I don’t envy regulators their task of ensuring the firms they supervise are managing their cyber risk well.
The increasing dependence of firms and whole sectors on information technology (IT) and operational technology (OT) was always a creeping concern but has accelerated dramatically as a result of the ‘digital’ movement in large firms and the oncoming storm of the ‘Internet of Things’ (IoT). Governments around the world have woken up to the potential systemic and infrastructural threats to national security and national economies and have tasked regulators with ensuring these risks are appropriately addressed.
The executive management and boards of most firms are full of competent and even effective financial managers and business leaders. However, few people in these roles are ‘digital natives’ and so there is little true understanding of the nature of their increasing exposure to cyber risk. Regulators are in a similarly precarious position and find themselves responsible for ensuring the appropriate management of risks they don’t understand by firms who themselves don’t understand those risks where there is little or no science or even effective standards to rely on.
Traditional supervision of information security as an operational risk relied on checklists or control standards, with a punctuated series of reviews that identified gaps from these lists and then focused on large programmes to ensure these gaps were mostly filled. This was no inherently bad thing, ask an airline pilot if they should stop using checklists, but cyber and the active adversaries we now face has upended this approach. Leading defensive practices are developing ahead of standards, given the pace and scale of breaches in the real world there is no confidence that the checklists or standards we have used actually reduce the risk materially as we face adversaries that seize upon any tiny gap or weakness to attack us. There is no ‘good enough’ in cyber risk any more.
The UK government has signaled on a number of occasions that their ‘leave it to the market to solve’ approach to cyber has not delivered the results they were hoping for. The frustrations among those responsible are palpable. There is likely to be more regulation and potentially even legislation around cyber risk as the government tries to tackle what appears to be a lack of will to take cyber risk seriously. In defence of many boards there are few (if any) material realised cyber risks visible in published company accounts and almost no executive management and board level casualties of cyber risks to drive engagement with the issue as a fiduciary responsibility, the publicised breaches all tend to be survivable, relatively small risk events, the larger breaches are not publicised.
More engaged regulators such as UK financial services regulators the PRA and the FCA have moved to an outcomes-based measurement of risk management. Making the assumption that perfect security cannot be achieved they have established schemes such as CBEST to measure how well firms respond to serious cyber attacks. Making the assumption that supervised firms are not gaming these results then the results effectively measuring a firms resilience to a real world risk scenario provides as good a measure of cyber risk management as can likely be achieved for now.
My understanding is that regulators outside of financial services are looking at the CBEST intelligence-led red-teaming approach and considering a similar form of measurement. There are already issues as to how CBEST itself will scale to non-systemically important financial institutions (The CBEST 2.0 question) and extending the approach to other sectors is going to run into a severe shortage of skilled red teamers. We may also want to ask whether we want to drive the development of a large corps of individuals with red team skills.
These exercises are still producing a series of punctuated reports full of gaps and recommendations to be addressed. These irregular drops of supervisory criticism lead to the non-specialists on supervised firms looking at cyber as a series of regulator-driven programs with clear end dates. Unfortunately cyber risk doesn’t have a start and and a stop, it is an environmental risk that will always exist to varying degrees and adopting a stop start response to that risk will increase the possibility that a firm is always playing catch up, never quite achieving the ‘just good enough’ they think they are buying with their money and time.
I think it is likely that the future of cyber regulation will need to adopt a less punctuated process and become a more continuously monitored risk. There are interesting early signs of regulators looking at data platforms and technologies to consume feeds of measurements from supervised firms provide near-real time views of market and credit risk in financial services and it is not a leap to consider a similar approach in cyber risk supervision. There has been a rapid take up of cyber monitoring as a potential defensive detective control and extending the cyber monitoring capabilities of firms to provide feeds of data to regulators is a hard problem but by no means a wicked problem. Making sense of those feeds… that’s a different matter.
There is another opportunity here, one of the problems in a firms cyber risk management is frankly their inability to reliably judge their cyber risk dependencies among their cyber counter-parties such as other market players or suppliers. A regulator with access to continuous monitoring of cyber risk can feedback on a firms cyber risk in their dependencies, in the organisations they don’t control and currently have limited visibility of but to whom they entrust data and processes or trust with privileged access. That feedback loop might move the market to start addressing some of the systemic risk issues that worry governments.
I think it won’t be enough for regulators to sit outside the industries they regulate and point out the obvious flaws that specialist practitioners on the inside are already aware of and frankly are documented regularly in the Financial Times, I think regulators will have to take an active role in providing cyber risk intelligence to their supervised firms. A rising tide lifts all boats.