts are one and the same.
Right away, then, compliance, internal audit, and risk management professionals have a powerful argument about why you should be included in the senior management team’s strategic deliberations. Those deliberations are all about how the business should operate to achieve its objectives — but if the success of those operations depends on effective cybersecurity (and its fraternal twin, effective privacy), then the executives in charge of cybersecurity and privacy compliance can’t be an afterthought. To assure strong business processes, with minimal risk to successful operations, a company must consider cybersecurity and privacy risks from the start.
I have no illusions that some senior management teams won’t agree; or they’ll politely say “of course we believe that!” and then relegate cybersecurity and privacy to second-class status anyway. Well, that unholy fusion of cybersecurity and operational risk doesn’t care whether your C-suite grasps the point. The point still remains that cybersecurity risk now drives operational risk, and you need to respond accordingly.
What ‘Accordingly’ Means in Practice
The other reason I recommend the OCC report is that immediately after presenting cybersecurity as a driver of operational risk, the report moved on to the risks of complex supply chains and innovation in products and services.
But, when you think about it, aren’t those just subsets of operational risk? Because last time I checked, all businesses are moving into environments of extended enterprises and digital transformation. Retooling your operations in such a manner is how you stay competitive in today’s world.
So any time the senior management team talks about restructuring operations to embrace the cloud, or upgrading business processes to make them totally digital, or innovating new products and services to drive future growth — we’re still back to operational risk, and therefore to cybersecurity.
The tension that’s going to emerge (that probably has already emerged at many enterprises) is how management balances the drive for innovation in business operations with the need for strong cybersecurity. That will be true whether we’re talking about internal operations to boost efficiency, or customer-facing operations such as product development to drive more revenue.
For example, consider the innovations that the OCC report lists in banking:
Examples of areas of continuing innovation include faster and real-time payment products, increased use of mobile and digital technologies to deliver financial services, application programming interfaces, data aggregation services, and contactless payment devices. Distributed ledger technology and digital assets, including stablecoins and other crypto-assets, may broaden delivery channels and the functionality of financial services.
Yes, if a bank could successfully deliver on all those ideas, the benefits would be enormous: faster transactions, higher customer satisfaction, lower support costs for legacy IT, lower real estate costs for physical branches, and more. But the cybersecurity and privacy challenges swirling around those possible innovations — they boggle the mind. They’re also the things the enterprise of the 2020s will need to tame if it wants to survive.
What Becomes Important
I often try to think about emerging issues in risk and compliance by asking, “What capabilities will an organization need to have to solve these problems two to five years in the future? What becomes more important to have, or to be able to do?” That’s a useful exercise here, too.
First, you’ll need more tools and techniques to support transparency into your supply chain. You’ll need to know…
- Who those suppliers are;
- What they supply to your organization;
- The criticality of those services to your own operations;
- Which IT systems of your enterprise they might access;
- The cybersecurity posture of those suppliers, with increasingly better assurance into that posture depending on the sensitivity of the systems they access at your enterprise.
That’s partly a technology problem, and I’m sure any number of GRC vendors would be happy to talk with you about how to solve it. It’s also partly a process problem, which you’ll need to solve yourself. For example, you’ll need contract language to assure that vendors will cooperate with you on these issues, and then mechanisms to assure that your own employees actually put that language to proper use.
Second, you’ll need better risk assessment capability for whatever innovations the First and Second lines of defense want to introduce. For example, if your business wants to move from an in-house sales force to a network of third-party sales people who access corporate data through an online portal — that’s a significant innovation to both lines of defense simultaneously. The CISO, compliance officer, privacy officer, head of sales, and IT director will all need to participate in an assessment of the risks there, and you’ll need robust remediation and documentation systems to assure that everyone knows what they’re supposed to do to address the risk, and then does it.
But third, and perhaps most important: compliance and audit executives will need superb communication skills to work with senior management and the First Line of Defense, to explain to them why your role is so relevant in the modern world.
So often we see voices out there stressing that compliance and audit executives must “know the business.” I would take it further: you need to know why cybersecurity and compliance are so important to the business, and explain that importance in practical terms.
No longer is the answer a simplistic, “We’ll be fined if we don’t do this!” It’s more like, “This technology that could make us rich will also derail us, if we don’t understand how it truly works and how to channel it through the real world of cybersecurity and compliance risks everywhere!”
I’m not saying any of this will be easy. But there are worse problems a profession can have than being crucial to the success of large enterprises for years to come.