CLIVE WEBB, ACCA senior professional insights manager
The nature of cyber risk is ever evolving. As technology changes, the attacks you face become more sophisticated. However, the principles of managing the risk remain fairly constant. Finance teams need to be alert to the risks and to the sensitivity of the data that they hold.
Finance teams hold sensitive data, whether financial records or details of customers and suppliers. Like any other part of the organisation, finance needs to be alert to the threats and have appropriate prevention and security procedures in place.
Any cyber breach needs to be appropriately managed. With increased focus by regulators and the media on how breaches are handled, organisations face potentially severe reputational damage. Effective and rehearsed plans to deal with the impact and aftermath of a cyber-attack are an essential part of any risk management strategy.
Implementing cyber risk management
As a first step any organisation needs to understand the data that it holds and the relative sensitivity of it. While there is a need to protect the organisation, understanding your data gives you context. Additionally, while an individual needs to be charged with overall responsibility, protecting the organisation is everybody’s responsibility.
The activities that an organisation needs to undertake fall into three categories:
1. Resilience: protecting the organisation, as far as possible, from the impact of an attack using policies and procedures.
2. Recovery: the process of managing after an attack has occurred to recover to business as usual as soon as possible.
3. Contingency: testing procedures that need to be activated once an attack has occurred and learning lessons from the simulations.
Organisations should not underestimate the recovery phase; the investment required to return to business as usual can be significant. Moreover, as attacks become more sophisticated, recovery becomes a greater challenge.
As our data flows become ever more complex, we will need to rethink our resilience and recovery strategies to ensure that we have managed the risks inherent in our global networks and supply chains. Established guidance such as ISO27001 can provide the basis for a cyber-risk management strategy that takes into consideration resilience, recovery and contingency.