IBM RegTech Innovations

Risk management in the cloud: A strategic imperative

Share this post:

For financial institutions, the benefits of moving away from legacy in-house systems to the cloud are obvious. A cloud environment offers financial institutions greater speed and agility than their current environments. But while mobile devices give us great power and convenience, they also create new security and privacy challenges. Financial institutions face a similar dilemma – while moving to the cloud makes sense for a number of reasons, it also presents a new set of challenges. Cybersecurity risk is at or near the top of every list of concerns for these institutions. Simultaneously, regulators and auditors are issuing new cybersecurity regulations and guidelines. To thwart cybercriminals and meet regulatory requirements while also managing costs, institutions should consider adopting a centrally managed platform and related services to create a consistent and scalable control framework.

Three pillars of cyber risk management on the cloud

A properly deployed and administered solution for managing cyber risk consists of three main pillars. Each one is independently necessary and vital, but they also work cohesively to form a complete cyber risk solution. No financial institution is the same, so each organization should consider a tailored platform to best serve their needs and business.

  1. Comprehensive risk management: Naturally, this would start with a complete risk management framework, from identifying and measuring cyber risk to incorporating cyber risk in the institution’s overall risk appetite. In addition, mitigating risks associated with moving to the cloud requires integrating cyber risk management into the institution’s enterprise risk management processes. This can provide senior management more visibility into risks and important data when understanding the risks to the enterprise.
  2. Cybersecurity: As cyber threats increase in complexity and frequency, institutions should develop a comprehensive cybersecurity program. They should focus on identifying vulnerabilities, implementing solutions that safeguard critical business data, detecting possible threats that have penetrated the infrastructure, and helping critical business applications and systems respond and recover. It’s imperative for an institution to establish an aggressive, analytics-driven solution to identify, manage, and mitigate threats, given that executives at financial organizations are under enormous pressure to maintain the integrity of their data, keep their customers’ sensitive information safe, be fully versed on evolving threats and challenges, and prepare for threats they have not yet seen.
  3. Regulatory compliance: Given these challenges, regulators from around the globe continue to act by issuing and amending guidelines on the usage of cloud and how to prevent and respond to cyber threats. Without automation, the costs of employing a risk team to stay current on these regulations will grow exponentially.

Implementing an effective, end-to-end cyber risk framework

Keeping your business’s goals in sight at all times, there are a number of core foundational steps to follow when implementing a strong cloud-security plan. It starts with developing a high-level strategic approach to assessing and managing risk that aligns with the needs of your business — there is no one-size-fits-all approach. This includes setting a realistic, practical, and attainable budget and roadmap to deployment. Next, a definition of the control environment must be established that aligns with the institution’s risk appetite and enforces the policy framework. The days of a successful governance, risk, and compliance strategy being a manual, labor-intensive process may soon be behind us. Artificial intelligence and cognitive computing tools have made enormous inroads into the industry — not replacing human intelligence, but augmenting it — while reducing human labor hours and lowering operating costs. Next comes the management and administration of GRC data. Enormous amounts of public and private data are being created every day and presenting organizations with a choice: Should they implement the tools and systems to manipulate and analyze this data to make the most informed decisions possible, or should they continue the same status-quo path of leveraging only their existing data within their figurative four walls for risk mitigation? The last piece of the puzzle is handling external communications, audits, regulatory requirements, and stakeholder requests. Knowledge is power, and the better grasp an organization has on its data, the better it can report on this information to auditors, regulators, and those who need it.

Mitigating risk while satisfying stakeholders

IBM and Promontory are launching a managed-service offering — supported by Promontory expertise and powered by IBM — that will adopt emerging cognitive tools and automation, offer a robust and effective solution that effectively helps mitigate risk, improve efficiency of compliance, and satisfy multiple stakeholders. Targeting financial institutions, the elements of the managed service will include:

  • A common regulatory obligations library curated from regulations and guidance, issued by the major financial services regulators around the world
  • The creation of a standardized technology control framework extended from the framework and established by the Cloud Security Alliance
  • The monitoring of relevant regulators for updates
  • The provision of notifications and tailored, detailed analysis of new regulations to allow rapid response by subscribing firms

This will be delivered as a fully outsourced managed service available to regulated financial institutions on a subscription-based model.

An initial launch is taking place for IT and cloud regulations with support for other regulatory offerings to follow.

IBM and Promontory can provide the personnel, tools, and knowledge to empower financial institutions to move to the cloud with confidence, while overcoming the regulatory challenges they may face, both today and in the future.

Learn more about IBM and Promontory here.

Managing Director, Promontory

Tim Roberts

Vice President and Partner, IBM Security

More IBM RegTech Innovations stories

GRC is front and center at IBM Think 2019

Many financial services organizations are struggling to manage their risk and compliance exposure in the face of ever-increasing challenges. Massive volumes of regulations are being developed across global financial market segments. The risks are varied, the data sources numerous and the relationships between entities are complex. It’s simply too much for traditional processes and infrastructure […]

Continue reading

Reimagining the first line of defense with next-gen GRC

The global financial crisis of 2008 and 2009 brought a renewed focus on the governance, risk and compliance (GRC) processes within the financial institutions, who, not very long ago, viewed GRC as little more than a necessary evil – cost of doing business, which added little value. In today’s rapidly changing business environment, managing responsiveness […]

Continue reading

Agile fraud management takes more than the right models

In recent months, some prominent organizations have begun moving away from their traditional pattern of purchasing colossal, general-purpose infrastructure technology, and have begun looking towards personalized technology options.  This well-publicized trend has also highlighted a wider change in the market, namely, the increasing importance of picking not only the right application, but also the right […]

Continue reading