January 31, 2020
FinTech institutions are facing more cybersecurity threats than ever before, but many remain poorly equipped to deal with them. In many startups, cybercrime is seen as a risk of doing business and is typically tackled through mitigation, governance, and compliance processes. Cyber risk analytics is a more direct approach to cybersecurity. It provides a data-driven methodology that turns potential risks (and their costs) into real, measurable metrics.
There are many benefits for financial institutions in implementing cyber risk analytics. Security professionals are able to show real-world ROI in their work, and executives are able to gain a much deeper insight into the risk landscape they face. That’s why several of the leading SaaS providers have already implemented the system.
In this article, we’ll explain what cyber risk analytics is, how it can be used to create a more cohesive security architecture for FinTech firms, and why that is important.
Cyber risk analytics is an approach to managing cyber risk that seeks to use real-world data to make investments in cybersecurity more effective and transparent.
This approach has been addressed by a number of movements in the cybersecurity industry. One is that, although complex networks are getting harder to secure, monitoring and assessment software has also given cyber analysts much greater access to data on the granular way in which such systems are functioning. Marketing and development departments are now "data-driven" by default: cyber risk analytics apply the same techniques to the management of cybersecurity.
A second issue that cyber risk analytics seeks to address is how historically cybersecurity has been regarded as two separate sets of processes. IT departments were charged with protecting systems, while risk analysis departments were charged with insuring against the damage caused by cyber breaches. Without data being passed between these two departments, it has been extremely difficult to assess the actual risk (and potential cost) of security vulnerabilities.
A good example of this is insurance against data breaches. In recent months, tensions between the US and Iran have spooked markets and led to cybersecurity premiums rising. Many firms accepted this increase on faith, because almost no analysis had been done on the actual level of risk they face, nor the consequences of falling victim to such an attack.
In practice, implementing cyber risk analytics means empowering IT and cybersecurity staff with the tools they need to monitor and assess the level of risk that your systems face. In most cases, this will require the average FinTech firm to buy a cyber analysis software suite, and budget for the time required to run security scans.
The approach taken to monitoring and testing systems should include a number of components. FinTech firms should definitely scan for intrusion attempts and catalog these by potential severity. They can also make use of chaos engineering to better understand how unplanned downtime will affect the security of their systems.
This type of analysis should include all levels of security architecture – from scanning for common website vulnerabilities to utilizing encrypted VPN services for protecting your connected systems to preventing more exotic threats like encrypted malware or insider hacking.
Once continuous monitoring of this type is in place, the results should be widely distributed across an organization. The most critical linkage in the security architecture of firms using cyber risk analytics is between cybersecurity staff and the executive level because the outcome of this kind of analysis will have a direct effect on decision-making processes.
The results of cyber risk analysis should also be distributed to marketing teams, outreach staff, and business managers in order to help them better understand the consequences of their actions in terms of cybersecurity.
Continual communication is key within the cyber risk analysis framework, but it must be undertaken in a language that is understood by target groups. Cybersecurity professionals should be able to understand the language of board members and executives, but also be able to explain to end-users the implications of their analyses.
This latter form of communication has become particularly important for tech companies, including those in the financial sector, owing to the rise of software-centric business models. As we've pointed out in our analysis of banking as a service, FinTech companies that generate income from this model needs to be able to explain to their users the importance of maintaining good cybersecurity (both in practice and at a technological level), and one of the most effective ways of doing this is to present the results of cyber risk analysis.
When looked at from the opposite perspective, cyber risk analytics also provides huge benefits for cybersecurity staff. Because this approach generates vast amounts of real-world data, this data can then be used to argue for increases to a firm’s cybersecurity budget or to justify the purchase of advanced tools to increase the resilience of systems.
Cyber risk analytics is a particularly powerful way of achieving this because the approach automatically produces the kind of data that executives understand – metrics such as the number of threats defeated per day, or the efficacy of intrusion prevention tools. The cost of these tools can then be seen in direct correlation to their efficacy, and their ROI calculated.
Though the concept of cyber risk analytics is a relatively new one, most successful FinTech firms will already have in place a management system that closely resembles the description above.
The value of cyber risk analytics is, therefore, more one of degree than of essence: by imbuing management systems with the central insights of this approach, financial firms will be able to integrate their security architectures into a more cohesive whole.