The two big Cs - conduct and cyber risk

Conduct and cyber risk are commonly thought of as non-financial risks. But one of the arguments on Wednesday morning’s panel at RiskMinds International 2017 in Amsterdam was that they are just as much a financial risk as any other. That’s because they nearly always have – sometimes massive – financial consequences.

Conduct risk can be quite difficult to define, but what it generally boils down to is people risk. In that respect so is cyber – it only takes one person to click on a link in an email to unleash a cyber attack. The last decade has seen an explosion in conduct-related losses. It’s a topic that needs taking very seriously.

Taking cyber and conduct risk seriously

And banks are indeed taking it seriously.

“Conduct and cyber need to be treated with the same rigour as credit risk,” stated Alan Smith, Global Head of Risk Strategy and Senior Executive Officer of Group Risk at HSBC.

Giulio Mignola, Head of Enterprise Risk Management at Intesa Sanpaolo agreed, adding that, while cyber and conduct risk were less mature than credit risk, the discipline should be exactly the same: “You have to have a risk appetite statement, formulate a response, and make policy go all the way down the line to the operating processes.”

These two risks are financial at heart but also have impacts on customer loyalty and brand value.

For many years, cyber threats were considered technical issues, but banks are digital companies nowadays, he added: “We need to manage digital risk as a primary risk.”

And losses extend well beyond those that are tangible: “These two risks are financial at heart but also have impacts on customer loyalty and brand value,” says Giulio. “This soft effect is much more difficult to quantify.”

The insurance perspective

Insurance companies are also taking these risks seriously. Underwriting cyber risks is a massive growth area.

But how do insurance companies calculate the premiums? Rachel Conran, Chief Underwriting Officer at SCOR Group, walked us through the calibrations that she uses when underwriting corporate conduct and cyber risk.

“I look at the causes that lead to that conduct,” she began. “For instance, cultural cohesion. If the c-suite is an island, an inner circle of people, or there isn’t diversity and people that will challenge the board, that can ring alarm bells. What happens at the board level trickles down; the board set the cultural acceptance of a corporation,” she explained.

If the c-suite is an island, an inner circle of people, or there isn’t diversity and people that will challenge the board, that can ring alarm bells.

So Rachel watches out for things like whether family members are employed at the corporation, and the use of the corporation’s private jet - whether for personal use - in other words, the blurring of boundaries. That also includes looking at how people are remunerated - which shows how acceptable it is within the organisation to spend corporate money.

“If they are self-serving there are generally two effects among employees: people who would like what they’ve got,  and those that want to disrupt it,” she said. “Cyber attacks can be criminal or they can be perpetrated by an insider – those institutions that have the biggest difference between top and bottom, a them and us, will cause issues like these to become more prevalent.”

Indeed, this was why Mark Lynch, Cyber Analytics lead for EMEA at Aon Benfield had added employee monitoring, specifically employee satisfaction, to his list of things to look at. “Disgruntled employees can be often be the cause. So we might look at how many times the same job has come up for recruitment. Is there a lot of churn?” he said.

Investors and stakeholders also drive the behaviour of a firm. “For instance,” asked Rachel, “How easy is it for a member of the board to move out of a high return area of equity, because it’s high risk? Will they be under significant pressure not to, from shareholders who want those high returns?”

Cyber is an area of growth

Insuring companies for cyber risk is more than simply offering financial recourse, it’s about dealing with the response and the fundamental issues that occur immediately post-event, Mark argued.

“It requires a cultural change within the insurance sector, which is used to looking at bricks and mortar,” he added. “Cyber takes on a completely different perspective because it’s across countries, jurisdictions, and insurance frameworks.”

And that cultural perspective should apply to banking too, added Alan: “You can’t expect insurers to pay out for something we don’t understand ourselves.”

Cyber takes on a completely different perspective because it’s across countries, jurisdictions, and insurance frameworks.

And we can’t assess cyber risk in isolation, said Mark. “Suppliers, lawyers, tax accountants, there are lots of access points that you can’t control. There is so much outsourcing and third party vendors, these are all concentrations of cyber risk that can blow back to us.”

How do banks get hacked?

Banking is the best industry across the board in terms of risk management, but it was also the most targeted by hackers, thanks to the value of their data.

Some of those hackers are ethical, meaning that they are hired by an organisation to test their security systems, like Freakyclown, Co-Founder of Redacted, a company that advises firms on their security, both physical and cyber.

Any doubts about the importance of cyber risk were dispelled by the time FC left the stage.

He gave us a live hacking performance to show just how easy it was to access a company’s top secrets.

Within seconds, his fictional hacker “Alice” was able to enter the desktop of office worker “Bob”, who had clicked on an innocuous email.

On average, a hacker stays for 200 days in a system before being found. That’s over six months.

Within twenty minutes, Alice had managed to source usernames and passwords from others in the firm, climb up in privilege to beyond administrative level, and change the bank details and the amount of a payment that Bob was planning to process.

Without Bob ever having a clue.

Interestingly, FC explained how most hackers don’t use the information themselves. They take that access and sell it on to multiple people. He might find eight or nine different groups in a system that have got there this way. On average, a hacker stays for 200 days in a system before being found. That’s over six months.

“Banks are considered best of the best of the best, they do security really well, but they’re still not quite good enough. Just having security doesn’t mean it’s done well.”

Physical security is so easily flawed, he continued. “I look at most companies as an armadillo. A tough outer shell, gooey in the middle. Once you are past the outer perimeter you can do anything. And the perimeter is never that secure.”

To emphasis the point, he showed how a security door that cost in the region of £60,000 ($80,000) door could be breached - simply by spending a few hours watching it. “It had been left in engineer mode, which means that it was programmed to open every 15 minutes,” he said.  “Expensive doesn’t mean secure.”

Similarly, he displayed the pointlessness of using a shredder if the bags are then left on the kerbside for collection. “This is highly confidential data, but once it becomes rubbish they don’t care. It wouldn’t take long to put those documents back together.”

Spearphishing

The biggest risk to companies now is not hacking groups or nation states, it’s spearfishing, he warned.

“Around 30% of an organisation’s staff will click on a link in an unsolicited email. With training, that number can be reduced to 1%. But in a 10,000-strong organisation that’s still 100 people.

“Even if you email them and explicitly tell them “do not click this link”, 1% still click the link,” he said.

And it only takes one for things to go wrong.

What can you do?

“Know your information assets,” advised FC, “what you have that’s of value, what you have that others want.

“Approach it with an attacker’s eye view: perform penetration tests. Plan your incident response - and test it! Remember that people are at the core of your security, have an awareness of behaviour and security. Teach from the top down, people follow the c-suite , similarly, if they have security at home they are more likely to be aware of it at work.”

But ultimately, he urged us to adopt a “hacker mindset”: “Go back and up the game at your company.”