These days, the job of managing risk for a large, multinational company no longer resides solely with the office of the chief risk officer. With the number and sophistication of threats continuing to grow, risk management must be a shared responsibility of all of an organization’s executives, employees, board directors, customers, and third-party suppliers.
The increasing threats are why, at FIS, we’ve created the motto: “Risk is everyone’s business.” I have the motto in my email signature and ask everyone at our company to live by it for our company and the customers we serve.
Risk is a complex domain that can be overwhelming to consider in its entirety. For simplicity, I boil it down to five main areas, each with a c-level champion to ensure proper prioritization and management:
At FIS, my team and I produce a monthly summary for our board on top risks in the industry and how we are addressing them. We routinely let our board know about cyber attacks within the industry, regulatory developments, and technology trends that could impact our risk profile, such as cloud-based computing, cryptocurrencies and the internet of things. We don’t wait to be asked about these issues at board meetings. This regular engagement keeps cyber risk and security on the board’s mind and helps them understand the issues, so they are better prepared to provide thoughtful feedback.
Cybersecurity risk is growing, and the financial services industry is under attack. According to Verizon’s 2020 Data Breach Investigations Report (DBIR), 86% of attacks are motivated by financial gain. Financial firms are defending immensely vulnerable systems designed to maximize speed and access. With COVID-19, the shift to digital transactions and remote working has dramatically expanded the attack surface. Using social engineering strategies like phishing and business email compromise on preoccupied customers and multitasking employees has made cybercrime even more profitable. Since the start of the pandemic, the UN estimates that phishing attacks are up 600%.
Ransomware especially is on the rise, and the amounts being paid are increasing. Officially, the US Treasury department has issued a warning that those who pay ransoms may be subject to penalties for violating sanctions against criminal groups sponsored by nation-states. However, the reality is that in the case of an attack that disables systems or encrypts critical data, firms may not feel that they have a choice. As long as firms keep paying ransoms, this attack strategy will continue.
Fraud and attacks targeting government stimulus programs such as unemployment benefits, payment protection programs, and business loans have exploded, and will continue to be targeted. In addition, malware is being hidden in resumes, medical leave forms and other types of documents now in wide circulation because of the economic impact of the pandemic.
Sadly, cybercrime is not only profitable; it is also not particularly risky - few threat actors are successfully prosecuted. Further, the availability of cybercrime tools and cyberattack programs for hire, such as malware, ransomware and DDoS, has created an asymmetric balance between cyber criminals and cybersecurity professionals. As a result, we can expect all these trends to continue, likely even beyond the pandemic.
Managing risk is a shared responsibility of all. Cyber risk is an uber risk that impacts all other risks to a firm. As such, boards need to engage and understand this risk in order to exercise proper oversight. Cyber risk is growing and always evolving; even firms who outsource their technology must constantly re-invest in the basics of cyber hygiene, access management, education, and testing.
© 2023 FS-ISAC, Inc. All rights reserved.
Greg Montana, Executive Vice President, Chief Risk and Section 16 corporate officer, leads a team of over 1,500 FIS risk professionals responsible for the strategic development and execution of FIS’ Risk, Cyber Security and Compliance programs. Mr. Montana reports to the FIS Chairman, President and CEO, and is accountable to both the Risk and Technology Committee and the Audit Committee of the FIS Board. Highly experienced in risk management, Montana has spent more than 20 years successfully managing risk at some of the world’s most recognized financial services institutions, including Bank of America, Lloyds Banking Group, Deloitte Consulting and JP Morgan Chase. Montana is a Certified Chief Information Security Officer (CCISO) and a Board Member of the Internet Security Alliance, the FS-ISAC (Financial Services – Information Sharing and Analysis Center) Sheltered Harbor Organization and the World 50 Chief Risk Officer Group. He is a holder of the National Association of Corporate Directors’ (NACD’s) Cyber Certificate and in March 2020 co-authored the incident response section of the NACD Board Handbook on Cyber-Risk Oversight. Montana holds a master’s degree in business administration from the Wharton School of the University of Pennsylvania and received a bachelor’s degree, cum laude, from Boston College. He received his Six Sigma Black Belt Certification from Bank of America.