Managing Information Risk in Financial Services Webinar Feb 26th 2014
presented by Colin Lobley
http://manigent.com/uk.linkedin.com/pub/colin-lobley/2/7/563
Many of the fines issued by the FCA over the past few years can be attributed to poor information management. The threats from external cyber-attack and malicious insiders are escalating, with your corporate and client information being the primary target of the cyber criminals. The legal requirement on UK businesses will evolve with the proposed EU data protection regulation likely to come into force next year. It is therefore critical to implement robust information risk management.
Managing Information Risk in Financial Services
1. Managing Information Risk
Putting the ‘I’ back in IT: Creating Tangible Value from the Intangible Asset
Colin Lobley
Director Information Strategy & Risk
2. Webinar Aims & Structure
Aims:
Provide evidence for taking an information risk approach rather than an IT/cyber security approach
Introduce practical concepts and approaches to managing information risk
Structure:
Why Bother with Information?
The Information Opportunity
Threats and Risks
Managing Information Risk
Current Approaches, Weaknesses and Common Barriers
Overcoming the barriers: concepts and approaches to managing information and information risk management: Processes, Systems, Governance and Culture
3. Manigent & Me
Director of Information Strategy & Risk.
14 years in strategy, programme and risk management; 6 years focused on the cyber threat environment.
2007 – Business Continuity Journal, Vol. 2, Issue 3: Ascertaining the behaviours and factors driving investment in high impact risks.
2008 – Manigent’s CEO created the Risk-Based Performance Management methodology.
Today – Building business resilience and enhancing performance by managing strategy and risk in today’s continuously turbulent, information-centric operating environment.
5. The Value of Exploiting Information: FTSE 350 View
A potential gain of £44bn gross operating profit per annum across the FTSE 350 from enhanced information exploitation.
Source: The Information Opportunity Report – Cap Gemini
6. The Value of Exploiting Information: Sector Comparison
Source: The Information Opportunity Report – Cap Gemini
7. The Value of Exploiting Information: Function Comparison
Other functions with >20% of respondents saying it would be a function of greatest potential: Marketing, HR, Logistics & Supply.
Source: The Information Opportunity Report – Cap Gemini
8. Information Risks: Personal Data Breaches per Sector
$215 (£129) per capita in financial services (direct).
But the indirect impact on financial services is huge – insurance and compensation claims.
Source: Cost of a Data Breach Survey 2013, Ponemon Institute
9. Personal Information Risk: Evolving Legislative Environment
New legislation and regulatory oversight are likely to make this worse.
Current: Data Protection Act (UK)
Enforced by the Information Commissioner’s Office
Maximum fine of £0.5m
To date largely a public sector focus (& Sony – £350k in a £170m+ incident)
The FCA also has the ability to fine
Zurich – £2.3m in 2010
New EU Data Protection Regulation in 2015 (est.):
Fines of 5% of turnover?
Criminal prosecution?
10. Information Risk: Financial Services Case Studies
J.P.Morgan International Bank Limited, 2013, £3.1 million – direct fine by the FCA for systems and controls failings. Highlighted issues:
Client files which were not kept up to date
A computer based record system that did not allow sufficient information to be retained, and suitability reports that failed to contain relevant client information
A 2 year persistent failing during which “JPMIB’s senior management did not have sufficient information and oversight tools to identify and address these deficiencies”.
Sesame Limited, 2013, £6m – fine for failings between 2005-2009 during which the:
“vast majority” of sales were flawed because of a “mismatch between customers stated investment objectives and attitude to risk and the product sold” and
“the suitability letters provided to customers stated incorrectly that income or capital growth was guaranteed”
Many others – TJX, Citigroup, Barclays, De-Vere Group, NASDAQ … and the list goes on.
11. Information Risk: Evolving Regulation in FS
Emerging Financial Services regulatory oversight (UK) is likely to lead to increased frequency and size of fines and stricter reporting.
FCA Risk Outlook 2013: “Increasing reliance on technology without fully understanding the consequent risks and dependencies”
The UK’s Financial Policy Committee stated that: “market participants had increasingly highlighted concerns about operational risk, including threats of cyber-attack” (June 2013) and called for “the boards of the relevant supervisory bodies to ensure that there was a concrete plan in place to deliver a higher level of protection against cyber-attacks for each institution at the core of the financial system, including banks and infrastructure providers.” (Sept 2013)
Waking Shark II report: “The PRA and FCA will coordinate to ensure dual-regulated firms are fully aware of the regulators’ incident reporting requirements and update frequencies.”
12. Information Risk: Linked with Conduct Risk
Customer Management was the #1 area businesses felt could be improved through better information exploitation.
The root cause of many FCA fines can be identified as poor management and analysis of customer data.
Conduct Risk Agenda: To make relevant markets work well so consumers get a fair deal.
Consumers get financial services and products that meet their needs, from firms they can trust;
Markets and financial systems are sound, stable and resilient, with transparent pricing information; and
Firms compete effectively, with the interests of their customers and the integrity of the market at the heart of how they run their business.
The risk is that poor information management will lead to bad conduct.
13. Conclusion: Information Exploitation and Risk
“Early adopters of effective information exploitation strategies are seeing real and tangible business performance improvements. Those that chose to do nothing have seen the gap between themselves and the market leaders widen.”
There are significant risks to:
The information you have, driven by the cyber threats
Failing to exploit what you have already
Not having the right information to exploit
Compliance with changing laws and regulation
15. The Traditional Approach …
[Diagram: the traditional chain of thinking]
- HACKERS / CHINA
- IT (CYBER) SECURITY
- LED BY CISO / IT DIRECTOR
- REACH FOR A STANDARD (ISO 27001)
- LOSS OF REPUTATION
… is immature and clearly not working.
16. Barriers to Exploiting Information
1. PROCESSES (110)
2. SYSTEMS (66)
3. PEOPLE – governance and culture (121)
Source: The Information Opportunity Report – Cap Gemini
17. Barriers to Managing Information Risk
The survey says …
Poor alignment between:
Information security strategy and business strategy
Information security strategy and risk appetite or tolerance
Security policies and business objectives
Security spending and business objectives
Budget constraints / insufficient capital funding
A lack of leadership from the CEO or Board
A lack of vision on how future business needs will impact security
I say …
PROCESSES: Complete failure of many businesses to articulate, manage and report the value of information and information risk, linking the benefits and risks to business drivers
SYSTEMS: Too much focus on IT systems and not enough on information systems – the asset of real business value
PEOPLE: CIOs’ focus on technology not information; lack of Board engagement on an “IT issue”; no ownership of information assets
Source: EY’s Global Information Security Survey; PwC Global State of IT Security Survey 2013 and associated PwC blog
18. Information-centric Business Systems & Processes
ICT &, more importantly, information are the key enablers of any modern business.
[Diagram: the information-centric business model, read from the top (strategic) down to the bottom (operations)]
- STRATEGIC OBJECTIVES
- DECISIONS (strategic)
- KNOWLEDGE
- INFORMATION (operational): USE, ACCESS, STORE, (ACQUIRE)
- DATA (operations): ANALYSE, PROCESS, COLLECT / GENERATE
19. People: Changing the Information Culture
Think of information as an asset of value:
“The value of the server [...] is probably negligible—it can be replaced quickly or its function can be moved to another server—however, the information asset stored on the container is not as easily replicated if compromised, and the impact to the organization is much more extensive.”
“An information asset is a body of information, defined and managed as a single unit so it can be understood, shared, protected and exploited effectively.”
“60% of the senior executives felt that the information within their organisation was being used for retrospective reporting rather than to point a path to the future – a clear sign of failure to use information for competitive advantage”
Source: Information Asset Profiling; James F. Stevens; June 2005, Carnegie Mellon University; The National Archives – Information Asset Factsheet; Harnessing information to enhance business performance, Cap Gemini
20. Process: Determine Information Value Drivers
“An organisation’s information assets were felt to be unique and therefore impossible to compare to the information assets of other organisations.”
Valuing information is unique to each business, depending on its business drivers.
Other drivers identified by businesses we have worked with include:
- Brand value
- Revenue generation
- Contribution to UK National Security
- Supplier expectations
Source: Harnessing information to enhance business performance, Cap Gemini; Manigent assignments
21. People: Governance of Business Systems & Processes
[Diagram: the information-centric business model with the owner of each layer]
- STRATEGIC OBJECTIVES and DECISIONS (strategic) – Main Board & Operating Board / Exco
- KNOWLEDGE
- INFORMATION (operational): USE, ACCESS – COO
- INFORMATION (operations): STORE, (ACQUIRE) – CIO & KIMs
- DATA: ANALYSE, PROCESS, COLLECT / GENERATE – CTO
22. Risk Systems & Processes
[Diagram: the chain from threat to business impact, read from the bottom (threat) up to the top (impact)]
- Business impact: REVENUE, REPUTATION
- Business consequence: POOR DECISIONS, OPERATIONAL DOWNTIME
- Information impact: INFORMATION UNAVAILABLE, THEFT OR LOSS OF INFORMATION, LOSS OF INFORMATION INTEGRITY
- ICT impact: UNAVAILABLE ICT, THEFT OR LOSS OF DEVICE OR SYSTEM COMPROMISED
- EXTERNAL THREAT / INCIDENT: MULTIPLE THREAT VECTORS, MULTIPLE THREAT ACTORS
- INSIDER THREAT / INCIDENT: MALICIOUS, NON-MALICIOUS
23. People: Changing the risk culture
“Before the risks to an information asset can be assessed, the tangible and intangible value of the asset must be known.”
“The existence of a significant [IT] vulnerability does not mean that an organization is at a significant risk. A vulnerability is only significant if it places a critical asset at risk. This is an important distinction because assets and their value to the organization determine the context for risk rather than the vulnerability itself.”
25. People: Risk Governance
[Diagram: the same threat-to-impact chain with the owner of each level]
- Business impact: REVENUE, REPUTATION – Board
- Business consequence: POOR DECISIONS, OPERATIONAL DOWNTIME – COO
- Information impact: INFORMATION UNAVAILABLE, THEFT OR LOSS OF INFORMATION, LOSS OF INFORMATION INTEGRITY – CRO & Risk Managers
- ICT impact and threats: UNAVAILABLE ICT, THEFT OR LOSS OF DEVICE OR SYSTEM COMPROMISED – CIO, CTO, CISO, Physical Security, Personnel Security / HR
- EXTERNAL THREAT / INCIDENT: MULTIPLE THREAT VECTORS, MULTIPLE THREAT ACTORS
- INSIDER THREAT / INCIDENT: MALICIOUS, NON-MALICIOUS
26. Risk-Based Performance Management (RBPM) puts it all together
[Diagram: the four RBPM disciplines and the question each answers]
- Strategy Management: What are we trying to achieve?
- Appetite: What is our Risk Appetite?
- Performance Management: Are we on track?
- Risk Management: Are we operating within appetite?
Underpinned by Governance & Communications and Culture.
27. The Risk-Based Performance Management methodology
[Diagram: the seven elements of the methodology, with Appetite linking strategy and risk]
1. Set Strategy
2. Manage Performance
3. Manage Risk
4. Appetite Alignment
5. Governance
6. Communications
7. Culture
Business Drivers shown around the model: Our People, Our Environment, Our Operation, Compliance, Our Economic Profit, Shareholder Value, Exploitable Reserves, Sustainability, Image, Profit.
28. The Risk-Based Performance Management change process
[Diagram: the change process, split into strategy formulation (Board) and execution (Executive)]
Formulation – Board:
- Define Strengths & Weaknesses
- Define Business Drivers
- Define Strategic Goals
- Define the Business Model
- Define the Strategy
- Define Strategic Objectives
- Define Strategic Risks
- Define Risk Appetite
- Define Strategic Controls
- Align Risk Appetite & Strategy
Execution – Executive:
- Define Indicators
- Define Assets, Systems & Processes
- Define Initiatives
- Define Operational Risks
- Define Operational Controls
- Assess Risks & Controls
- Monitor Appetite Alignment
29. Summary & Conclusion
Enhanced information exploitation offers huge opportunities – +27% operating profit in Financial Services, £44bn across the FTSE 350
Failure to manage the risks to your information and information processes leads to poor decisions and operational downtime, and will ultimately have significant financial and reputational impacts
The regulatory environment is changing – act now to future-proof your organisation and move beyond compliance to information performance
Managing information risk can help manage conduct risk
To embrace the opportunity and manage the risks we need to enhance our: Processes, Systems, and People
An integrated strategy and risk approach would be beneficial in developing a robust framework and implementing change.
30. Thank You for Listening! Future Events
Managing Information Risk in FS Workshop.
More detail and practical tools and techniques for managing information and its risks
More detail on the threat and additional case studies
Detailed discussion on the Information Lifecycle
Methods and approaches to identifying information assets and value
The use of value profiles to monitor and report on both value and risks / losses
Practical hands-on sessions
Date: 16th April
Time: 09:00 – 17:00
Location: London
Cost: £500 per delegate
Future webinars and workshops
Risk Based Performance Management
Driving Value from Conduct Risk
Integrating Balanced Scorecard and Risk Management
Building better indicators
If you want to talk further please get in touch
Colin Lobley | Tel: +44 (0)77 9519 6283 | E: colin.Lobley@manigent.com