P2.T10.21.3. Cyber risk (according to BIS) in the financial sector

Nicole Seaman

Director of CFA & FRM Operations
Staff member
Subscriber
Learning objectives: Define cyber risk and describe the elements that constitute it. Describe and compare causes of cyber risks and methods of enacting cyber-attacks. Identify and explain the effect COVID-19 has had on the level of cyber threat. Assess how the financial sector in particular has been threatened by cyber risk during the pandemic. Identify changes in cyber risk landscape and ways to mitigate risks to financial stability.

Questions:

21.3.1. Ben is developing a typology of risks and their interactions for his employer, a financial services firm. He is aware that cyber risk is an important and ascendant type of operational risk. His first draft itemizes the following four causes of cyber attacks or cyber vulnerabilities:
  • Man-in-the-middle (MITM) attacks interfere with (i.e., circumvent) the mutual authentication between two parties
  • Phishing attacks steal the victim's credentials (or other sensitive data) by fraudulent means such as a deceptive email
  • Zero-day vulnerabilities are sensitive machine-to-machine transactions that can be exploited as the remaining contractual term to maturity approaches zero days.
  • Distributed denial-of-service (DDoS) attacks flood targeted computing resources (e.g., servers) with traffic or requests in an attempt to overload or disrupt systems
Three of Ben's definitions are correct. However, one of his definitions is incorrect. Which definition is incorrect?

a. Man-in-the-middle (MITM)
b. Phishing attacks
c. Zero-day vulnerabilities
d. Distributed denial-of-service (DDoS) attacks


21.3.2. Before the pandemic, financial institutions already grappled with an array of cyber risks. As the Bank for International Settlements (BIS) points out, the pandemic, in general, increased the exposures to--and multiplied the threats implied by--cyber risk. According to BIS, which of the following was a major contributor to greater cyber risk exposure associated with the pandemic?

a. Higher prevalence of work-from-home (WFH) arrangements
b. Lack of qualified cybersecurity vendors due to regulatory impediments
c. Climate patterns in particular the re-emergence of regional SolarWinds
d. Migration of parts of IT operations from public cloud to on-premise environments


21.3.3. In regard to cyber risk, each of the following is true EXCEPT which is false?

a. Cyber incidents are intentional; i.e., by definition, cyber incidents do not include accidents
b. Simulations of cyber attacks (and war games) can help identify vulnerabilities and enhance preparedness
c. As a result of the pandemic, more companies have increased their cloud usage and/or plan a more strategic use of cloud
d. Bad actors include outright criminal and terrorist organizations, industrial spies, hacktivists, or state and state-sponsored players

Answers here:
 
Top