Based in Denver, CO, Agile Ideation collects the thoughts and experiences of Ed Schaefer. His posts explore agile and devops related topics as he works to maximize team effectiveness and minimize waste through continuous learning, coaching and empowering teams.

Risk Management Planning

As the use of technology, especially internet-connected devices, becomes ubiquitous across every industry, the number of risks an organization faces daily keeps growing. As a result, effective information system risk management will be even more important in the future than it is today. Risk management is the process by which risks are identified, assessed and prioritized so that controls can be put in place to reduce them to a level the organization can live with. The first step, identification, requires the organization to generate a list of all potential risks and the vulnerabilities that could be exploited to realize them. No matter how unlikely or ridiculous an idea may seem, it belongs on the list at this stage; pruning happens during assessment, not identification. Next the risks must be assessed and prioritized. A thorough assessment evaluates the potential of a risk to cause harm, its likelihood of occurrence, the costs or consequences should it occur, and a list of candidate controls. Based on the results of the assessment, the risks are ranked so the highest-priority ones are addressed first. The final step is to implement the chosen controls.

Risk controls generally fall into one of four categories: avoidance, transference, mitigation, and acceptance. As used here, avoidance means putting controls in place preemptively to limit exposure to specific risks; this could involve network controls, physical security, and keeping software patches up to date. (Many risk frameworks would file those preventive controls under mitigation, since they reduce likelihood rather than eliminate the activity that carries the risk; the important thing is to apply whichever definitions the organization uses consistently.) Risk is rarely transferred outright, because liability to clients and regulators and the reputational damage of an incident stay with the organization, but the cost of a loss can be shared with or delegated to an organization better suited to control against it. Certain organizations build their entire business on being the best, most secure provider of a service that many other organizations use, and insurance companies exist for the singular purpose of hedging against potential future losses. Where avoidance attempts to prevent a risk from happening at all, mitigation is being prepared to deal with and resolve a risk once it has materialized. Mitigation is the process of responding to the incident and may require the use of business continuity or disaster recovery plans. The final control category is acceptance. If a thorough analysis has been performed and it is determined that the cost of protecting against a risk is too great compared to the threat it poses, it may make sense for an organization to do nothing and accept the risk. Acceptance should be a documented decision with an owner, not the default that results from never getting around to a control.

Well thought-out risk management is especially important in the financial industry. Large financial institutions face many of the same risks as other organizations, plus some that are unique to the industry. The financial industry is a prime attack target, as a successful intrusion has the potential to be very lucrative for an attacker. Two areas that are especially prominent in finance are phishing attacks against clients and employees, and mandatory adherence to regulatory requirements. While these two fall on opposite ends of the spectrum, both require a substantial amount of time, money and training to be handled properly. If regulatory mandates are not followed, a financial organization could face serious penalties; if phishing attacks are not properly mitigated, the organization and its clients could face substantial losses.

Phishing

Identifying: Identification of phishing attempts is becoming increasingly difficult due to the variety of attacks. Any phishing technique used against other industries can be applied to the financial industry. An attacker may call the help line posing as a client, calling repeatedly if necessary until they reach a representative who does not follow the verification procedure (voice phishing, or "vishing"); fake emails may be sent to clients in an attempt to obtain user names and passwords or to lead them to a malicious website that imitates the firm's own.

Assessing and Prioritizing: All phishing attempts should be a high priority. Anecdotally, for a financial firm that works with clients, phishing attempts are virtually guaranteed to occur. If an attempt succeeds and controls are not in place, the potential for substantial harm is high.

Controlling:

Avoidance – There is no real way to avoid all phishing attempts. By explicitly telling clients that official emails will never contain links and that the website will never ask for certain personal information, some web-based, client-directed attacks can be avoided. This only works if the firm actually holds to the promise; a single legitimate marketing email with a login link trains clients to click. Even then, many clients may still be tricked.

Transference – The risk associated with a phishing attempt has limited transference. Many firms maintain a 100% fraud guarantee, so the loss cannot be placed on the client instead of the firm. Insurance can be used to share the cost of reimbursing a client in the event of theft, but it does not share the reputational cost.

Mitigation – The vast majority of controls related to phishing mitigate the risk as best they can. These include compliance training so employees can recognize phishing attempts; holds on transfers or withdrawals of assets when account information (contact details, passwords, linked bank accounts) has recently changed; and client notification by phone call or email whenever information is changed or money is requested. Such notifications should go to the contact details that were on file before the change, since the new ones may belong to the attacker. For client web access, multi-factor authentication can be enforced through the use of security tokens. Inside the company, daily "code words" can be used as employee authentication, with the caveat that a shared secret can itself be phished out of an employee and should supplement, not replace, calling the requester back on a known number.
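The transfer-hold and notification controls described above can be expressed as a small policy check over an account's change history. The following is an added example, not code from the original post or from any firm's systems; the seven-day hold window, the list of sensitive fields, the Change/Withdrawal/Decision types and the sample account history are all assumptions constructed for illustration. It holds a withdrawal that follows an unverified sensitive change, alerts the pre-change contact address, and always notifies the client of record that money was requested.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Policy parameters are assumptions for this example, not figures from the post.
HOLD_WINDOW = timedelta(days=7)   # hold outgoing transfers this long after a sensitive change
SENSITIVE_FIELDS = {"email", "phone", "address", "password", "linked_bank"}
CONTACT_FIELDS = {"email", "phone"}


@dataclass
class Change:
    """A change to account details, as recorded in the account's audit trail (assumed shape)."""
    when: datetime
    attribute: str
    old_value: str
    new_value: str
    verified_out_of_band: bool = False   # confirmed by a call-back to the previously known number


@dataclass
class Withdrawal:
    when: datetime
    amount: float
    destination: str


@dataclass
class Decision:
    action: str                                         # "allow" or "hold"
    reasons: list = field(default_factory=list)
    notifications: list = field(default_factory=list)   # (destination, message) pairs


def evaluate_withdrawal(changes, request, current_email):
    """Hold a withdrawal that follows an unverified sensitive change within HOLD_WINDOW.

    Alerts about a held request go to the contact details that were on file *before*
    the change; the new ones may belong to whoever took over the account.
    The client on record is always notified that money was requested."""
    decision = Decision(action="allow")
    for ch in changes:
        age = request.when - ch.when
        if ch.attribute not in SENSITIVE_FIELDS or age < timedelta(0) or age > HOLD_WINDOW:
            continue                      # irrelevant field, future-dated, or outside the window
        if ch.verified_out_of_band:
            continue                      # the client confirmed this change by call-back
        decision.action = "hold"
        decision.reasons.append(
            f"{ch.attribute} changed {age.days} day(s) before the request without verification")
        if ch.attribute in CONTACT_FIELDS:
            decision.notifications.append((
                ch.old_value,
                f"A withdrawal of {request.amount:,.2f} to {request.destination} was requested "
                f"shortly after your {ch.attribute} was changed. Call us if this was not you."))
    decision.notifications.append(
        (current_email, f"A withdrawal of {request.amount:,.2f} to {request.destination} was requested."))
    return decision


def demo():
    """Constructed scenario: a verified address change a month ago, then an unverified
    e-mail change and a new linked bank account in the days before a large withdrawal."""
    t0 = datetime(2014, 3, 1, 9, 0)
    changes = [
        Change(t0 - timedelta(days=30), "address", "1 Main St", "2 Oak St", verified_out_of_band=True),
        Change(t0 - timedelta(days=2), "email", "alice@example.com", "alice.new@example.net"),
        Change(t0 - timedelta(days=1), "linked_bank", "****1234", "****9876"),
    ]
    request = Withdrawal(t0, 25000.00, "****9876")
    return evaluate_withdrawal(changes, request, current_email="alice.new@example.net")


def demo_verified():
    """Same request, but the only recent change was confirmed by call-back: allowed."""
    t0 = datetime(2014, 3, 1, 9, 0)
    changes = [Change(t0 - timedelta(days=2), "email", "alice@example.com", "alice.new@example.net",
                      verified_out_of_band=True)]
    return evaluate_withdrawal(changes, Withdrawal(t0, 25000.00, "****1234"), "alice.new@example.net")


if __name__ == "__main__":
    for d in (demo(), demo_verified()):
        print(d.action)
        for r in d.reasons:
            print(" -", r)
        for dest, msg in d.notifications:
            print(f"notify {dest}: {msg}")
```

The verified-change path is the important edge case: a hold that cannot be lifted by a call-back to the old number would block legitimate clients who really did move or change email, so the audit trail needs to record that verification, and the rule needs to honour it.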

Acceptance – Successful phishing attacks would cost organizations millions of dollars if they were simply accepted. It is still important for an organization to accept that, no matter the controls in place, some attack will eventually succeed and will have to be handled. Obtaining insurance is, in a sense, an admission that the organization accepts this.

Regulatory Requirements

Identifying: Identifying the regulatory requirements themselves should not be difficult. In some cases regulatory text can be verbose, so it is important for an organization to pin down exactly what is being required. Requirements can also be ambiguous, which gives an organization some flexibility in how a requirement is interpreted; the chosen interpretation and its rationale should be written down, since an auditor or regulator may later ask for it.

Assessing and Prioritizing: Regulatory changes generally come with a deadline; combining that with the estimated time to complete the work and any budgetary concerns determines the priority of individual requirements. As a whole, regulatory requirements will typically be among the highest priorities. Assessment includes determining how the organization can meet the regulation, what steps need to be taken, which systems will be impacted and how, and what is needed for any associated client notification or employee training.

Controlling:

Avoidance – Regulatory requirements cannot be avoided. In some cases a regulation may change again before the organization has implemented it, but this is unlikely, and it only avoids a single requirement that will be replaced by something new.

Transference – Using third-party software solutions can shift some of the cost of becoming compliant to the vendor. When cost basis reporting requirements changed, for example, an organization with its own cost basis system had to update it. By using a third-party cost basis system, the update may now mean applying a vendor patch instead of building the change in house. The obligation to comply, and the penalty for failing to, still rest with the organization, so vendor delivery dates need to be tracked against the regulatory deadline.

Mitigation – The risk of failing to comply with regulatory requirements is so substantial that the only real form of mitigation is finding the fastest, easiest, most effective and efficient way to comply. A flexible platform that does not make changes difficult to implement is one of the best ways to be prepared for changes with a short turn-around time.

Acceptance – In some cases an organization may determine that it will not be able to meet a change by its deadline. If this occurs, the organization must be prepared to accept the consequences. It is also important to accept the fact that, much of the time, changes to meet regulatory requirements will take precedence over other projects.

Of course, these are only two examples of what a successful information system risk management strategy must address. Security is a very high priority in the financial industry, and all risks, from those that may impact a client or an employee, to physical security, to data protection, must be considered. Financial organizations also practice risk management daily outside the scope of information systems, whenever investments and predictions are made. Given both the need for strong information security and the risk inherent in high-stakes investments, it is clear that strong risk management planning is of the utmost importance in the financial industry.