Resistance to cyber attack is undoubtedly valuable and can produce effective outcomes. However, resistance is expensive and there is a law of diminishing returns on the investments made in resistance, Moreover, because the preparations and mitigations employed in resisting attacks are often specific to particular, point-in-time threats, ongoing resistance is both complex and fragile — unexpected shifts in attacker tactics can bypass existing defences and leave organisations struggling to deploy new controls at an appropriate pace. Faced with the total capabilities of nation-state attackers or state-sponsored cybercriminals, many organisations are unable to deploy effective controls quickly enough or spend enough money to completely mitigate the totality of the threats they face.
“Financial firms should assume they will be subject to destructive attacks and develop capabilities and procedures to resume operations. Financial firms also need to be ready to quickly restore computer networks and technology-enabled operations in response to known or unforeseen threats that could cause catastrophic disruption.” Financial Stability Oversight Council (FSOC) 2015 Annual Report
Similarly the assumption that an organisation will be able to function near normally and recover quickly in the face of a cyberattack has been challenged thanks to the growing systemic and endemic exposure to cyber risk in our digital society has been identified by regulators and cyber reinsurers who look beyond single organisational boundaries.
“Current preventative and disaster recovery measures may not be able to stand up against a large-scale and co-ordinated attack.” Cyber-crime, securities, markets and systemic risk, IOSCO Staff Working Paper, July 2013
The systemic risk from cyber attack has come into focus for financial services regulators who have as a result of the 2008 financial crisis identified the interdependent, inter-connected and non-substitutable nature of the services that power the sector. The Financial Stability Board, guided by the G20 leader’s commitment in Washington in 2008, has been building a more resilient financial services sector. This has happened against a backdrop of increasing cyber-attacks and visible targeted attacks which has highlighted to regulators the emerging systemic cyber risks. Financial services regulators are now reaching consensus on the need for regulated Cyber Resilience in their sector.
“The focus on credit, market and liquidity risk over the past five years may have distracted attention from operational, and in particular cyber risks, among financial institutions and infrastructures. This is a rapidly rising area of risk with potentially systemic implications. It calls for a system-wide response.” Andrew Haldane, Executive Director of Financial Stability at the Bank of England, Written submission for the House of Commons Treasury Committee, June 2013
Building cyber ‘levees’ is no longer enough; leading cyber professionals and regulators are starting to consider the cyber equivalent to ‘shelters and evacuation plans’ to address the inevitable situations when levees are breached. A move from purely resisting damage to also absorbing damage; from continuing to operate normally, to planned, graceful degradation; from no disruption to unavoidable delay in recovery; and from simply preventing attacks to limiting the scope and damage caused by unpreventable attacks.
This is not to say that resistance is no longer important, or that resistance and resilience should be viewed as mutually exclusive concepts; rather, companies must strike a balance between resistance and resilience, driven by clearly articulated risk appetites and efficient use of limited budgets.
“Customarily, organisations have focused on protection against cyber-attacks. However, a resilience-based approach to cyber-attacks is vital for organisations to better adapt to change, reduce exposure to risk, and learn from incidents when they occur.” Cyber resilience: Health check, Australian Securities & Investments Commission, Report 429, March 2015
Effective cyber security strategy employs resistance to the extent practically possible, and resilience where resistance is not practically feasible.
This complete blog series can be found here: