Anthony Peccia

Technology and Cyber Risk



“The important and difficult job is never to find the right answers, it is to find the right question.”

—PETER DRUCKER


The Practice of Management. Should be studied by all business managers.



So what is the right question for Technology and Cyber risk management?


Risk management consists of identifying the exposure, implementing controls to contain the potential financial and reputational losses within the Risk Appetite, having the resources and a plan to recover rapidly from a loss after it happens, and having the right governance to manage all of these effectively. We will therefore start with exposure. The right question, then, is: what is the exposure?


A quick search for types of cyber risk on the internet will produce a long list such as

  • Data breaches,

  • Phishing attacks,

  • Malware attacks,

  • Ransomware attacks,

  • DDoS attacks,

  • Password breaches,

  • Insider threats,

  • IoT threats,

  • Cloud risks, etc.


If you search for technology risk, the list will include data breaches, cyber-attacks, and system failures.


Familiarize yourself with each of these and test your understanding by explaining each to one of your group members.


After you have completed this exercise, consider the following questions:

  1. Are technology risk and cyber risk the same? From the above, there seems to be at least some overlap.

  2. Can the list be structured as a MECE (mutually exclusive, collectively exhaustive) set of categories? Perhaps breaches, attacks, threats?




All you need to know about Cyber Risk:


Cybersecurity management is the application of the ECRG framework to ensure that information is available to whoever is authorized to access it, that sensitive information is kept confidential, and that the information has integrity.






The State of Cyber Risk Management And Industry Survey by Deloitte


The shift toward remote work and virtual customer engagement in the financial services industry appears to have fueled not only digitalization but also several changes to the cybersecurity landscape. This article takes a fresh look at cybersecurity through the lens of a leadership survey and reveals what changes might be ahead for the sector.




Quantifying Cyber Risk: Factor Analysis of Information Risk (FAIR)


For the FAIR approach to quantifying Cyber Risk, see:


The FAIR Institute site is a valuable resource for exploring cyber risk topics, especially the quantification of cyber risk:




58 Comments


Last week, I came across a report discussing how bots create fake social media accounts to spread negative misinformation, which contributed to a surge in withdrawals at First Republic Bank. Does this have any connection to the CIA?


How can the institution ensure that the scenario testing conducted on its existing defenses is sufficient for risk management, given the rapid advancements in technology within the computer science industry? Is it necessary for the company to conduct scenario testing whenever there are new developments in cyber-attack techniques?


The Deloitte survey suggests that remote work and digitalization have reshaped the cybersecurity landscape. In what ways can businesses adapt their cyber risk strategies to account for these shifts, and what unique vulnerabilities might these trends introduce?


The role of the ECRG framework in cybersecurity is a key point, as it emphasizes ensuring the availability, confidentiality, and integrity of information, at the heart of financial institutions' particular vulnerability to cyber threats in today's digital environment. But given that more and more banks are now doing digital transformation, what are some of the practical ways that financial institutions can strike a balance between maintaining strong cybersecurity and rapid digital transformation?


zoey.zhu
Oct 31

The FAIR model offers an interesting approach to quantifying cyber risk, moving away from traditional qualitative assessments to a more data-driven methodology. Another question is how companies handle data limitations when using the FAIR model. If there isn’t enough historical data for certain risks, does the model still provide reliable insights?
