Accenture: Proactive strategies improve cyber security

18 May 2015 Consultancy.uk

Companies that tackle cyber security proactively, the so-called Leapfrog companies, are able to attain improved security effectiveness, research by Accenture and Ponemon Institute shows. According to the firms, companies wishing to improve their security effectiveness should learn from the leapfroggers that outperform non-proactive companies on strategy, technology and governance.

Global technology services and management consulting firm Accenture, together with research centre Ponemon Institute*, recently released a new report, titled ‘The Cyber Security Leap: From Laggard to Leader’. For the research, the firm surveyed 237 companies around the globe and, based on the cyber security strategy each employed, divided them into two categories. The ‘Leapfrog’ companies are the ones that focus on security innovation and proactively address potential cyber security threats, and the ‘Static’ companies are the ones that focus more on cyber security threat prevention and compliance.

Accenture’s research shows that the Leapfrog companies, which have a more proactive security stance, saw their security effectiveness score improve by 53% over a two-year period, while non-proactive companies, the Static companies, saw a slight increase of 2%. The areas in which Leapfrog companies are more effective at addressing security than Static ones are strategy, technology and governance.

Distribution of the Leapfrog and Static samples by industry segment

Strategy
Leapfrog companies establish proactive security strategies that are aligned with their business objectives and focused on innovation to achieve a strong security posture, while Static companies focus on prevention, and use regulations, not strategy, to drive their security requirements.

Of the Leapfrog companies, 70% have a company-sanctioned security strategy, compared to 55% of Static companies. The divergence is even bigger when it comes to information security, which 69% of Leapfrog companies view as a business priority, compared to 45% of Static companies. To gain access to advanced technology and experienced resources, 62% of Leapfrog companies outsource core security operations, compared to 47% of Static companies.

Strategy characteristics where Leapfrog companies excel

Technology
Leapfrog companies focus on securing their network, sensitive data and the cloud, and deploy technologies that facilitate digital uptake and improve the ability to counter advanced threats to enhance the user experience and productivity. For these companies, the most important features of enabling security technologies are the options to pinpoint anomalies in network traffic, prioritise threats and provide advanced warnings.

Static companies, on the other hand, focus on ‘locking things down’, and are apprehensive when it comes to new technologies. For them, most important is to be able to control devices and limit insecure devices from accessing the system. 

Features of enabling security technologies

Governance
Strong leadership and business alignment, together with the correct governance measures, are needed to ‘leapfrog’ ahead in security effectiveness, Accenture argues. Both Leapfrog and Static companies recognise this and place great importance on the appointment of a Chief Information Security Officer (CISO) with enterprise responsibility.

The importance placed on security by Leapfrog companies is reflected in the role of their CISO, with 71% of Leapfrog CISOs responsible for defining the security strategy and 60% responsible for enforcing the security policies. In addition, the vast majority have a direct communication channel established with the CEO and the board. Also seen as important is the deployment of metrics for the evaluation of security operations. Within Static companies, CISOs do not have the same communications with the board, and less importance is placed on the evaluation of operations. Self-reporting of compliance violations is the one governance practice in which Static companies ‘outscore’ Leapfrog companies, highlighting the difference in security approach.

Governance practices of Leapfrog and Static companies

Commenting on the results, Mike Salvino, Group Chief Executive of Accenture Operations, says: “Our research shows that defending your business is a dynamic, strategic activity. To protect the business, security measures must be both proactive and adaptive, allowing your customers in, but keeping threats at bay.”

Larry Ponemon, CEO of the Ponemon Institute, adds: “Companies looking to increase their security effectiveness can apply lessons learned from the Leapfrog companies to make a significant positive impact on their security. Starting with the C-suite, it’s time to champion and achieve a strong stance on security – effectively communicating with all employees. By holding everyone accountable for achieving security objectives, you will eliminate security silos within your organisation.”

* Ponemon Institute conducts independent research on privacy, data protection and information security policy.

An 8-step framework for banks to prepare for FRTB changes

02 April 2019 Consultancy.uk

With FRTB expected to come into force in 2022, it is critical that banks implementing necessary changes remain on track for their compliance timelines. Whether a company is aiming for the mandatory Standardised Approach (SA) or the voluntary Internal Models Approach (IMA), the programs often represent a significant investment, requiring process, systems and cultural change. 

Drawing from its experience in helping banks meet the milestone set in their compliance timelines, Capco – a management and technology consultancy for the financial services industry – has developed an eight-point prioritisation framework for FRTB preparation and implementation. Natasha Leigh Giles, a Managing Principal at the consultancy, outlines the main dimensions of the framework: 

Prioritisation framework for FRTB

1. Front office operating model

For those who have already implemented the Volcker rule, the desks are well defined with monitoring and governance frameworks. However, for companies that have not been required to adhere to the U.S. regulation, there may be additional work involved in implementing desk-level controls as required under FRTB. The trading desk structure is especially important for banks planning to implement IMA, as this regime is applied at the desk level and requires that the full flow of the selected desk is able to pass the IMA requirements (including the modelability test for the risk factors). Key business decisions may be required if a desk trades complex products that are more aligned for SA treatment. 

2. Product scope

In order to reach the IMA status, products are required to be supported with additional data sets including historical market and reference data as well as risk factor pricing evidence. The opportunity for 2019 lies in refining the assessment on the feasibility of each product type to ensure a clear scope is agreed for the IMA environment. If the challenges are too complex or costly to overcome, such as access to historical market data, availability of price verification for the risk factors or significant enhancements to support computational capacities, then these products should be scoped out of the IMA program as soon as possible in order to save time and effort on continuing analysis. 

3. Client & trading activities

There is no need to wait until the FRTB implementation timeframe to undertake a holistic review of client and trading profitability – including the capital impacts. For example, running training and awareness campaigns within the front office can help the traders to understand the impacts of their activities and encourage changes in the way that they trade. By considering this holistically as a business and operational change, it can help keep the focus and resources on the primary (profitable) business in preparation for the compliance deadline. 

4. Internal controls

Methodology, reporting, auditability, and process governance for internal controls also need to be monitored in detail. We recommend having clearly defined processes accompanied by effective training across front-to-back office. For some banks, it will be beneficial to audit existing capital adequacy processes to ensure that findings are highlighted in advance of the implementation timeline and the appropriate focus is achieved within senior management.

5. Data & metrics

Financial institutions need to consider their overarching governance and ongoing management for the data (including ownership, quality control, golden source storage solutions, etc.) and the ongoing control framework for ensuring the data remains accurate and relevant for capital adequacy modeling. If there has not been a data lineage exercise already applied, this is a great opportunity to deliver business benefit, even in 2019. By creating agreed definitions, preferred sources, ownership and workflows for managing data quality, the benefits of more accurate data can already be applied to existing capital calculation models. 

Framework for FRTB

6. Model management & validation framework

In preparation for the FRTB regime, an opportunity for 2019 is to understand whether there are gaps or control concerns to manage immediately. Model enhancements across SA and IMA will need to be productionised for output accuracy and refinement; however, these need to be maintained alongside existing Basel 2.5 BAU models and other concurrent changes, e.g. the LIBOR transition. Business process optimisation, testing environments and automation tools, documentation and model validation can all be reviewed for immediate benefits and to prepare the process for a smooth implementation of the future FRTB models.

7. Technology platform & testing environments

With regards to technology planning, the opportunity in 2019 is focusing on gaining agreement of the front-to-back FRTB future state architecture including the use of vendors as applicable. By ensuring a disciplined focus upon design and solution definition across all requirements, it provides a clear baseline for implementation planning and scheduling. Establishing a technology architecture which allows for FRTB data feeds, model enhancements, control definitions and accurate capital calculation outputs will provide the program with essential data and metrics needed for decision making. 

8. Leveraging synergies

Once a baseline plan has been established, it is possible to identify synergies across other programs – such as the SA-CCR (Standardized Approach for Counterparty Credit Risk) or the IMM (Internal Models Methodology) – that could deliver overlapping benefits at reduced effort. Understanding requirements, defining the future state architecture, and implementing the change in a complex environment requires a mix of strategic principles and program management. Therefore, we consider it an opportunity for 2019 to take a centralized approach for data lineage and requirements gathering as this would be beneficial for optimizing capital costs across both the market and credit risk environment.

Conclusion

By considering each topic strategically in 2019, benefits such as data quality enhancements, strengthened internal controls and flexible test environments will not only bring immediate business value, but also set a solid foundation for a comprehensive FRTB implementation in the years to come. 

For more information on Capco’s model and its approach to helping banks plan for FRTB, download the full whitepaper on the firm’s website.