The Australian Prudential Regulation Authority (APRA) is the latest financial regulator to publish draft regulations on operational resilience[i], prompting me to gather my thoughts on how a Balbix-style Cyber Risk Quantification (CRQ) solution could help meet these regulatory obligations.
A short story
For those of you unfamiliar with financial services regulation or operational resilience requirements that have emerged in recent years, here is a brief history.
As always, regulation tends to follow lived experience: once harm has been caused to customers or to the financial system, regulators introduce requirements to protect both. Such was the case in 2017 when, following a number of high-profile incidents – including WannaCry and the Equifax breach – G20 finance ministers and central bank governors determined that cyber risk had the potential to disrupt the financial system at a supranational level.
In addition, in the UK, a number of major customer disruptions were traced to poorly managed IT upgrade programs at leading banks. This led to the publication of a discussion paper on building operational resilience by the Bank of England[ii] and to the creation of a working group by the Basel Committee on Banking Supervision.[iii] Finally, the Bank of England[iv] and the Basel Committee[v] published their operational resilience policies in March 2021. Since then, a number of financial regulators around the world have either published similar policies or are in the process of doing so.
What is Operational Resilience?
So what is operational resilience and what does it demand of financial services companies? The Basel Committee defines operational resilience as the “ability of a bank to carry out critical operations in the event of disruptions”.[vi] The Bank of England goes one step further and explains that operational resilience refers to the “ability of businesses, financial market infrastructures (FMIs) and the industry as a whole to prevent, respond to, recover from and learn from operational disruptions”.[vii]
Similarly, the working paper recently published by the Australian Prudential Regulation Authority (APRA) places operational resilience at the heart of good operational risk management. In doing so, operational resilience is seen as minimizing the potential impact of events and ensuring that “entities can continue to operate despite disruptions and provide key services to customers”.[viii]
Operational resilience regulation in practice
All good, but what do these regulations actually mean for regulated companies? In the UK, the policy published in 2021 obliges companies to:
- Identify and map important business services
- Identify possible vulnerabilities in their operational resilience
- Set impact tolerances for each important business service
- Undertake scenario testing to validate impact tolerances
- Demonstrate by testing their ability to stay within impact tolerances
Companies have until March 2025 to demonstrate full compliance, but the initial identification, mapping and definition of tolerances had to be completed by March 2022.
In Europe, the EU’s Digital Operational Resilience Act (DORA) will similarly require companies to identify their “critical or important functions” and map their assets and dependencies. It also requires companies to set tolerance levels for information and communications technology (ICT) disruptions, which must be underpinned by key performance indicators and risk metrics. And it will require companies to “continuously identify all sources of ICT risks…and assess cyber threats and ICT vulnerabilities”.[ix]
I could go on, but in short, most operational resilience regulations around the world require companies to identify their critical business services; understand their dependencies (IT assets, people, buildings, suppliers, etc.); understand their vulnerabilities; take the necessary steps to ensure that they can operate within the stated tolerances; and prove it through scenario testing.
How does cyber risk quantification help?
Alright, I hear you say, so where could Cyber Risk Quantification (CRQ) help?
In almost every case, cyber threats have been at the forefront of regulators’ thinking. They are not the only potential driver of ICT disruption, but experience shows that the impact of a cyber incident can be widespread and can have significant consequences for consumers and for the broader financial system. Regulated companies will therefore need to fully understand the susceptibility of their critical business services to cyber threats, and be able to demonstrate that they manage their vulnerabilities well enough to keep the risk at an acceptable level. They will also have to demonstrate that they do so on a continuous basis. This is where dynamic CRQ comes in.
For me, the potential uses of a CRQ tool such as Balbix in meeting operational resilience requirements fall into three key areas: visibility, vulnerability management, and risk assessment. There are probably others, but I believe those are the three main ones.
By inventorying all of a company’s IT assets, CRQ tools like Balbix provide visibility into the complete software and hardware estate. Because the inventory is built from continuously observed data, it is dynamic and always up to date. When important business services (IBS) information is overlaid on this technical inventory, companies can demonstrate to regulators that they have a complete understanding of the IT elements supporting each IBS. This in turn enables vulnerability and risk assessments to be performed and reported not only across the enterprise, but for each IBS.
After establishing a comprehensive inventory and mapping it to IBS, identified vulnerabilities within the fleet can easily be reported for each service. CRQ solutions are also essential for enabling prioritization of vulnerability remediation, as well as demonstrating that a company is effective in managing its vulnerabilities to keep its services within stated tolerances.
CRQ tools such as Balbix, which continuously calculate risk exposure from data observed in the enterprise ICT environment, can track the reduction in risk exposure as vulnerabilities are remediated. This enables the production of a key metric for the health of a company’s vulnerability management. This metric is what I would describe as a mean attenuation time, or mean time to mitigate. It would measure the period of time between the identification of a threat or vulnerability that pushed the calculated risk exposure above the acceptable level and the reduction of exposure back to an acceptable level through the closure of vulnerabilities. It could become a key benchmark metric across the organization, if not more broadly.
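As an added illustration (this is not Balbix’s code or risk model, and the data is constructed), the following Python sketch shows the three ideas in the last three paragraphs in concrete form: overlay an IBS-to-asset mapping on an asset inventory, report the vulnerabilities open against each IBS on a given date, and compute a “mean attenuation time” as the average length of the periods during which a service’s exposure sat above its tolerance. The exposure score (a plain sum of severities), the tolerance values and the identifiers are all assumptions made for the example; a real CRQ model weights likelihood, business impact and compensating controls.

```python
"""Per-IBS vulnerability exposure and mean attenuation time.

Constructed example with hypothetical assets, findings and scores.
It is not Balbix code and does not reproduce any vendor's risk model.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Vuln:
    asset: str               # asset from the technical inventory
    vuln_id: str             # constructed identifier, not a real CVE
    severity: float          # assumed CVSS-like score, 0-10
    found: date              # first observed
    closed: Optional[date]   # None means still open


# Overlay of important business services (IBS) on the asset inventory.
# Assumption: the IBS-to-asset mapping has already been done.
IBS_MAP = {
    "Payments": {"srv-pay-01", "db-core-01"},
    "Online banking": {"web-ob-01", "db-core-01"},
}

# Constructed findings. db-core-01 is shared by both services, so one
# finding on it shows up in the exposure of both.
VULNS = [
    Vuln("srv-pay-01", "V-1001", 9.8, date(2024, 3, 1), date(2024, 3, 6)),
    Vuln("db-core-01", "V-1002", 7.5, date(2024, 3, 3), date(2024, 3, 10)),
    Vuln("web-ob-01", "V-1003", 5.3, date(2024, 3, 2), None),
    Vuln("srv-pay-01", "V-1004", 9.1, date(2024, 3, 15), date(2024, 3, 17)),
]


def open_vulns(ibs, vulns, on):
    """Findings on any asset supporting `ibs` that were open on date `on`."""
    assets = IBS_MAP[ibs]
    return [v for v in vulns
            if v.asset in assets and v.found <= on
            and (v.closed is None or on < v.closed)]


def exposure(ibs, vulns, on):
    """Toy exposure score: sum of severities of the open findings (assumption)."""
    return sum(v.severity for v in open_vulns(ibs, vulns, on))


def excursions(ibs, vulns, tolerance, start, end):
    """Periods [from, to) between `start` and `end` with exposure above tolerance.

    A period whose `to` is None was still out of tolerance at `end`.
    """
    periods, above_since, day = [], None, start
    while day <= end:
        over = exposure(ibs, vulns, day) > tolerance
        if over and above_since is None:
            above_since = day
        elif not over and above_since is not None:
            periods.append((above_since, day))
            above_since = None
        day += timedelta(days=1)
    if above_since is not None:
        periods.append((above_since, None))
    return periods


def mean_attenuation_days(periods):
    """Average length in days of the closed excursions; None if none has closed."""
    closed = [(to - frm).days for frm, to in periods if to is not None]
    return sum(closed) / len(closed) if closed else None


def demo():
    """Run the constructed March 2024 scenario and return a plain summary."""
    start, end = date(2024, 3, 1), date(2024, 3, 31)
    summary = {}
    for ibs, tolerance in (("Payments", 8.0), ("Online banking", 5.0)):
        periods = excursions(ibs, VULNS, tolerance, start, end)
        summary[ibs] = {
            "open_on_4_mar": sorted(v.vuln_id for v in open_vulns(ibs, VULNS, date(2024, 3, 4))),
            "excursions": [(f.isoformat(), t.isoformat() if t else None) for f, t in periods],
            "mean_attenuation_days": mean_attenuation_days(periods),
        }
    return summary


if __name__ == "__main__":
    for ibs, row in demo().items():
        print(ibs, row)
```

In the scenario, Payments goes out of tolerance twice and recovers both times, giving a mean attenuation time of 3.5 days; Online banking, with its lower tolerance, is pushed over by a low-severity finding that nobody closed, so the excursion is still open at month end and the metric is undefined rather than silently zero. That second case is the one worth reporting to a regulator, which is why the function returns `None` instead of averaging over nothing.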
A final note
An accurate risk assessment is also key to giving the CISO, CFO and the rest of the management team an understanding of how susceptible the company’s infrastructure and business services are to cyber threats. In addition to providing operational and likelihood metrics, CRQ solutions like Balbix can quantify the cost of a breach in dollars (or other currencies) by calculating the financial impact that could result. By expressing risk in terms of potential financial exposure, the CISO, CFO and the rest of the management team can discuss cybersecurity risk in the C-suite and with the board using a common language: hard cash!
[i] APRA Consults on New Prudential Standard to Strengthen Operational Resilience | APRA
[ii] dp118.pdf (bankofengland.co.uk)
[iv] Bank of England – Policy Statement ‘Operational Resilience – March 2021’
[v] Press release: Basel Committee publishes principles for operational resilience and risk (bis.org)
[vi] Operational Resilience Principles (bis.org)
[vii] dp118.pdf (bankofengland.co.uk)
[viii] Discussion paper – Strengthening operational risk management | APRA
[ix] AG (europa.eu)