Managing operational risk and cyber risk means getting certain things right. Resilience is high on the list, but what other priorities can firms address? See www.accenture.com/CyberRisk for more.

1. RiskMinds
Operational Risk:
Building Cyber Resilience

2. Copyright © 2015 Accenture All rights reserved. 2
• People are often the weakest link – employees, vendors, customers
• Attacks span the traditional defenses – physical security, manipulation
of staff, fraud, application security, malware
• Digital assets create more entry points
• It is not a matter of IF but to WHAT EXTENT you are compromised
Building Cyber Resilience
We have heard from multiple #RiskMind2015 presentations that this is a
growing problem

3. Copyright © 2015 Accenture All rights reserved. 3
Global Regulatory Landscape
The Regulatory Landscape is changing rapidly to address these concerns.
(FFIEC)
Pilot
Cybersecurity
Assessment
(FINRA)
Equities Trading
Initiatives and
Securities trader
Registration
Q4 2014 Q1-3 2015 Q4 2015 2016
(SEC)
Cyber Exams,
Issues Risk Alert
(FFIEC)
Cybersecurity
Assessment
Tool
(CFTC)
Cybersecurity
Requirements
(Fed)
Cybersecurity
Information
Sharing Act
(SG CSA)
National Cyber
Security
Masterplan 2018
(SEC)
IM Cybersecurity
Guidelines
Future/Proposed Rules
Current Rules
(NIST)
Cybersecurity
Framework
Q3 2014 2016
(CFTC)
High Speed
Trading Rules
(SEC)
High Frequency
Trading Rules
(HKMA)
Cybersecurity
Risk
Management
Circular
(BoE)
CBEST
Vulnerability
Testing
Framework
Source: Accenture analysis based upon publicly available data.

4. Copyright © 2015 Accenture All rights reserved. 4
1. Training and Risk Culture – Taking your unique organization and infusing
the right cyber risk behaviors
2. Controls – Where are the weak points – build robust set of controls across
operations, business and IT
3. Measurement with a Purpose – What is going on without you knowing it –
creating metrics which expose the risks
4. Operating Model – How do you work with the rest of the organization -
assigning clear lines of accountability and ownership
5. Resilience – At some point it will go wrong, be prepared
The Top 5 Priorities to Get Right
We will discuss 5 priorities and determine as a group if these are the top
priorities

5. Priority #1 – Training and Culture

6. Copyright © 2015 Accenture All rights reserved. 6
Cyber Risk Culture
View of the Organization
How does your organization’s culture span these quadrants?
High Sociability
Low Sociability
High SolidarityLow Solidarity
Networked Cohesive
Fragmented Task Masters
The “Investment Bank”
The “Outsourced” Bank”
The M&A growth
“Regional Bank”
The Organic growth
“Retail Bank”
Influence of relationships
Influence of the “drive” to meet
common goals

7. Copyright © 2015 Accenture All rights reserved. 7
• Dynamic
• Ideas flow freely
• Metrics driven
• Centralized
Cyber Function
• Decompose and
define
approaches
• No single
solution
• Identify
problem
segments
High Sociability
Low Sociability
High Solidarity
Low Solidarity
Networked Cohesive
Fragmented Task Masters
The “Investment
Bank”
The “Outsourced”
Bank”
The M&A growth
“Regional Bank”
The Organic growth
“Retail Bank”
Influence of relationships
Influence of the “drive” to meet
common goals
Training and Culture
Cultural View of the Organization
How does your organization’s culture span these quadrants?
• Consensus driven
• Proud of brand
• Emulate role
models
• Tone from the top
• Individual
accountability
• Incentives distort
risk and culture
• Based on strong
controls
• Clear metrics

8. Copyright © 2015 Accenture All rights reserved. 8
Cyber Risk Pulse Check
A highly engaging and dynamic diagnostic that rapidly assesses employee
understanding of Cyber Security best practices and provides data-driven
insights and benchmarking for your firm.
E N G A G E
M O T I V A T E
A N A L Y Z E
Designed with advanced learning
methods and game mechanics to
create an immersive experience
First ever NYSE benchmark on Cyber
Security that will allow for comparative
analysis against cross-industry
participants
Dynamic diagnostic environment that
highlights the critical importance of
Cyber Security, driving behavioral and
cultural change
http://pages.s6.exacttarget.com/page.aspx?QS=c76003443ff9837d
8ef9974a19a99cfa5f994776888b6bfc6115f9e9e82e4c33&campaig
n=701E0000000xb2E
NYSE

9. Priority #2 – Controls

10. Copyright © 2015 Accenture All rights reserved. 10
Controls
(Cyber Risk Enhancements Requirements)
Traditional control frameworks evaluate effectiveness through an
operational risk approach focused on residual risk.
1. Business / IT
Process
2. Risk
Identification and
Inherent Risk
3. Control
Identification
and Rating
Impact
Frequency | Severity
Risk Type
4. Residual
Risk Scoring
Process
Control Effectiveness
Attributes
Key, Type
Control Layer
Business
Domains
Scorecard
Dependencies
Applications
Cyber Scenarios and
Trigger Events Active | Passive Risk
New FocusRenewed focus
Key Risk Indicators
Target Residual Risk
Value
Control Assessment Types
Risk Control Self Assessment | Third Party | Applications | Infrastructure | Regulatory

11. Copyright © 2015 Accenture All rights reserved. 11
Scenario:
• Disgruntled employee
with access to customer
data
• Employee working
during non-working
hours
• Downloading of files
which vary from peer
group
• It is month end and high
IT usage is expected
Example Controls
Use case: Identifying insider threats based upon system and physical
access to firm-wide assets with privacy data.
Controls to Mitigate:
• Security – Abnormal physical access
records vs normal patterns
• HR –Poor recent performance from
supervisors, LinkedIn® resume updated
• IT – Alerts with network, server or
database patterns which are historically
misaligned to normal business operations
• Business – Correlate data usage by peer
group for high impact activities related to
reporting/extracts
• IT – Abort or suspend reporting when
thresholds are reached for exporting or
querying data
C1
C2
C3
C4
C5
Risk Score:
68/100
67/100
35/100
75/100
45/100
Investigate

12. Priority #3 – Measurement with a
Purpose

13. Copyright © 2015 Accenture All rights reserved. 13
Measurement with a Purpose
Common categories to consider for Cyber Risk Reporting
1. Board Level Reporting 2. IT Risks 3. Operational
4. Advanced
Analytics
Infrastructure
Third Parties
SoftwareInternal
Employee Training
Data Loss Prevention
Employee Monitoring
External
Vulnerabilities
Surveillance
Funding
Risk/Reward
Decisions
IT Operations
Fraud
Target Residual Risk
Access
Management
Physical SecurityHigh Crimes and
Investigation
New FocusRenewed focus

14. Priority #4 – Operating Model

15. Copyright © 2015 Accenture All rights reserved. 15
Embed the first line of defense within technology organization.
Create a centralized office with technology control officers across
business lines which just focus upon IT.
Cyber Risk Operating Models
An operating model defines the organization’s accountability for doing the
work, supporting the right decisions and measuring effectiveness.
Centralize an entire department as 2nd line of defense with
examinations across the lines of business. Build highly specialized
team and track similar to compliance function.
Policy setting organization and influencer similar to data and
privacy. Develop risk frameworks around IT, data integrity, and
operations and run as 2nd line of defense.
Create an enterprise-wide risk function dedicated to identify,
measure and respond to threats.
Option 1 – Dedicated
Function
Option 0 – IT Centric
Option 2 – Cyber Czar
Option 3 – Risk Led

16. Copyright © 2015 Accenture All rights reserved. 16
Operating Model Analysis
Each option should consider the tradeoffs with the firm’s ability to Prevent
and Detect Threats.
Efficiency
Ability to Prevent and Detect Threats
Low
High
High
Option 0 – IT Centric
Option 1 – Dedicated
Function
Option 2 – Cyber Czar
Option 3 – Risk Led

17. Copyright © 2015 Accenture All rights reserved. 17
Operating Model Analysis
Each option should consider the tradeoffs with the firm’s ability to Prevent
and Detect Threats.
Ability to Prevent and Detect Threats
Low
High
High
ValuetoCustomer
Option 0 – IT Centric
Option 1 – Dedicated
FunctionOption 2 – Cyber Czar
Option 3 – Risk Led

18. Copyright © 2015 Accenture All rights reserved. 18
Operating Model Analysis
Each option should consider the tradeoffs with the firm’s ability to Prevent
and Detect Threats.
Ability to Prevent and Detect Threats
Low
High
High
SpeedtoExecute
Option 0 – IT Centric
Option 1 – Dedicated
Function
Option 2 – Cyber Czar
Option 3 – Risk Led

19. Priority #5 – Resilience

20. Copyright © 2015 Accenture All rights reserved. 20
A Comprehensive Approach Helps Protect the Full Breadth
of Entry Points and Operations which Underpin Financial
Services Organizations
Detect
IdentifyRespond
Prevent
Detection and
Identification – Tools
and metrics to identify
and log aspects to
manage operations
Operational Monitoring –
Aligning the tools to identify and
detect threats along with their
escalation and oversight
Event Response Plan – Structure
to identify and manage action plans
Business and IT
Controls – Oversight of
the controls and their testing
programs and how to leverage
COBIT®, ISA, ISO/IEC, NIST
controls
Operating Model –
Specifying the structure with
people, organization, roles, tools
and processes to govern
Crisis Management –
Structure to manage incidents
and notify impacted parties
Risk Events - Scenarios
which can impact the organization
specific to Cyber threats
Risk Identification – Aggregated set
of typical risk associated with Cyber Risk
How do we
respond?
What is the
impact?
How do we
organize?
How do we
monitor?

21. Copyright © 2015 Accenture All rights reserved. 21
Resilience
The ability to operate the business processes in normal and adverse
scenarios without adverse outcomes
Intgerated:
Identify,Prevent,Detect
Response:
Everyscenario

22. Glossary
CBEST: Bank of England vulnerability testing framework
CFTC: U.S. Commodity Futures Trading Commission
COBIT: Control Objectives for Information and Related Technology. COBIT® is a trademark of
ISACA® registered in the United States and other countries.
IEC: International Electrotechnical Commission
ISA: Information Society of Automation
ISO: International Organization for Standardization
Fed: Federal Reserve System
FFIEC: Federal Financial Institutions Examination Council
FINRA: Financial Industry Regulatory Authority
HKMA: Hong Kong Monetary Authority
NIST: National Institute of Standards and Technology
SEC: Securities and Exchange Commission
SG CA: Cyber Security Agency of Singapore

23. RiskMinds Operational Risk:
Building Cyber Resilience
Disclaimer:
This presentation is intended for general informational purposes only and does not take into account the
reader’s specific circumstances, and may not reflect the most current developments. Accenture disclaims,
to the fullest extent permitted by applicable law, any and all liability for the accuracy and completeness of
the information in this presentation and for any acts or omissions made based on such
information. Accenture does not provide legal, regulatory, audit, or tax advice. Readers are responsible
for obtaining such advice from their own legal counsel or other licensed professionals.
About Accenture
Accenture is a leading global professional services company, providing a broad range of services and
solutions in strategy, consulting, digital, technology and operations. Combining unmatched experience and
specialized skills across more than 40 industries and all business functions—underpinned by the world’s
largest delivery network—Accenture works at the intersection of business and technology to help clients
improve their performance and create sustainable value for their stakeholders. With more than 358,000
people serving clients in more than 120 countries, Accenture drives innovation to improve the way the
world works and lives. Visit us at www.accenture.com
Accenture, its logo, and High Performance Delivered are trademarks of Accenture.
Rights to trademarks referenced herein, other than Accenture trademarks, belong to their respective
owners. We disclaim proprietary interest in the marks and names of others.

24. Learn more about cyber risk and resilience:
www.accenture.com/CyberRisk