Managing cyber risk is a challenge, especially for companies in financial services. This is partly because cyber risk is generally approached differently from traditional risk. For example, in cyber risk management it is acceptable to describe risk in words, such as risk profile and risk tolerance, rather than in numbers, which would be simpler. Cyber risk experts measure the success of their standards and frameworks by whether an identifiable vulnerability remains in their defenses.
At times it seems that the only group with a simplified cyber model is the adversaries. They follow a relatively straightforward process: find the weakness, wait patiently, and then monetize the stolen assets.
The New York State Department of Financial Services has determined cyber to be the No. 1 threat within its jurisdiction and made cybersecurity compliance certification mandatory for financial services firms as of March 1, 2019. A company deemed to be a “covered entity” must have a cybersecurity program with written policies and procedures to protect itself. While the agency provides ample material outlining these regulations, it offers minimal direction on how to lower cyber risk.
Reducing this risk requires a directly proportional relationship between risk measurement and costs. Here are six steps that financial services firms in New York should consider to lower their risk profile.