Cybersecurity threats to the banking industry are increasing and require an effective approach to model risk management.
Cybersecurity issues have driven authorities in Europe and the US to issue notifications to financial institutions to strengthen practices, remain vigilant and demonstrate resilience. The sooner banks start their journey and establish cybersecurity solutions the quicker they will be able to manage risk and establish controls, the European Central Bank announced.
With cyber attacks becoming more frequent and increasingly sophisticated, financial institutions are using more analytical solutions and tools to analyse and mitigate cyber threats. As the use of cyber models grows, so too do the risks related to the design and use of those models. This is why the focus on model risk management (MRM) for cybersecurity solutions is on the rise, in an effort to identify key risks in organizational cyber solutions and to help mitigate them. MRM monitors risks from potential adverse consequences of decisions based on incorrect or misused models.
The first step of MRM is to identify the use of these analytical tools and include them in the model inventory. Financial institutions across the globe are adding cybersecurity solutions to their model inventory, with banks in North America leading the way compared with banks in Europe, the Middle East, and Africa (EMEA).
According to a 2021 McKinsey survey, 70 per cent of the respondent banks in North America are aiming to include cyber risk model types into the scope of MRM governance. On the other hand, 38 per cent of the respondent banks in the EMEA region have plans to include cyber risk model types in the MRM scope.
Cybersecurity solutions are used in banking for the following three priorities: safeguard web and mobile applications, identify risk exposure, and review existing cyber defences.
Safeguard web and mobile applications. Cybersecurity solutions are required to fulfil a set of objectives including detection and prevention of intrusions, data and messaging security, and access management. A range of solutions from advanced analytics (for example, ML) to rule-based approaches (for instance, expert-driven non-models) can be leveraged to fulfil these objectives.
Identify risk exposure. To measure the risk, organizations start by qualitatively creating a catalogue of cybersecurity risk areas the organization is exposed to. Next, risk is simulated across a range of scenarios and compared against the risk appetite of the organization. Then, controls are designed and identified to mitigate or reduce risk.
Review existing cyber defences. Finally, with the dynamic nature of cybersecurity, banks need to periodically review and challenge existing cybersecurity defences. To achieve this, certain tools and solutions are used to simulate an attack to identify system vulnerabilities. Qualitative approaches are used to set up a review and challenge framework around the cybersecurity landscape. In addition, a security incident process is established to investigate potential cyber attacks and act as a feedback loop
The importance of model risk management of cybersecurity solutions is now clear and will only continue to grow in the future. Banks have begun to understand the cyber analytics landscape and customize their MRM standards to incorporate the specifics of cyber solutions. The sooner banks start their journey and establish an effective approach, the quicker they will be able to manage risk and establish controls.
