Banks and other financial services firms need to recognize the threats of cyber risk in a different way. Many have put in place thick walls to protect themselves. But firms cannot be protected at all times from a cyber-related incident. So putting in place structures, technologies and processes to ensure resilience—or fast recovery—is as much or more important than simply putting more locks on the doors or building stronger walls. See www.accenture.com/CyberRisk for more.

1. How to make
your enterprise
cyber resilient

2. Copyright © 2015 Accenture All rights reserved. 2Copyright © 2015 Accenture All rights reserved. 2
For more information, please visit: www.accenture.com/riskstudy2015
According to respondents from the 2015 Global Risk Research Study Cyber Risks
are set to rise and are high priority on the CRO agenda
74%
of insurance respondents expect cyber and IT
risks to become more severe
65%
of Banking respondents expect cyber risk
to become more severe
58%
of capital markets respondents expect an increase
in the severity of cyber risks
Cyber & IT Security Risk in Financial Services

3. Copyright © 2015 Accenture All rights reserved. 3
What is Cyber Risk?
Cyber
Risk
Reputational Risk
• Loss of Trust (internal and external)
• Brand Damage / Loss of Intangible Value
• Time intensive / costly to repair
• Need to embrace Digital
Technology and Operational Risk
• Failure of infrastructure, processes or systems
• Inability to operate/Run the business
• Requires regular planning and oversight
• Importance of effective and current controls
Fraud and Financial Crime
• Lost revenue and profit – high cost
• High velocity and high frequency/relentless
• Need to stay close to regulatory agenda
• Requires both business and technology solutions
Sources
of Cyber Risk
• Hacktivism
• Hacker / Lone Wolf
• Nation State Attacks
• Insider Data Leakage
• Social Engineering
Internal Origins
of Cyber Risk
• Digital Banking Services
• Payments
• Electronic Trading
• Third Parties
• Technology Infrastructure
Cyber Risk can manifest itself across several dimensions, making
it difficult to detect, measure, and control

4. Copyright © 2015 Accenture All rights reserved. 4
Protecting Against the Cyber Threat
is not a New Problem
• Linear or horizontal approach
is not working
• Large Institutions lack
the facts and processes
• Challenge to understand
what information needs to
be protected and the most
effective set of defense
mechanisms
• Companies that spend more
on cyber resiliency do not
necessarily manage cyber
resilience risk in a more
mature way
Cyber resilience is a continual challenge due to the exponential rate at
which people, processes and organization are connected digitally
Historical Methods
• It’s not possible to isolate
the risk
• Cyber risk does not respect
your organizational structure
• It’s not just a technology
problem, but rather
a technology, process
and people problem
• Firm that invest in and develop
cyber capabilities to instill trust
will have an competitive edge
in the digital era
New Paradigm

5. Copyright © 2015 Accenture All rights reserved. 5
Resilience
• Downtime/Loss of service
• Theft/Fraud
• Loss of data
• Impact to reputation/brand
The ability to operate the business processes in normal and adverse
scenarios without adverse outcomes
• Secure processes and systems
• Strong controls
• A strong risk culture
• Digitized/Automated processes
Resilient businesses have: Resilience Prevents:

6. Copyright © 2015 Accenture All rights reserved. 6
A Comprehensive Approach helps Protect the Full Breadth
of Entry Points and Operations which Underpin Financial
Services Organizations
Detect
IdentifyRespond
Prevent
Detection and
Identification – Tools
and metrics to identify
and log aspects to
manage operations
Operational Monitoring –
Aligning the tools to identify and
detect threats along with their
escalation and oversight
Event Response Plan – Structure
to identify and manage action plans
Business and IT
Controls – Oversight of
the controls and their testing
programs and how to leverage
COBIT®, ISA, ISO/IEC, NIST*
controls
Operating Model –
Specifying the structure with
people, organization, roles, tools
and processes to govern.
Crisis Management –
Structure to manage incidents
and notify impacted parties
Risk Events - Scenarios
which can impact the organization
specific to Cyber threats
Risk Identification – Aggregated set
of typical risk associated with Cyber Risk
How do we
respond?
What is the
impact?
How do we
organize?
How do we
monitor?

7. Copyright © 2015 Accenture All rights reserved. 7
Measurement with a Purpose
Observations and Hypotheses
• Customers
• Employees
• Partner/Third
Parties
• Business
Process
• Support
Process
• Other Process
• Software
• Configurations
• Access
Management
1. Without the right metrics, Cyber Risk
could become diluted and mis-
aligned to business value
2. Historical key performance indicators
(KPIs) may not provide insights
3. Board-level reporting has no clear
standards and could be out of sync
with the real threats
4. Techniques to model the scenarios,
risk events and residual risk across
the firm are not focused on cyber
threats
Process Technology
People

8. Copyright © 2015 Accenture All rights reserved. 8
Measurement with a Purpose
Common categories to consider for Cyber Risk Reporting
1. Board-Level Reporting 2. IT Risks 3. Operational
4. Advanced
Analytics
Infrastructure
Third Parties
SoftwareInternal
Employee Training
Data Loss Prevention
Employee Monitoring
External
Vulnerabilities
Surveillance
Funding
Risk/Reward
Decisions
IT Operations
Fraud
Target Residual Risk
Access
Management
Physical SecurityHigh Crimes and
Investigation
New FocusRenewed focus

9. Copyright © 2015 Accenture All rights reserved. 9
Embed the first line of defense within technology organization.
Create a centralized office with technology control officers across
business lines which just focus upon IT.
Cyber Risk Operating Models
An operating model helps define the organization’s accountability for
doing the work, supporting the right decisions and measure effectiveness
Centralize an entire department as 2nd line of defense with
examinations across the lines of business. Build highly specialized
team and track similar to compliance function.
Policy setting organization and influencer similar to data and
privacy. Develop risk frameworks around IT, Data integrity, and
operations and run as 2nd line of defense.
Create an enterprise-wide risk function dedicated to identify,
measure and respond to threats.
Option 1 – Dedicated
Function
Option 0 – IT Centric
Option 2 – Cyber Czar
Option 3 – Risk Led

10. Copyright © 2015 Accenture All rights reserved. 10
Operating Model Analysis
Each option should consider the tradeoffs with the firm’s ability to Prevent
and Detect Threats
Efficiency
Ability to Prevent and Detect Threats
Low
High
High
Option 0 – IT Centric
Option 1 – Dedicated
Function
Option 2 – Cyber Czar
Option 3 – Risk Led

11. Copyright © 2015 Accenture All rights reserved. 11
Operating Model Analysis
Each option should consider the tradeoffs with the firm’s ability to Prevent
and Detect Threats
Ability to Prevent and Detect Threats
Low
High
High
ValuetoCustomer
Option 0 – IT Centric
Option 1 – Dedicated
Function
Option 2 – Cyber Czar
Option 3 – Risk Led

12. Copyright © 2015 Accenture All rights reserved. 12
Operating Model Analysis
Each option should consider the tradeoffs with the firm’s ability to Prevent
and Detect Threats
Ability to Prevent and Detect Threats
Low
High
High
SpeedtoExecute
Option 0 – IT Centric
Option 1 – Dedicated
Function
Option 2 – Cyber Czar
Option 3 – Risk Led

13. Copyright © 2015 Accenture All rights reserved. 13
1. Training and Risk Culture – Taking your unique organization and infusing
the right cyber risk behaviors
2. Controls – Where are the weak points – build robust set of controls across
operations, business and IT
3. Measurement with a Purpose – What is going on without you knowing it –
creating metrics which help expose the risks
4. Operating Model – How do you work with the rest of the organization -
assigning clear lines of accountability and ownership
5. Resilience – At some point it will go wrong, how do you get the best
outcome from the worst situation?
The Top 5 Priorities to Get Right
Cyber Risk does not fit neatly into a single organization node to then be
managed and mitigated effectively

14. Copyright © 2015 Accenture All rights reserved. 14
A risk-based approach helps to set
priorities, establish a risk appetite (and
a budget) and bring order and priority in
place of reaction
Holistic Capabilities to help Deliver
Resilient Solutions
More institutions are focusing on a
better way to address the challenges of
cyber risk, but few have mastered it
Establish effective controls for people,
process and technology to facilitate effective
surveillance and improved incident
response to deliver resilient solutions

15. Glossary
COBIT: Control Objectives for Information and Related Technology. COBIT® is
a trademark of ISACA® registered in the United States and other countries.
ISA: Information Society of Automation
ISO: International Organization for Standardization
IEC: International Electrotechnical Commission
NIST: National Institute of Standards and Technology

16. How to Make your Enterprise Cyber
Resilient
Disclaimer:
This presentation is intended for general informational purposes only and does not take into
account the reader’s specific circumstances, and may not reflect the most current
developments. Accenture disclaims, to the fullest extent permitted by applicable law, any
and all liability for the accuracy and completeness of the information in this presentation and
for any acts or omissions made based on such information. Accenture does not provide
legal, regulatory, audit, or tax advice. Readers are responsible for obtaining such advice
from their own legal counsel or other licensed professionals.
About Accenture
Accenture is a global management consulting, technology services and outsourcing
company, with more than 358,000 people serving clients in more than 120 countries.
Combining unparalleled experience, comprehensive capabilities across all industries and
business functions, and extensive research on the world’s most successful companies,
Accenture collaborates with clients to help them become high-performance businesses and
governments. The company generated net revenues of US$31.0 billion for the fiscal year
ended Aug. 31, 2015. Its home page is www.accenture.com.
Accenture, its logo, and High Performance Delivered are trademarks of Accenture.

17. Learn more about cyber risk and resilience:
www.accenture.com/CyberRisk