Proposed Cybersecurity Regulations for Banking Agencies: Approach to Quantifying Cyber Risk of Section

The Federal Reserve’s Enhanced Cyber Risk Management Standards, drafted in October 2016, provide an updated set of standards to help entities in the financial sector reduce their cyber liability. These measures will support the development of risk reduction, prevention, and recovery plans for potentially devastating cyber attacks. However, before an entity can effectively reduce its cyber risk, it must first be able to measure that risk. In the final section of the proposal, the Federal Reserve outlines an approach to developing a cyber risk quantifier, which would be an invaluable tool for covered entities assessing how effectively they manage cyber liability.

Building a Consistent Methodology

The Federal Reserve asks that agencies develop a measure of cyber risk that is both consistent and repeatable for entities across the financial sector. At the time of writing, the agencies were not aware of any existing measure that could be applied across the financial sector, so they are seeking feedback on potential quantifiers. The ideal methodology would provide a quantifiable measurement of inherent, residual, and potential cyber risk, would be applicable to entities across the financial sector, and would allow those entities to be compared with one another.

Using Existing Methodologies

The agencies are considering building on existing risk-measurement methodologies to develop a comprehensive methodology for their covered entities. One such methodology is the FAIR Institute’s Factor Analysis of Information Risk standard, which is presently the standard Value at Risk (VaR) framework for both operational and cyber risk. The standard helps risk, cybersecurity, and business executives quantify, manage, and report on information risk, and is used primarily in the business sector. Another existing methodology is Carnegie Mellon’s Goal-Question-Indicator-Metric process, which helps organizations derive and measure indicators that support their business goals through goal-driven measurement. Together these approaches provide a solid foundation for a methodology that measures cyber risk specifically, consistently, and repeatably.
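To make the VaR idea concrete, here is an added example, written for this post rather than taken from the FAIR Institute, the Federal Reserve, or any tool the agencies mention. It is a deliberately simplified FAIR-style calculation: a loss scenario is described by three-point estimates (minimum, most likely, maximum) of threat event frequency, vulnerability (the probability that a threat event becomes a loss event), and loss magnitude; a Monte Carlo simulation turns these into a distribution of annual losses, from which an expected loss and a 95th-percentile VaR are read off. Applying a control that reduces vulnerability gives the residual-risk view alongside the inherent one. The scenario name, the estimate values, and the 75% vulnerability reduction are all constructed for illustration and are not figures from the proposal.

```python
import math
import random
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    """Three-point (min, most likely, max) estimates for one cyber loss scenario.
    Values are constructed for illustration only."""
    name: str
    tef: tuple            # threat event frequency, events per year
    vulnerability: tuple  # probability a threat event becomes a loss event
    loss: tuple           # loss magnitude per loss event, in USD


def point_estimate(s: Scenario) -> float:
    """Deterministic annualized loss using only the most-likely values:
    threat event frequency x vulnerability x loss magnitude."""
    return s.tef[1] * s.vulnerability[1] * s.loss[1]


def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's Poisson sampler; adequate for the small event rates used here."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate(s: Scenario, trials: int = 20000, seed: int = 7) -> list:
    """Monte Carlo: one simulated year per trial, returning total loss per year."""
    rng = random.Random(seed)
    yearly = []
    for _ in range(trials):
        tef = rng.triangular(s.tef[0], s.tef[2], s.tef[1])
        vuln = rng.triangular(s.vulnerability[0], s.vulnerability[2], s.vulnerability[1])
        events = _poisson(rng, tef * vuln)  # loss event frequency for this year
        yearly.append(sum(rng.triangular(s.loss[0], s.loss[2], s.loss[1])
                          for _ in range(events)))
    return yearly


def summarize(yearly: list) -> dict:
    """Expected annual loss plus the loss not exceeded in 95% of simulated years (VaR95)."""
    ordered = sorted(yearly)
    n = len(ordered)

    def pct(q: float) -> float:
        return ordered[min(n - 1, int(q * n))]

    return {"mean": sum(ordered) / n, "median": pct(0.5),
            "var95": pct(0.95), "max": ordered[-1]}


def apply_control(s: Scenario, vuln_reduction: float) -> Scenario:
    """Residual scenario: a control scales vulnerability down by vuln_reduction
    (0.75 means 75% fewer threat events succeed). Hypothetical effect size."""
    factor = 1.0 - vuln_reduction
    return replace(s, name=f"{s.name} (residual)",
                   vulnerability=tuple(v * factor for v in s.vulnerability))


# Constructed sample scenario (not from the proposal or any real assessment).
INHERENT = Scenario("phishing-led credential compromise",
                    tef=(6, 12, 24),
                    vulnerability=(0.15, 0.30, 0.50),
                    loss=(10_000, 50_000, 250_000))
RESIDUAL = apply_control(INHERENT, 0.75)


def compare(trials: int = 20000, seed: int = 7) -> dict:
    """Inherent vs. residual annual loss statistics for the sample scenario."""
    return {"inherent": summarize(simulate(INHERENT, trials, seed)),
            "residual": summarize(simulate(RESIDUAL, trials, seed))}


if __name__ == "__main__":
    for label, stats in compare().items():
        print(label, {k: round(v) for k, v in stats.items()})
```

The point of the comparison is the one the proposal is after: both views come from the same repeatable procedure, so two entities that agree on the estimation inputs and the simulation settings get comparable numbers, and the gap between the inherent and residual distributions is a measurable statement of how much a control is worth.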

About FGIB

Since 1983, Financial Guaranty Insurance Brokers has distinguished itself as a provider of Professional Liability, Cyber Liability, and Crime insurance products for financial entities, in addition to providing crime insurance and general business insurance products to firms across the United States. To receive timely, personalized service from a knowledgeable and experienced staff, call us today at (877) 485-4413 to speak with one of our professionals.