Risk-aligned cybersecurity makes a bank more resilient
Understanding where its most critical information assets were at risk allowed a North American bank to improve its resilience to hostile attacks.
A large North American bank suffered a major distributed-denial-of-service (DDoS) attack that shut down its online system for hours and left thousands of customers without access to their accounts and unable to process transactions, pay bills, or access other digital services.
As the blackout spread, management found itself scrambling to determine if the attack was limited to the DDoS event or if other data and systems were compromised. Without any predefined understanding of who should lead the cybersecurity response, senior executives from IT, corporate security, and risk management rushed in with their teams to identify who in the bank knew which information assets were most at risk, where that data were stored, what systems were involved, and whether customer data had been exposed. Bank staff were bogged down fielding multiple requests for the same information. The confusion led to inconsistent responses from different groups and delays in updating customers and other stakeholders.
Although IT restored service later that day, management knew that hackers often used such events to test the strength of a bank’s defenses, and they felt in the dark about the kinds of vulnerabilities the attack might have revealed. To protect sensitive information, the bank enlisted McKinsey’s help to develop a more coordinated approach.
The McKinsey team began by taking stock of the bank’s most critical exposures, using interviews and diagnostic assessments to identify high-value information assets and then charting all the systems, applications, and people that could access or touch that data.
When testing existing procedures, the team discovered a mismatch in the bank’s security protocols. Some routine tasks that concerned relatively low-value data had so many security layers that it was taking relationship managers an excessive amount of time to assist customers with basic transactions. By contrast, several critical systems were connected to mobile applications and databases that had inadequate security measures.
Using interviews, benchmarking data, and specialized software-enabled modeling tools, we worked with the bank to pinpoint critical risks, gauge the strength of current cybersecurity capabilities, and identify where the most significant gaps were with respect to protecting sensitive data assets. That process revealed a number of critical information assets and enterprise systems that required additional protection.
To help the bank prioritize, we sat with senior bank officials and business-unit leaders to discuss the bank’s risk posture and clarify its cybersecurity vision in light of its overall market strategy and needs. With stakeholders aligned, we helped the bank create a cyberresilience plan that was designed to support the institution’s growth strategy by mitigating a core set of digital risks and vulnerabilities.
To put the plan through its paces, we also conducted a war-game simulation to stress-test the bank’s communication links, business decision making, and technical blind spots during a cyberattack. The simulation flagged a handful of areas where clarifying accountability and the right sequence of actions could sharply improve performance and responsiveness.
Over the course of 12 weeks, the bank succeeded in identifying approximately 30 information assets and 20 critical systems that were vulnerable to overt attacks, such as further denial-of-service events, as well as to a range of increasingly sophisticated back-door intrusions. By aligning on a clear cybersecurity vision and committing to an accelerated implementation plan, senior management improved its responsiveness and safeguarded the bank's most valuable assets.