The European Central Bank (ECB) concluded its first Cyber Resilience Stress Test in July 2024. The exercise entailed testing the ability of 109 regional and global banks operating in the EU to respond and recover to a “severe but plausible” cybersecurity incident. The exercise involved a fictitious scenario in which the databases of each organization’s core banking system were successfully compromised by an attacker.
Until now, the ECB’s stress tests have focused on banks’ resilience and ability to stay afloat in the face of financial and economic shocks. However, a surge in cyber incidents reported to the ECB over the last couple of years has focused its attention on digital and cyber risk; so much so that it’s now one of the bank’s top supervisory priorities, alongside macro-financial, geopolitical and environmental risks.
Tackling Cyber Risk
The results of the ECB Cyber Stress Test revealed that, while banks generally had response and recovery frameworks in place, several important areas still require improvement. Some key domains called out—such as business continuity and third-party risk—are neither new nor revelatory, yet they are continually being emphasized. Why? Because of their importance and prevalence in terms of the risks they represent, as well as the complexity of mitigating those risks (not least because it requires significant cross-silo collaboration and effort beyond cyber and technology teams to include business resilience and third-party/outsourcing functions). Regulators are aware of these challenges, as are most organizations. Yet for many, robust and sustainable solutions to manage the associated risk are still lacking.
So where do organizations start? The reality is there is no beginning or end to cyber risk management. It’s a continual process and discipline that requires a combination of structure and flexibility to adapt to emerging threats and business-specific risks. Structure often comes to the fore on the proactive and preventive side, as a form of enterprise risk management; for example, knowing, documenting and evaluating your key cyber risks and the critical processes and assets they can impact, and formulating strategies, treatment and transformation plans accordingly. Flexibility takes on particular importance with detection and response/recovery; for example, enhancing and testing your organization’s ability to identify, respond to and recover from inevitable cyber incidents and data breaches as and when they occur.
Each capability and control implemented—be it proactive/preventive, detective or responsive/recovery-related in nature—typically requires a blend of people, process and technologies to be fully effective. These controls also require good governance and metrics to provide ongoing assurance that they’re working properly and delivering return on investment—and identify when they are not. Deming’s much-quoted line “If it can’t be measured, it can’t be managed” is applicable here. This is a never-ending process that’s bolstered by regular, auxiliary activities such as security assessments, audits, penetration tests, red-teaming and tabletop exercises.
The Many Faces of Cyber Risk
Cyber risk management is complex and multifaceted. Organizations are affected by different levels and types of risks depending on myriad factors, including business operations, brand, technologies, supply chain, geographical footprint and, of course, current security posture and maturity. There are also different areas—and corresponding suites of controls—that need to be shored up in parallel (attackers will, after all, target the weakest link in the chain), which can be categorized into three broad domains: proactive/preventive, detection and response/recovery.
This is further complicated by the reality that organizations are constantly expanding and evolving. Strategies are routinely updated and companies are acquired or divested, while innovative technologies such as AI, blockchain and quantum computing are continually being developed and implemented to keep up with—or ahead of—the pack. Increased digitalization, remote work and cloud adoption—key initiatives that often support these endeavors—are simultaneously shifting and dissolving the boundaries of organizations’ networks, resulting in a perimeter (read: attack surface) that’s difficult to define and thus defend.
Even more complexity is introduced by the threat landscape, which consists of an endless array of nefarious actors using and developing different tactics, techniques and technologies (including AI, crypto and, in the future, quantum computing) to steal data or money or simply cause operational disruption and/or reputational damage. Some are affiliated with nation-states with geopolitical motivations; many are cybercriminals with financial and/or fraudulent objectives; and others, less sophisticated and more opportunistic in nature, are persistently scanning for vulnerabilities to exploit.
Simplify the Complex With Kroll’s Cyber Risk Retainer
To cater to this complexity, and the reality that no two businesses are the same, Kroll has developed a comprehensive cyber risk retainer to support and streamline organizations’ endeavors to protect themselves now, while shoring up their security posture and maximizing the value of their investments over time.
The retainer is founded on Kroll’s 24 hours a day, 7 days a week, 365 days a year incident response and forensic support services. As the world’s leading incident response provider, responding to thousands of incidents a year, our team of elite experts respond to, contain and remediate incidents.
The Kroll cyber retainer delivers added value and flexibility by allowing organizations to use credits across our full suite of cyber services. Configurable to your needs and environment, regardless of the technologies in use, the retainer includes proactive support such as designing and implementing a multi-year cybersecurity strategy as well as more focused initiatives and assessments that span proactive/preventive, detection and/or response/recovery. The retainer enables companies to identify and prioritize the key areas they would like to assess and enhance within their security program and bring in Kroll services to support as needed.
To further enhance this offering, Kroll has recently expanded its retainer menu to include additional and related offerings from complementary service lines, including enterprise security risk management and business continuity. These offerings enable your organization to leverage the full strength of Kroll’s cross-service line capabilities to holistically address its needs, all under a simple, upfront pricing and service structure.