ISACA Journal
Volume 5, 2,016 


Preparing Financial Firms for Cybersecurity Threats and Protecting Their Reputations 

Peter Tessin, CISA, CRISC, CGEIT 

It is difficult to deny the impact of cyber security threats on businesses worldwide. In 2015, the average total cost of a data breach (including customer turnover, reputation losses and damaged goodwill) was US $3.79 million, up from US $3.52 million in 2014.1 In the first five months of 2016, nearly 320 million records were breached; among those breaches, 11.37 percent occurred in financial firms.2 Although 23 percent of the breaches that occurred through the first five months of 2016 were due to accidental loss, those are far outweighed by malicious acts by outsiders (58 percent), insiders (14 percent), and nation-states and hacktivists (2 percent each).3

As these statistics indicate, all businesses—including financial firms—must make a concerted effort to prepare for cyber security incidents. Strict attention to governance and business continuity is integral to organizational preparedness. This article provides insight into using governance to help financial firms prepare for cyberthreats and mitigate reputational damage if and when an attack occurs.

Cyber security breaches are increasingly causing large-scale, detrimental business impact throughout the world, including business disruption, revenue loss, damage to assets, reputational damage and information exposure. Financial firms (e.g., broker dealers, investment advisors) rely heavily on the strength of their reputation, without which attracting significant investors would be nearly impossible. If client data are compromised, the firm might find it has a difficult time convincing clients that future breaches will not occur which, in turn, undermines trust in the institution and potentially erodes future business.

It stands to reason, then, that financial firms should protect themselves from such breaches. A white paper titled Financial Firms Face Further Scrutiny of Their Cybersecurity Practice: Is Your Firm Ready?4 identified several areas where financial firms are not meeting the key requirements of the US Security and Exchange Commission’s (SEC) Office of Compliance Inspections and Examinations (OCIE). In that paper, the OCIE found that 88 percent of broker-dealers and 74 percent of advisors had experienced a cyberattack and had numerous deficiencies in their cyberpreparedness.

On 15 September 2015, the OCIE issued a risk alert that detailed expanded tests of procedures and controls that are focused on cyber security efforts. The areas of focus for these examinations are: governance and risk assessment, access rights and controls, data loss prevention, vendor management, training, and incident response.

Historically, some financial firms have had little internal IT infrastructure, preferring to use third parties to provide needed IT capabilities. That can be a sound approach to risk management, along with insurance, so long as the ultimate accountability for incidents remains with the firms. Therein lies the rub. If IT resources are outside the firm, it becomes increasingly difficult for internal staff to keep abreast of what is happening and to understand the complexities. This leads to an ever-increasing lack of IT capability within the firm—potentially rendering it easy prey for cybercriminals.

Another issue publicly held firms need to pay attention to is proposed US legislation to require disclosure of cyber security expertise on corporate boards.5 If this expertise does not exist, companies will need to explain why. The objective of the bill is to strengthen and prioritize cyber security at publicly traded firms. Chief compliance officers (CCOs) would be personally responsible for damages resulting from cyber security breaches. Clearly, if this is passed and becomes US law, organizations will need to address the requirements by integrating cyber security into corporate governance structures.

Integrating Cyber security Into Corporate Governance?

Fundamentally, governance is a systematic process of evaluating stakeholder needs, directing management and monitoring the results of management to ensure stakeholder needs are met. That is a bit of an oversimplification, of course, but the point is that, conceptually, governance is not that complicated.

A well-designed governance structure provides enterprise management with visibility into IT resources and their intended purpose. It also helps to identify what key practices can be put in place to ensure a comprehensive structure is operating within the firm. COBIT 5,6 the leading framework for governance of enterprise IT (GEIT), can be used as a model to describe governance elements pertinent to cyber security similarly to how it does for other IT activities. Accomplishing that is not rocket science, but it can be a useful way to ensure that cyber security is addressed systematically and systemically.

The first step in designing a governance structure requires an analysis of stakeholder (e.g., management committee) requirements and a comprehensive risk assessment. This ensures that the governance structure created will accurately reflect the enterprise’s needs, opportunities and potential challenges. That structure will then aid in identifying business and IT-related goals. The use of a well-designed governance structure ensures effective creation and alignment of goals. COBIT 5 uses its goals cascade, which starts with stakeholder requirements and devolves them into organization goals that, in turn, precipitate IT-related goals. Aside from stronger compliance and cyber security positioning, the organization will likely find that it has greater efficiency and effectiveness in the utilization of its resources as a result of using the goals cascade process to design its governance structure.

After the IT-related goals are identified, they must be supported by various resources, or enablers. Any activity that falls outside of this mapping can be called into question. COBIT 5 identifies seven categories of enablers. They are:

  1. Principles, policies and frameworks
  2. Processes
  3. Organizational structures
  4. Culture, ethics and behavior
  5. Information
  6. Services, infrastructure and applications
  7. People, skills and competencies

Each of the enablers is used to provide resources to accomplish the IT-related goals, thus satisfying the organization goals and contributing to the overall achievement of compliance and delivering value to stakeholders.

One of the outputs of performing the COBIT 5 goals cascade is the identification of roles against specific processes. This is where who is accountable for a process and who is responsible for it is determined. Organizations may also determine who needs to be informed or consulted in each process. This step creates immediate visibility into compliance issues and facilitates rapid resolution of any imbalances identified between requirements and resources. The output of the goals cascade will go a long way toward generating evidence that written policies and procedures exist to reasonably protect the security and confidentiality of client personally identifiable information (PII) and preventing unauthorized access.

Global events can play into governance plans as well. One of the enablers financial firms use to deliver value to their stakeholders is “people, skills and competencies.” Many firms have intimate ties to banks and other firms in London, England. With the departure of the UK from the EU,7 there may be follow-on effects with respect to resources in London-based offices. The UK has long been dealing with a shallow resource pool for IT skills, the so-called digital skills crisis.8

If IT professionals in London are compelled to leave the UK (if their visas do not permit them to stay in a non-EU country), then offices in London will be working to replace skills and knowledge residing with those employees and contractors. This change in EU membership represents a potential increase in vulnerability to financial firms with UK-based operations. One aspect of preparing for cyber security threats for firms with operations in the UK will be to ensure that their human resource plans account for potential turnover in key IT roles caused by Brexit.

A good governance structure can assist in identifying threats, actors and risk management activities to prevent, detect and correct issues resulting from cyber security incidents. An effective approach is to start with a risk assessment and then plan a governance structure that is designed to deliver value to stakeholders while simultaneously providing the firm with the capability to demonstrate its preparedness to defend against cyber security threats. COBIT 5 can assist at every stage of the process.


1 Ponemon Institute, 2015 Cost of Data Breach Study: Global Analysis, 2015,
2 Gemalto, Breach Level Index (BLI),
3 Ibid.
4 External IT, Financial Firms Face Further Scrutiny of Their Cybersecurity Practices: Is Your Firm Ready?, white paper, 3 November 2015,
5 Jack Reed, US Senator for Rhode Island, “Reed, Collins Seek to Prioritize Cybersecurity at Public Companies Through SEC Disclosures,” press release, 17 December 2015,
6 ISACA, COBIT 5, USA, 2012,
7 Sald-Moorhouse, L., et al; UK Referendum: Latest Updates,, 25 June 2016,
8 UK Parliament, “Digital Skills Crisis,” House of Commons Science and Technology Committee, Second Report of Session 2016-17, 7 June 2016,

Peter Tessin, CISA, CRISC, CGEIT
Is a technical research manager at ISACA where he has been project manager for COBIT 5 and has led the development of other COBIT 5-related publications, white papers and articles. He also played a central role in the design of the COBIT online web site. Prior to joining ISACA, Tessin was a senior manager at an internal audit firm where he led client engagements and was responsible for IT and financial audit teams. Previously, he worked in various industry roles including staff accountant, application developer, accounting systems consultant and trainer, business analyst, project manager, and auditor. He has worked in many countries outside of his native US including Canada, Mexico, Germany, Italy, France, the United Kingdom and Australia.


Add Comments

Recent Comments

Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and from opinions endorsed by authors’ employers or the editors of the Journal. The ISACA Journal does not attest to the originality of authors’ content.