|
Part-time or new to
the role
No dedicated
resources to project
management
Project criticality
Low
Medium
High
Project complexity
Low
Medium
High
Mitigating action
plans
Completed
On track, but not yet
in place
Missing or not
started
Dependencies/single
point of failure
(e.g., key people)
None
One
More than one
Deliverables
All on time
1–3, non critical
One or more key
deliverables overdue
Testing phase (IT
deliverables)
As planned
Expected to be
reduced
Reduced by
>
15%
CHAPTER
18
Information Security Risks
C O N T E X T
Information security risks (ISR) and cyber risks have probably been the greatest
concerns for operational risk in recent years. The community of operational risk
practitioners, through the yearly risk.net survey, designated cyber risk as the number
one risk for three years in a row (2015–2017). In 2018, cyber risk was separated into
IT disruption (voted number one), data compromise (voted number two) and fraud
and theft (voted number four).
Today’s information and data are yesterday’s gold bullions. Value has changed and
so has the means of transfer and the associated opportunities for crime. Unlike gold
or physical values that can be spent only once, information can be used and traded
multiple times even when its usage remains invisible to some parties, including its
owner. And when it becomes visible, the damage to reputation can be significant, and
sometimes fatal.
Contrary to what some people claim, cybersecurity is not all about behavior and
people risk. However, cyber risk cannot be minimized through technical solutions
alone; cyber criminals will always find ways to profit from the mistakes and careless-
ness that are part of human behavior. Moreover, information can be lost, disclosed or
corrupted by many other means apart from cybercrime.
This chapter explores different types of information security risk and some of the
key controls that resulted from a thematic review of information security risks I con-
ducted in a European organization in 2017.
D A T A B R E A C H E S A N D H E A D L I N E N E W S
The box presents four public case studies of data breaches: two resulting from
cyberattacks and two from internal leaks, including through a third party. They
illustrate the types of reputational damage that can follow large data breaches; all
193
Operational Risk Management: Best Practices in the Financial Services Industry, First Edition.
Ariane Chapelle.
© 2019 John Wiley & Sons Ltd. Published 2019 by John Wiley & Sons Ltd.
194
RISING OPERATIONAL RISKS
the firms mentioned here made the news, but with different intensity, reflecting their
brand recognition. Unsurprisingly, the Facebook scandal generated the most attention,
even though it wasn’t a cyberattack. Paradise Papers made the headlines for a few
weeks, due to the high profile of the personalities involved, who included royalty.
Interestingly, the company at the center of the hack survived. Equifax was laughed
at in many circles, replaced all its senior management and is facing a class action
lawsuit, but the company’s future doesn’t seem in jeopardy. Very few noticed the
hack of the U.K.-based insurance company in our fourth case study, apart from the
regulator and some of the company’s clients, therefore I do not mention the company’s
name here. The company suffered internally and with its regulator, but there were few
news reports. Cambridge Analytica is the only company to have filed for bankruptcy
in this sample. Crises, resilience and reputation will be addressed in the last chapter
of this book.
C A S E S T U D I E S : I N F O R M A T I O N B R E A C H E S
A N D T H E I R I M P A C T
1.
The Paradise Papers
In the second largest data hack in history, 1.4 terabytes of private
information from an offshore law firm tax advisor was leaked to the media
(International Consortium of Investigative Journalists).
Appleby, an offshore legal firm, was the victim of a major data leak
regarding offshore structures and the wealth of thousands of A-list person-
alities and firms. Three hundred and eighty journalists dedicated a year to the
investigation of documents spanning 70 years. Top personalities, members
of government, corporations and even countries were exposed to reputation
damage and public outcry. At the time (November 2017), it was the largest
leak since Wikileaks. Appleby’s clients include all major banks. The com-
pany is still in operation in 2018.
2.
Equifax
The credit-scoring firm was the victim of a hack that exposed the data
of 145.5 million customers, the equivalent of half of the U.S. population.
The cause was an external intrusion on Equifax servers following an
unpatched (known) vulnerability. The vulnerability should have been
patched in 48 hours according to company policy, but was unresolved two
months later when the intrusion started (May 2017). The company noticed
the breach in July 2017 but did not make it public until September 7 of
that year. The concealment attracted heavy criticism. The chief information
Do'stlaringiz bilan baham: |
