Pub. 8 2019 Issue 4

Leading advocate for the banking industry in Kansas

CYBER SECURITY

3 KEY STEPS TO MANAGING YOUR CYBER SECURITY RISK

By Brian Howell, CISA

There are many types of risk, including strategic, financial, operational, reputational and compliance risk. One key type of risk that is quickly coming to the forefront and growing exponentially for organizations of all sizes is cyber security risk. A cyber security incident will have wide-ranging impacts on other aspects of any business.

One: Be Aware Cyber Security Risk Exists

Cyber risk in the context of cyber security is no different from other types of risk in that you must be aware that it exists and understand the potential implications. You cannot manage a risk that you do not know exists. The days of being able to claim ignorance at the operational or leadership levels of a company are long gone, as key business partners, customers and various laws and regulations expect that these cyber security risks are adequately addressed. It is important to know that cyber security is not solely an IT problem but a business risk at its core, which should be addressed by business leadership like other financial and operational risks.

Two: Be Able to Assess Cyber Security Risk

No matter the risk, every organization should determine the likelihood and potential impact the risk might have on the entity. For information technology risk (including cyber risk), a best practice is to complete an annual IT risk assessment process, which might include the following steps:

• Identify key processes, applications and assets
• Identify potential threats
• Determine risk and impact
• Consider the current control environment
• Determine likelihood
• Calculate a risk rating

No matter who performs the risk assessment, our recommendation is to sponsor the risk assessment at the executive leadership level and assign ownership of every identified risk to a business unit. This will ensure that the entire organization is educated on the process, the output and any expected mitigation activities.

Performing a risk assessment will help your organization:

• Develop a risk register to be used to track known risks
• Drive actionable mitigation strategies
• Keep the organization focused on known vs. perceived risks
• Align business goals, objectives and budgets with the risk assessment output

Discovering a security risk through a self-assessment process is better than having an external party find and exploit that risk.

Three: Be Willing to Address Cyber Security Risk

Once you are aware of a business risk, addressing the risk is the next step in managing it. Unbelievably, many successful businesses ignore their known risks or attempt to rely on insurance alone to mitigate the potential monetary losses. These two strategies can be short-sighted, as they do not consider operational disruption, reputational risk, or legal and regulatory consequences. There are three ways we see businesses addressing cyber security risk:

Control the Risk

Create a business process or implement a technology solution that will reduce or eliminate the risk. Internal controls are the policies and procedures which management utilizes to control the business environment. Key goals of an internal control program include:

• Safeguard company assets
• Ensure the reliability and integrity of financial and operational systems
• Ensure compliance with internal policies and external regulatory requirements
• Provide a mechanism to monitor key controls and business objectives

While most internal control programs are focused on a compliance paradigm, a better approach would include goals that encourage efficient and effective business operations. Essentially, the focus becomes a better business process that includes internal controls. Proactively designing a business process or application with cyber security in mind takes longer, but it is significantly cheaper than reactively designing a bolt-on solution.

The foundation of any information and cyber security controls program should be based on a solid IT General Controls (ITGC) program which
