RISK REPORT: FINANCIAL SERVICES
The Human Element in Banking Cyber Risk
The financial sector is not alone in seeking ways to identify how employees fall for
cyber phishing scams. Efforts are underway to bring different together to better train
By Dan Reynolds
In 2016, all it took was one cleverly worded email for cyber thieves to bilk the Belgian bank Crelan out of more than $75 million. The phishing scam, in which schemers fabricated a demand-for-funds email that looked like it came from the company’s CEO, was one of thousands of cyber-attacks that buffet banks every day.
Financial institutions can invest millions in cyber defenses, but it’s now known
that most cyber losses are the result of human error. In the Crelan case, tens of
millions in funds were erroneously transferred in response to a phony demand
email, never to be seen again.
THE HUMAN ELEMENT
Efforts are now underway to address the human element of cyber risk in
finance to improve company cultures and reduce the chances an employee will be
fooled into transferring money to a fraudulent recipient.
“All organizations face a challenge,” said Josh Ladeau, the global head of
technology E&O and cyber, Aspen Insurance.
“For the revenue-producing areas of an organization, there is typically a tug of
war between ease of doing business and the thoughtful implementation of security
controls; by default these concepts often run counter to each other, not just within
financial institutions, and that creates natural friction when trying to culturally
integrate security consciousness,” he said.
Addressing the human element of cyber risk, how cultures and individuals can
be either a company’s worst cyber security weakness or its most stalwart defender,
is an area of concentration for Adeola Adele, director of integrated cyber solutions
and thought leadership, Willis Towers Watson (WTW).
Adele and her colleagues are leading client meetings intended to break
down the walls between human resources, risk management, compliance and
information security staffers, pursuing how traditional human resources strengths
like training and testing can be brought into an alliance with risk management.
“I do believe that there is an appetite there for HR to become more involved in
this issue,” she said.
When the insurance brokerage Willis merged with the human capital specialist
Towers Watson in early 2016, one of the stated goals of company leaders was to put
Towers Watson’s human resource experience to work in the field of risk management.
Adele said WTW is now using employee engagement surveys as a tool to
measure cyber security weakness.
“We did a human element study a couple of years ago and one of the things
that we found was organizations that lack a focus on the customer experience are
more likely to suffer a breach,” she said.
DEPARTMENTS PUT STOCK IN COLLABORATING
The “customer experience,” Adele explained, includes such things as how well
companies respond to customer complaints, how they service customers, how their
products speak to their customers, how they solicit customer feedback and “in
the context of cyber security, that would include the measures they have in place
to protect customer data,” she said.
Adele said WTW is also using analytical tools to assess incoming talent on how
well it will be able to perform in the area of cyber security, in the context of a
severe shortage in the areas of engineering and data science.
“We know that many financial institutions have not done this type of analysis,”
she said. “We are helping organizations address this issue, because
• Behavioral science tools help determine how well employees can perform cyber security
• More than 60 percent of cyber frauds succeed due to human
• Some financial sector companies are embracing cultural change to strengthen cyber security.
“... organizations that lack a focus on the customer experience are more likely
to suffer a breach.”
— Adeola Adele, director of integrated cyber solutions, Willis Towers Watson
The financial services sector increasingly looks to break down silos between HR, risk management and information security
to better defend against phishing scams.