Organizations, regardless of their service offerings or sector, are fundamentally exposed to risk because of their business processes. This unavoidable exposure – or “inherent risk” – applies to all entities, whether they are privately owned businesses or government-mandated organizations. Understanding the nuances of your business is crucial to recognizing the cyber risks related to the services you offer.
For instance, financial transactions and the handling of personally identifiable information constitute significant aspects of many organizations, and both bring inherent risks with them. If we examine, for example, a pension fund that provides services to active contributors and retired individuals, a broad spectrum of risk is dispersed across the entity.
Pension funds are usually recommended or required to conduct an annual actuarial assessment. This exercise involves meticulous scrutiny of various components like contributions, membership composition, and investment returns to determine funding levels. As pension funds supply this information to the actuary, they also inherit the third-party risk based on the actuary’s risk mitigation capabilities.
Similarly, pension funds that deal with investment managers are exposed to third-party cyber risk. If these investment managers lack strong cyber controls, assets could inadvertently end up in the hands of threat actors (as we have written about in detail here). Likewise, providing member self-services, such as allowing members and annuitants to access information electronically, apply for loans, or update beneficiaries, could also expose organizations to cyber threats.
Of course, the issue of third-party risk is not unique to pension funds but is inherited by any organization receiving external services. So, how can organizations effectively manage this risk?
Watching the news and worrying or reacting to the latest security breach is not a preventative risk management strategy. Instead, developing a comprehensive risk management and mitigation approach is a more proactive solution. This process begins with a detailed risk assessment to determine the current likelihood of threats based on an organization's policies and operational activities.
Next, organizations should evaluate potential mitigation strategies. These could include implementing risk management controls that are aligned with recognized risk management standards, transferring risk to other organizations through insurance or another means, or avoiding certain risks altogether. For example, an organization might opt not to offer a service that exposes it to risk, such as refunds through a member self-service portal, unless a mitigation strategy such as strong identity management capabilities is in place.
After risk assessment and mitigation, the next critical step is continuous risk management. This ongoing process involves regularly reviewing and updating risk management strategies and practices to reflect evolving threats and organizational changes.
Understanding your business's inherent risk and cyber threats associated with its operations is vital. However, merely understanding isn't enough. Implementing a holistic risk management approach, which includes risk assessment, risk mitigation, and continuous cybersecurity governance, is essential to navigating the terrain of inherent risk. Remember, the goal is not to eliminate all risk – an impossible task – but to manage it effectively, maintaining a balance between security and operational effectiveness.