6 Tips for Aligning ERM & Cybersecurity
Financial institutions aren’t the only organizations constantly evaluating their cybersecurity. As we were reminded in December with the SolarWinds breach (which enabled Russian hackers to infiltrate the Treasury and Commerce departments’ email systems), government agencies are also targets that need to manage cyber risk, and they could benefit from enterprise risk management (ERM).
A July 2019 Government Accountability Office (GAO) report found that half of the agencies it reviewed didn’t look holistically at cyber risk across the agency. Since then, the GAO has said “ensuring the cybersecurity of the nation” is a high-risk area that has regressed since 2019.
Now a working group of The Partnership for Public Service, a nonprofit, nonpartisan organization that strives for a more effective government for the American people, and Deloitte has issued six suggestions for how government agencies can better integrate ERM into cybersecurity. It’s in the report Better Together: How Integrating Enterprise Risk Management Can Strengthen Federal Cybersecurity.
While these tips are directed at the federal government, they are valuable cybersecurity best practices that can benefit organizations including banks, credit unions, mortgage companies, and fintechs, among others.
1. Speak the same language. People can’t collaborate to identify, assess, measure, mitigate, and monitor cyber risks if they aren’t using common terminology. Make sure everyone, including the board, management, and technical staff, uses the same terms so they can communicate clearly and understand each other.
2. Information should be actionable. Cyber risk assessments are useless if they are academic exercises and nothing is done with the results. Information about cyber risks should be analyzed and then shared across the organization. In practice, that means using assessments to identify high-risk areas, then developing and monitoring controls to mitigate that risk.
3. Leadership, risk management, and IT need to collaborate. ERM and cybersecurity should use the same risk assessments, the same rating scale, and interconnected processes, and they should communicate regularly. If there is a change in the cybersecurity posture, that risk should be communicated across functional areas.
4. Incorporate risk appetite and risk tolerance. IT should be aware of the risk appetite and risk tolerance set by the board and use it as a guidepost when assessing cybersecurity risk. It will help them understand which risks are acceptable to the institution and which aren’t.
5. Cybersecurity and ERM tools should be connected. Communication and strategic decision making go a lot smoother when those in charge have access to the most recent and relevant information. Information about cyber risk should tie into and impact risk assessments of other areas such as vendor management.
6. Examine risks at all levels. It’s not enough for each area of an institution to evaluate the risks it faces. All risk management data needs to be brought together to paint a complete picture of risk at the institution.
For more information on cybersecurity best practices and other trends affecting risk management in 2021, we invite you to check out our on-demand webinar.