CybeRisk Management in Banks: An Italian Case Study

The financial sector is exposed to the risk of cyber-attacks like any other industrial sector. Furthermore, the topic of CybeRisk (cyber risk) has become particularly relevant given that Information Technology (IT) attacks have increased drastically in recent years, and cannot be stopped by single organizations requiring a response at international and national level. IT risk is never a matter purely for the IT manager, although he clearly plays a key role. A bank's risk management function requires a thorough understanding of the evolving risks as well as the tools and practical techniques available to address them. Upon the request of European and national legislation regarding CybeRisk in the financial system, banks are therefore called upon to strengthen the operational model for CybeRisk management. This will require an important change with a more intense collaboration with the structures that deal with information security for the development of an ad hoc system for the evaluation and control of this type of risk. The aim of the work is to propose a framework for the management and control of CybeRisk that will bridge the gap in the literature regarding the understanding and consideration of CybeRisk as an integral part of business management. The IT function has a strong relevance in the management of CybeRisk, which is perceived mainly as operational risk, but with a positive tendency on the part of risk management to the identification of CybeRisk assessment methods that are increasingly complete, quantitative and able to better describe the possible impacts on the business. The paper provides answers to the research questions: Is it possible to define a CybeRisk governance structure able to support the comparison between risk and security? How can the relationships between IT assets be integrated into a cyberisk assessment framework to guarantee a system of protection and risks control? From a methodological point of view, this research uses a case study approach. The choice of “Monte dei Paschi di Siena” was determined by the specific features of one of Italy’s biggest lenders. It is chosen to use an intensive research strategy: an in-depth study of reality. The case study methodology is an empirical approach to explore a complex and current phenomenon that develops over time. The use of cases has also the advantage of allowing the deepening of aspects concerning the "how" and "why" of contemporary events, on which the scholar has little control. The research bases on quantitative data and qualitative information obtained through semi-structured interviews of an open-ended nature and questionnaires to directors, members of the audit committee, risk, IT and compliance managers, and those responsible for internal audit function and anti-money laundering. The added value of the paper can be seen in the development of a framework based on a mapping of IT assets from which it is possible to identify their relationships for purposes of a more effective management and control of cyber risk.





References:
[1] Clusit - Associazione Italiana per la Sicurezza Informatica, Rapporto Clusit 2018 sulla sicurezza ICT in Italia, 2018
[2] J. G. March, and Z. Shapira, “Managerial perspectives on risk and risk taking,” Management science, Vol. 33, no 11, pp. 1404-1418, 1987.
[3] K.J Arrow, Aspects of the Theory of Risk Bearing. Helsinki: Yrjo Jahnssonis Saatio, 1965.
[4] J. W. Pratt, “Risk Aversion in the Small and in the Large,” Econometrica, Vol. 32, pp. 122-136, 1964.
[5] G. Bansal, “Distinguishing between Privacy and Security Concerns: An Empirical Examination and Scale Validation,” Journal of Computer Information Systems, Vol. 57, pp. 330-343, 2017.
[6] D. L. Goodhue, and D. W. Straub, “Security concerns of system users: a study of perceptions of the adequacy of security,” Information & Management, Vol. 20, no. 1, pp. 13-27, 1991.
[7] A. Mukhopadhyay, D. Saha, B. B. Chakrabarti, A. Mahanti, and A. Podder, “Insurance for Cyber-risk: A Utility Model Decision,” Decision Support Systems , Vol. 32, no. 1, pp. 153-169, 2005.
[8] H. Öğüt, S. Raghunathan, N. Menon, “Cyber security risk management: public policy implications of correlated risk, imperfect ability to prove loss, and observability of self-protection,” Risk Analysis, Vol. 31, no. 3, pp. 497–512, 2010.
[9] CPMI-IOSCO, Guidance on cyber resilience for financial market infrastructures. Bank for International Settlements and International Organization of Securities Commissions, 2015.
[10] N. S. Safa, R. Von Solms, and S. Furnell, “Information security policy compliance model in organizations,” Computers & Security, Vol. 56, pp. 70-82, 2016.
[11] C. Biener, M. Eling, and J.H. Wirfs, “Insurability of Cyber Risk: An Empirical Analysis,” Working Paper of Finance, University of St. Gallen, no. 3, 2015.
[12] Deloitte, Modelli di governance dei rischi cyber e raccomandazioni di sviluppo per le aziende. Milano 2016.
[13] J. L. Hieb, “Cyber security risk assessment for SCADA and DCS networks,” ISA Transactions, Vol. 46, pp. 583-594, 2007.
[14] A. Hoffmann, and H. Ramaj, “Interdependent risk networks: the threat of cyber attack,” International Journal of Management and Decision Making, Vol. 11, no. 5/6, pp. 312-323, 2011.
[15] K. S. Hong, Y. P Chi, L. R. Chao, J. H. Tang, “An integrated system theory of information security management,” Information Management & Computer Security, Vol. 11, no. 5, pp. 243-248, 2003.
[16] P. Ifinedo, D. Olsen, “An Empirical Research on the Impacts of organisational decisions’ locus, tasks structure rules, knowledge, and IT function’s value on ERP system success,” International Journal of Production Research, Vol. 53, no. 8, pp. 2554-2568, 2015.
[17] R. Keyun, “Introducing cybernomics: A unifying economic framework for measuring cyber risk,” Computers & Security, no. 65, pp. 77–89, 2017.
[18] National Institute of Standards and Technology, Framework for Improving Critical Infrastructure Cybersecurity. 2017. www.nist.gov/cyberframework
[19] J. F. V. Niekerk, R. V. Solms, “Information security culture: a management perspective,” Computers & Security, Vol.17, pp. 476-486, 2010.
[20] PricewaterHouseCoopers, Enhancing business resilience: Transforming Cyber risk management through the role of the Cief Risk Officer (CRO). 2015. www.pwc.com/financialservices
[21] H. Stewart, J. Jürjens, “Information security management and the human aspect in organizations,” Information & Computer Security, Vol. 25, no. 5, pp. 494-534, 2017.
[22] S. Kaplan, B. J. Garrick, “On the quantitative definition of risk,” Risk Analysis, Vol. 1, no 1, pp. 11–27, 1981.
[23] S. Hoo, How much is enough? A risk-management approach to computer security. CA: Stanford University, 2000.
[24] NIST, Risk management guide for information technology systems.National Institute of Standards and Technology (NIST). 2002.
[25] Z. Ramadan, “The gamification of trust: the case of China’s “social credit,” Marketing Intelligence & Planning, Vol. 36, no. 1, pp. 93-107, 2018.
[26] M.C. Arcuri, M. Brogi, and G. Gandolfi, “Ciber risk in the financial industry, the market reactions,” Bancaria, Vol. 4, pp. 35-49, 2017.
[27] A. Abbott, Methods of Discovery: Heuristics for the Social Sciences. New York: W.W. Norton, 2004.
[28] Commissione Europea, Resilienza, deterrenza e difesa: verso una ciber sicurezza forte per l’UE. Comunicazione congiunta al parlamento europeo e al consiglio, 13 dicembre 2017.
[29] EBA (a), Risk Dashboard data as of Q2 2017. European Banking Authority, 2017.
[30] EBA (b), Guidelines on ICT Risk Assessment under the Supervisory Review. European Banking Authority, 2017.
[31] G7 (a), Foundamental elements of cybersecurity for the financial sector. ottobre 2016
[32] G7 (b), Foundamental elements for effective assessment of cybersecurity for the financial sector. ottobre 2017.
[33] Banca d'Italia (d), Disposizioni di Vigilanza per le banche, to the 16th update of 285/13. Banca d’Italia , 2013.
[34] Banca d'Italia (b), Linee guida per la definizione di una metodologia di analisi del rischio informatico e di un processo di gestione del rischio informatico. Support Project adjustment to the 15th update of 263/06 - new information technology and business continuity – September 2014.
[35] Banca d'Italia (c), Policy di Metodologia di analisi del rischio Informatico, Risk Analysis methodology - Support Project adjustment to the 15th update of 263/06 - new information technology and business continuity - January 2014.
[36] Banca d'Italia (a), Nuove disposizioni di vigilanza prudenziale per le banche. Circolare n. 263 del 27 novembre 2016, www.bancaditalia.it
[37] EBA (c), Guidelines on the security measures for operational and security risks of payment services under Directive (EU) 2015/2366 (PSD2). European Banking Authority, 2017.
[38] CIS Sapienza and CINI, Italian Cyber Security Report. Un report nazionale per la cyber security. Roma 2015, www.cybersecurityreport.com