The CRO-CISO Waltz: The Adjoining of Cybersecurity and Operational Risk Management in FIs

The increasingly complex regulatory environment, along with ongoing technological gains largely propelled by the new emerging industry of fintech, have transformed the very nature of financial fraud and given rise to a new breed of adversary more technologically advanced than in decades past. Over the past two decades, the chief risk officer (CRO) and chief information security officer (CISO) fought different foes on disparate fronts. However, the change in adversarial motives in the cybercrime epoch while still harboring the same anomie has evolved from website defacements over the last 20 years to a US$1.5 trillion global shadow economy equal to the gross domestic product (GDP) of Russia that trades in data as the new commodity—now more valuable than oil. If cybercrime was a country, it would have the 13th highest GDP in the world.

This requirement for unification between the two silos is bringing together two sides of the corporate isle in financial institutions (FIs)—operational risk management and cybersecurity. Over the last few years, the first studies that change the global perspective of cybercrime as a marketplace in which entropy reigns supreme to a well-organized, autonomous system of negentropy fueled by revenue flow and profit distribution in a well-funded global economy have begun to surface.

The role of the CRO is to maintain a risk register based on the identified applicable laws and regulations, fraud schemes, and anti-money laundering concerns. His or her job is to assist in the execution of the corporate compliance, fraud, and Bank Secrecy Act (BSA) risk assessments by identifying key risks and assessing mitigating controls to determine the risk profile of the organization. Ultimately, her role in the organization is to track the progress of remediation of control weaknesses identified by internal audits or control assessments, monitor the risk profile of the company and develop and monitor key risk indicators, identify emerging risks, coordinate and analyze the collection of risk information, and develop and maintain policies and procedures.

While the CRO is responsible for the macro view across the total landscape of operational risk management, the CISO is responsible for managing risk within his or her domain of IT and managing vulnerabilities in the company’s IT on-premises and cloud infrastructures. Much like the CRO, the CISO has purview over IT risk assessments, internal and external audits, compliance, and technological and administrative control assessments and monitoring. While this may be a morass, understand that while these sound similar, they are different. As a matter of fact, both roles historically reported to different individuals in the C-suite.

Historically, the CISO reported to the chief information officer due to the historical belief that it was a technology-focused role. Some organizations—in my view—mistakenly have the CISO report to the chief technology officer, which is something I hope is quickly becoming a dying practice. However, as the CISO position has evolved and the court of public opinion has weighed in on cybersecurity no longer being viewed as a technology problem, more organizations are moving the CISO reporting structure lines to the CRO, shifting the world view of cybersecurity for the CISO to a risk-based lens rather than purely technological.

Because cybersecurity is a people problem, this requires the CISO to sit at the same dinner table as the rest of the C-suite and have a seat in the board room. Read more on this systemic gap in the C-suite reporting structure in a recent article I was quoted in by Brian Krebs on this very issue.

Historically, adversaries on the fraud and cybersecurity side of the house differ in the tactics, techniques, and procedures that were used, which is now beginning to converge into a single adversary. Because of this, the line between the fraud department and the cybersecurity department fueled largely by fintech is becoming increasingly blurred, and so have the security controls to counter it.

Two decades ago, the objective of hackers in compromising a target was website defacement. Today it’s for-profit payment card or personally identifiable information data breaches, ransom, or nation-state warfare. This has increasingly created a growing audience for vendors offering a litany of anti-fraud solutions to FIs that require both the CISO and CRO in their audience.

The estimated global average cost of a data breach exceeds US$3.62 million. Cyberattacks, financial crime, and fraud are becoming increasingly more targeted, intricate, and persistent—and intertwined. While technologies have made advances in risk management, cybersecurity, and fraud prevention, a recent IBM Institute for Business Value report reveals that 42% of banking executives believe that their fraud operations are in dire need of an overhaul.

The fact is that companies need to develop a joint operational risk management (ORM) strategy that aligns both fraud and cybersecurity to cope with the shared threats emanating from online criminals, hacktivists, or nation states looking to destabilize payment and financial systems, especially those targeting large-scale FIs that sit at the apex of our nation’s financial system. Today, though, FIs are struggling to connect the technical aspects of cybersecurity around technological controls with the people and process risks that the CRO is responsible for.

The evolution of ORM to include cybersecurity threats is being driven by three major trends: the rise in number and complexity of cyberattacks that pose a threat to an FI’s profits, reputational damage, and regulatory fines; boards and the C-suite realizing cybersecurity is not a technology problem but rather includes the broader context of people and processes within the FI; and a poor cost-to-income ratio driving banks to consolidate their silo-based risk management functions.

This "new norm" of expanded ORM that aligns cybersecurity, fraud, and anti-money laundering disciplines was made painstakingly obvious in the Dyre Wolf malware attacks against banks. This convergence was long overdue, proving phishing, malware, fraud, money laundering, and business disruption all coexist and therefore require a similar coordination between cybersecurity and ORM strategy.

In summary, the alignment of these two functions in the organization is increasingly becoming an existential imperative for FIs to ensure both are aware of their specific responsibilities and how they align within the broader context of the enterprise risk management strategy. Connecting these dots and aligning the strategy is key and starts with the FI adjoining these two historically siloed functions and bringing both under a formal standards framework, such as International Standards Organization (ISO) or National Institute of Standards and Technology (NIST), that ensures CISOs and CROs coexist under the same umbrella of operational risk management.

How can we help?

If you have a question specific to your industry, talk with an Aite Group analyst.  Call us today to learn about the benefits of becoming a client.

Talk to an Analyst

Receive email updates relevant to you.  Subscribe to entire practices or to selected topics within

Get Email Updates