The digitalisation of the financial industry is advancing: the importance of IT will change fundamentally in the coming years. The use of new technologies, artificial intelligence, the automation of processes and the networking of value chains will determine our everyday working lives.
What does this development mean for the information processed by credit institutions and insurance companies - the so-called “information assets”? What changing or new threats are they exposed to? What are the key information risks that affect them? How quickly can information risks be identified and properly assessed? How quickly will the necessary measures be implemented?
In a digital world, risks to corporate information cannot be ruled out. It is therefore important to establish, and continuously develop, a flexible, rule-based and proactive management of information risks. In this way, information can be protected appropriately and in an economically sensible manner, based on its criticality and the individual threat situation, with regard to its availability, confidentiality and integrity (including authenticity).
Establish holistic information security and risk management
The first step is to define a target picture for information security and information risk management (ISM and IRM) in order to effectively manage the security of your information assets. In practice, current implementations are often driven by regulatory requirements and by external findings from BaFin or ECB audits. The processes and methods developed as a result often involve a great deal of manual effort and many media breaks (hand-offs between unconnected tools and files). This slows down the identification and assessment of information risks and can distort the overall risk picture, both in its timeliness and in its content. In the digital world, this is one of the biggest threats to credit institutions and insurance companies.
Therefore, the information security and information risk management processes should be consolidated and revised to simplify and accelerate them.
We help you develop a holistic view of information security and your information risk management so that you are ready for the demands of the digital world.
Nadine Schmitz
Partner, Financial Services
KPMG AG Wirtschaftsprüfungsgesellschaft
Top trends in information security and information risk management
What options do financial service providers and insurance companies have in the digital world to adequately and efficiently protect the business entity’s critical information assets?
- Simplification
The individual processes that have to be mapped in information security and information risk management often create a high level of complexity and effort for everyone involved in them.
An important step towards both more efficiency and more consistency is the harmonisation and merging of these processes.
For example, information risk management, business impact analysis and data protection measures all rest on an assessment of the criticality of processes and information. These disciplines share the same starting point even though their approaches differ. In addition, each of them depends on preliminary work by IT on the IT architecture that underlies the corporate information.
We set up a continuous process with you for all disciplines and integrate your IT within our approach. This relieves your departments as much as possible, and you receive consistent, comparable results.
- Automation
There is currently a progressive shift away from locally maintained, decentralised files. Instead, integrated GRC tools or specialised tool solutions are sought. These allow information security and information risk management to be mapped end to end and the results of the individual process and assessment steps to be linked with one another. Digital workflows that simplify processing additionally give those responsible a quick and holistic overview of the information risk situation.
In addition to the question of tooling, the methodology used to assess information risks is increasingly under discussion. The options range from traditional qualitative methods through semi-quantitative to fully quantitative methods. Qualitative methods rate likelihood and impact on ordinal scales (for example low/medium/high) and rest largely on expert judgement, which makes them difficult to automate. Quantitative methods estimate event frequencies and loss amounts on a calibrated, sometimes complex, numerical scale; because such an approach is rule-based, it lends itself to automation.
- Cost savings
A decision to implement the measures needed to reach a desired level of protection for your information assets involves investment.
In order to direct investment in risk-reducing measures to where it achieves the optimal effect, i.e. the maximum risk reduction per unit of cost, the risk-reducing effect of the measures must be comparable. The assessment of information risks should therefore be based on uniform methods that are valid throughout the company.
Often, predominantly qualitative categories are established. However, to support an investment decision on the basis of a business cost-benefit assessment, quantitative methods are preferable. Here it is important to take a differentiated view of the loss distribution: expected annual loss, tail percentiles and the maximum loss say different things about a risk and about the measures that address it. Looking exclusively at the maximum damage, as is common in the protection requirements analysis, is not meaningful in this context, because a measure that mainly reduces how often an event occurs shows no effect on a maximum-damage figure at all.
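The following is an added example, not part of the original page and not a KPMG method or tool; it illustrates the two points above (a rule-based quantitative assessment that can be automated, and why the maximum-damage figure alone is a poor basis for investment decisions). It simulates an annual loss distribution for two hypothetical scenarios (a frequent, low-severity account-takeover risk and a rare, high-severity ransomware risk), then compares three hypothetical controls by expected-loss reduction per euro of annual cost and by the maximum-damage reduction a worst-case-only view would report. All scenario names, frequencies, loss parameters, control names and costs are constructed for illustration.

```python
"""Added example (constructed data): comparing controls on a simulated loss
distribution versus on a single maximum-damage figure."""
import math
import random
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    name: str
    frequency: float        # expected loss events per year (Poisson rate)
    severity_median: float  # median loss per event in EUR (lognormal)
    severity_sigma: float   # dispersion of the per-event loss (lognormal sigma)


@dataclass(frozen=True)
class Measure:
    name: str
    annual_cost: float
    target: str              # scenario the control acts on
    frequency_factor: float  # multiplies the event rate (1.0 = no effect)
    severity_factor: float   # multiplies the per-event loss (1.0 = no effect)


# Hypothetical scenarios and controls; figures are invented for illustration.
SCENARIOS = (
    Scenario("phishing-driven account takeover", 4.0, 20_000.0, 0.8),
    Scenario("ransomware on core banking platform", 0.02, 3_000_000.0, 1.0),
)
MEASURES = (
    Measure("phishing-resistant MFA", 150_000.0,
            "phishing-driven account takeover", 0.3, 1.0),
    Measure("immutable backups with tested restore", 250_000.0,
            "ransomware on core banking platform", 1.0, 0.4),
    Measure("segmentation of core banking network", 600_000.0,
            "ransomware on core banking platform", 0.5, 0.7),
)


def _poisson(rng, rate):
    """Knuth's algorithm; adequate for the small rates used here."""
    limit, k, p = math.exp(-rate), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def analytic_expected_loss(s):
    """Closed form: event rate times the mean of the lognormal severity."""
    return s.frequency * s.severity_median * math.exp(s.severity_sigma ** 2 / 2)


def max_single_loss(s, z=3.09):
    """'Maximum damage' as a protection requirements analysis would record it:
    here the 99.9th percentile of the per-event loss (z = 3.09)."""
    return s.severity_median * math.exp(s.severity_sigma * z)


def simulate_annual_losses(scenarios, years=20_000):
    """One seeded RNG per scenario (common random numbers), so changing one
    scenario's parameters does not disturb the draws of the others."""
    totals = [0.0] * years
    for i, s in enumerate(scenarios):
        rng, mu = random.Random(1000 + i), math.log(s.severity_median)
        for y in range(years):
            for _ in range(_poisson(rng, s.frequency)):
                totals[y] += rng.lognormvariate(mu, s.severity_sigma)
    return totals


def summarize(losses):
    ordered, n = sorted(losses), len(losses)
    return {"expected_annual_loss": sum(ordered) / n,
            "p95": ordered[int(0.95 * n)],
            "worst_simulated_year": ordered[-1]}


def apply_measure(scenarios, m):
    return tuple(replace(s, frequency=s.frequency * m.frequency_factor,
                         severity_median=s.severity_median * m.severity_factor)
                 if s.name == m.target else s for s in scenarios)


def compare_measures(scenarios=SCENARIOS, measures=MEASURES, years=20_000):
    """Per measure: expected-loss reduction per EUR of annual cost (the
    comparable quantity) next to the reduction of the maximum-damage figure."""
    base_eal = summarize(simulate_annual_losses(scenarios, years))["expected_annual_loss"]
    base_max = sum(max_single_loss(s) for s in scenarios)
    rows = []
    for m in measures:
        treated = apply_measure(scenarios, m)
        eal = summarize(simulate_annual_losses(treated, years))["expected_annual_loss"]
        rows.append({"measure": m.name,
                     "eal_reduction": base_eal - eal,
                     "eal_reduction_per_eur": (base_eal - eal) / m.annual_cost,
                     "max_damage_reduction":
                         base_max - sum(max_single_loss(s) for s in treated)})
    return rows


def ranking(rows, key):
    """Measure names ordered from most to least effective under the given key."""
    return [r["measure"] for r in sorted(rows, key=lambda r: r[key], reverse=True)]


if __name__ == "__main__":
    rows = compare_measures()
    for r in rows:
        print(f'{r["measure"]:40s} EAL reduction/EUR {r["eal_reduction_per_eur"]:.2f}'
              f'  max-damage reduction {r["max_damage_reduction"]:,.0f} EUR')
    print("by expected-loss reduction per EUR:", ranking(rows, "eal_reduction_per_eur"))
    print("by maximum damage only:            ", ranking(rows, "max_damage_reduction"))
```

With these constructed inputs the MFA control ranks first by expected-loss reduction per euro but last (with a reduction of zero) by maximum damage, because it lowers how often the account-takeover events occur rather than how bad a single one can be. The ranking that a maximum-damage-only analysis produces would therefore steer the budget to the wrong place. The per-scenario seeded generators are deliberate: rerunning the simulation with a control applied changes only that scenario's draws, so the differences measure the control, not simulation noise.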
- Transparency
Because threats and information risks are dynamic, it is often difficult to obtain a transparent picture of both the ideal level of protection and the actual information risk situation.
A frequent consequence of this dynamic is that information assets are not adequately protected, and new types of threats, especially in connection with cybercrime, lead to supposedly surprising consequences.
To reduce unpleasant surprises, the level of protection and the impact of each threat and each measure should be calculated, and substantiated by an expert, as early as the design of the information security and information risk management framework. In addition, appropriate measuring points and meaningful key performance indicators and key risk indicators are needed so that decisions can be made transparently and on an informed basis.
This approach allows a timely, informed and accurate response to the dynamic situation.
However, it also requires that all information be interlinked and available in a timely manner. The automation trend is key to this.
Current challenges with respect to information security and information risk management:
- How do we develop information risk management so that it meets the challenges of a networked, fast and digitalised world?
- How do we identify and assess information risks more efficiently?
- Do we really know what information is critical, how critical it is, and where it should be placed?
- Is your threat landscape constantly changing, for example due to rapid developments in cybercrime?
- Is digitalisation advancing relentlessly, and do you want to use cloud services?
- Is your information security and information risk management based on outdated Excel spreadsheets and isolated solutions?
- In the end, do you always lack transparency in interactions with your service providers?
- Is there uncertainty about responsibilities, especially between the departments and IT?
- Is your protection requirements analysis lacking quantifiable metrics as well as methods for an accurate and cost-saving protection requirements determination?
- Do your target measures for protecting your information assets result solely from the protection needs determination?
- Are you not sure if your measures are sufficient to protect the information across the entire information network?
- Is your information security system and information risk management system considered in isolation because they are not integrated with other business areas such as OpRisk/NFRM, BCM, service provider control, and data protection?
Are you wondering how to overcome the challenges?
With a wealth of experience and know-how, as well as a structured approach, KPMG can help you get your information security and risk management ready for the digital world. With a focus on risk, we support your information risk management so that you can always make sound and resource-efficient decisions and stay ahead of information risks, using information security management and protection methods that are specifically adapted to credit institutions and insurance companies:
1. Digital Maturity@IRM / ISM:
This is a fitness check of your existing information security and information risk management processes, concepts and methods, and of how they interlink with other relevant processes.
The results of this analysis show you how you can align your information security and information risk management for the future without surprises.
2. Selecting and implementing a methodology:
Together we develop sensible options for improvement and alternatives to the information security and information risk management methods you use. In doing so, we draw on extensive national and international experience and comparative models. The aim is to use progressive automation to transparently underpin your investment decisions.
3. Dovetailing information security and information risk management processes and establishing clear governance:
Through coordinated and standardised (sub-)processes, we ensure the necessary efficiency within your information security and information risk management processes. Implementing the processes consistently according to the 3 Lines of Defence model not only meets regulatory requirements but also creates clear roles and responsibilities and satisfies operational needs.
Wherever possible, we keep the existing roles in order to limit the process-related expense.
4. Tooling: Collaborations/alliances
We can help you implement tool-based, integrated process solutions. Together we develop your information security and information risk management with the highest possible degree of automation.
Thanks to our many years of experience and our cooperation with popular tool providers, we can help you find the provider best suited to your requirements, one that fits your existing application landscape and IT architecture.
5. Interface issues:
We help you identify the necessary interfaces to other processes (e.g. OpRisk/NFRM, outsourcing, BCM, operational IT security) and result objects (e.g. the CMDB), and to harmonise them in order to create a holistic information security and information risk management system.
The many years of experience of KPMG staff with clients of different sizes and business models ensure that the structure of your information security and information risk management takes into account not only regulatory and market requirements but also your individual entrepreneurial framework conditions.