Regulators and policymakers are increasingly concerned about cyber risks, as attacks are becoming more frequent, damaging, and potentially systemic. While financial institutions have focused on credit, market and liquidity risks, attention must also be paid to operational and cyber risks. Responding effectively to cyber threats requires more than just technical measures - organizations must improve cyber hygiene, culture, and agility. Most importantly, preparation is key - identifying threat scenarios, gradually building capabilities, and planning comprehensive incident response, so organizations are able to manage attacks and recover when they do occur.

1. Countering cyber-security threats
Phil Huggins

2. Stroz Friedberg
2
Leading experts on cyber defence - pragmatic,
evidence-driven, strategies and tactics that work
World class response to digital trouble – and
advice on how to prepare for cyber attacks
Discrete global advisors when it matters

3. Regulators and policy makers are worried about cyber risk
3
“The focus on credit, market and liquidity risk over the last
five years may have distracted attention from operational,
and in particular cyber risks, among financial institutions and
infrastructures. This is a rapidly rising area of risk with
potentially systemic implications.” Andrew Haldane, Bank of
England, 2013
“The normal drivers of change, from regulation and
incentivisation through to insurance cover and legal liability,
are still immature. And what’s also clear is that we cannot as
a country allow this situation to continue.” Robert
Hannigan, GCHQ, 2015

4. Responding to cyber risk and regulation
4
Regulators
Curated markets for cyber capabilities
Outcomes-based testing (CBEST)
Cyber competent persons ?
Primary legislation ?
Boards
Specialist cyber NED ?
Dedicated cyber risk sub-committee
Limits of fiduciary duty vs national security
Capability sharing & Experience sharing

5. Digital business generates growth but increases exposure
5
Growth
Time
Cyber
Risk

6. Cyber attacks are going to happen
6
Average breach
cost
£2.5m
Average cost per
record breached
£101
Time to detect a
breach
206 Days
Time to contain a
breach
69 Days
Attacks
completed in
minutes
60%
Attacks spread
to second victim
in one hour
40%
Malware
samples unique
to target
70-90%
Exploited
vulnerabilities
older than 1 year
99.9%
New
vulnerabilities
exploited within
2 weeks
50%
Organised crime
attacks using
crimeware
73%
Activist attacks
targeting web
applications
61%
Chance of 1
breach every 10
years
71%

7. Resistance to cyber attack is not enough.
7
95% of vulnerabilities patched is not enough
$250m invested in cyber is not enough
1000+ cyber professionals is not enough
Constant organisational change
Competitive cyber job market
Rapidly evolving cyber threat environment
Increasingly fragile controls
Failure is often silent

8. Cyber Security
8
Cyber hygiene matters
Organisational culture really matters
Technical agility matters
They are necessary but are not enough anymore.

9. Preparation is key
9
Identify relevant cyber scenarios
Gradually build capability
Build situational awareness
Prepare for attacks
Consider key decisions before the emotion hits
Develop muscle-memory
Recover from attacks
Learn from attacks

10. Prepare for attacks
10
Plan for incident response
Define a crisis for your institution
Identify critical personnel
Write a communications plan
Define responsibilities
Review cyber risk scenarios
Create a triage process
Practice cyber crisis management
Partner with experienced experts in advance
Legal, technical & communications

11. Summary
11
Cyber attacks are going to happen
More active regulation is spreading
Don’t panic
Prepare

12. strozfriedberg.com
Phil Huggins, Vice President
phuggins@strozfriedberg.com
T: +44 207 061 2299
©2015 Stroz Friedberg. All rights reserved.