Islands versus Continents


Executive Summary

To retain competitive standing in the volatile cyber domain, we need to orient our risk thinking and include cyber risk faced by our clients in our risk strategy. Broadening our cyber eco-system from “island” thinking to “continent” thinking has not been considered in any peer organization and would set a new exemplar standard.

This brief paper outlines the context, the challenges for financial institutions (FIs), and an industry-leading way forward that builds on our existing client and supplier relationships while serving them in a new way: one that reduces risk to Citi and strengthens the trust and value in those relationships.

The Context

Maturation of cyber security and assessed risks across organizations has resulted in the development of digital ecosystems – with internal interdependent organizations, datasets, and functions as islands in relative isolation. FIs, clients and supplier organizations operate in a similar fashion, with information sharing on a limited basis within appropriate channels and organizations.

According to the 2019 Ponemon Cost of Data Breach study, the probability of an organization being breached is 29.7%, and a breach costs the victim US$3.92M on average. If an organization has roughly 55k clients and suppliers, the expected aggregate loss across that ecosystem exceeds US$65B if the averages remain constant.

Unfortunately, we are seeing a steady increase in the number of compromises: the percentage of organizations breached has risen by a third within the six years examined in the Ponemon report. The risk of significant losses to cybercrime is present and growing, requiring a new paradigm for risk surfacing, assessment, prevention and mitigation.

The Challenge

For every client or supplier compromised in a cyber incident, a bank loses money.

Indirectly, a bank loses money through interruption of service from affected clients and suppliers and through the recovery efforts that follow, including third-party incident response, compounded by an average US$1.42M in lost business and 3.9% average customer turnover.

Directly, a bank loses money on the resources spent assessing event details, potential risks, and control decisions with incomplete data. Neither the direct nor the shared resources in our businesses calculate the costs incurred and hours used, because these efforts are event-driven and have no deliverable to measure against.

Further, cybersecurity is treated as an acceptable overhead that merely delays an inevitable loss. We factor cybersecurity into loss estimates and insurance policies but fail to consider its potential as an opportunity for strategic growth.

The Proposed Path Forward

Reducing cyber risk and loss requires culture shifts inside and established trust outside.

Building a shared framework of preventative cyber security measures would offer greater clarity and reduce risk and loss for FIs, clients and suppliers alike. This will require us to incorporate client and supplier considerations and inputs into our business continuity planning. It would help us identify and alert clients and suppliers to potential disruption of their products and services before an event occurs, and help them understand what to expect if disruption does occur. Such support would foster deeper trust, leading to mutual inclusion in each other's business continuity planning.

Raising understanding of cyber threats across our supplier and client ecosystem could further reduce the probability of victimization. By recursively sharing collected, non-proprietary information with both clients and suppliers, we raise the baseline knowledge of our connections. The shared data may be nothing new to well-resourced clients; however, it may well be useful for less affluent clients. The practice of openly sharing non-proprietary data creates trust and communication channels, giving other organizations a venue to share findings that are absent from our communications or that are hitting their own network defences. Automated sharing could reduce risk by increasing the number of deflected compromise attempts, leading to a stronger overall security posture throughout our connections.

Many other opportunities exist and await exploration. Both efforts outlined here would shift the culture toward a purpose of helping others, charting an area no one else in our industry has undertaken. Giving employees a cause to believe in, with positive results, can break new ground, and setting unprecedented standards helps shift mindsets: emerging from isolated “islands” to create a “continent” cyber ecosystem.