Cyber-resilience should be an ongoing effort in financial institutions
Daniel Opio
Cybersecurity Innovative | Internet Entrepreneur | Data Protection | Internet Governance | Digital Rights Lawyer
Cyberattacks have become an inevitable digital hazard that even the most mature financial institutions will never be able to completely eliminate, no matter how much they invest in the latest security technology.
Financial institutions in particular are exposed to the cascading impacts of technology failures, human error and natural disasters because of their growing reliance on digital technology. It is critical that these institutions develop a clear understanding of where and how they could encounter cyber danger in this context.
The growing sophistication, frequency and severity of cyberattacks on financial sector institutions underline that such attacks are inevitable and that the integrity of critical computer systems cannot be completely protected. In this context, cyber-resilience, the capacity to withstand, recover from and adapt to the shocks caused by cyber risks, offers an attractive complement to the existing cybersecurity paradigm.
Cyber-resilience has become one of the most hyped concepts in discussions of cybersecurity, despite or perhaps because of its nebulous meaning, which makes it difficult to define and measure rigorously. Its popularity is undoubtedly linked to the steady stream of headlines about cyberattacks and data breaches on the front pages of newspapers and technology websites, announcing new and massive hacks that reveal the vulnerability of our digital infrastructures and organizations' inability to protect the personal data we entrust to them. Even the most technologically advanced and security-conscious businesses are vulnerable to catastrophic cybersecurity disasters. Consider the unauthorized access to Pegasus Technologies, a payments aggregator for MTN Uganda, Airtel Uganda, Stanbic Bank and Bank of Africa, widely regarded as the biggest cyber scandal of 2020: the incident saw 11 billion lost between 2 and 3 October 2020.
The 'predict and protect' paradigm that has dominated information security for the past few decades is being challenged by cyber-resilience. Faced with the grim reality that no digital system can guarantee impregnability against repeated attacks, businesses are recognizing the need to develop the processes and technology that let an organization survive and recover from a catastrophic attack.
This explains why "an organization can have cybersecurity without being resilient, but not the other way around", as the Conference Board of Canada put it in its 2018 report Building Cyber Resilience. The need to apply resilience thinking and practices to the digital ecosystem may seem superfluous, since the internet was designed to be a resilient distributed system.
Cybersecurity experts often point to the highly publicized cyber-incidents of the past few years (MTN, Airtel, Stanbic and Bank of Africa were robbed of Shs7b) to illustrate the disruptive potential of adverse events on financial institutions.
Although the ISO/IEC 27000 family of standards does not name resilience as a goal, it does prescribe a number of controls that contribute to an organization's cyber-resilience, including information security awareness, education and training; information backup; planning information security continuity; and learning from information security incidents, to name a few.
The second cybersecurity standard to have attracted worldwide attention, despite its national origins, is the Cybersecurity Framework published by the US National Institute of Standards and Technology (NIST). Because the NIST Cybersecurity Framework is free and has no formal conformance assessment procedure, it can be tailored to the specific needs and capabilities of each adopting enterprise. While this non-binding approach is expected to gain wider and faster adoption than the ISO standard, coherence and consistency of implementation cannot be guaranteed. The Framework is built on a "Core" of five Functions (Identify, Protect, Detect, Respond and Recover), which are divided in total into 23 Categories and 108 outcome Subcategories. Each Subcategory is mapped to informative references, that is, equivalent measures or controls in other cybersecurity standards such as ISO/IEC 27001.
Acknowledging that organizations differ greatly in their capacity to adopt the Framework, four “Implementation Tiers” are provided: Partial, Risk Informed, Repeatable, and Adaptive. Each tier marks a progression in the degree of cyber-resilience toward more holistic, adaptive, and networked capacities.
Both standards implicitly help an organization build its resilience through their requirements and checklists. It is no coincidence, therefore, that resilience has become a crucial response to the major cybersecurity concerns that threaten our societies' futures. Financial organizations must acknowledge their inherent fallibility and learn to anticipate, withstand and adjust to hazards. This requires a shift in thinking, in which tolerance for graceful degradation replaces the illusion of safety and predictability, so that the resilience measures already present in the standards highlighted above can be adopted quickly.