Arvest Bank

Arvest was managing cyber risk using cyber control frameworks and multiple security assessment products to keep the bank – and its customers – safe. While the control based assessments highlighted security gaps, they stopped short of illustrating the impact those gaps could have on the business and did not provide management with a clear understanding of their security posture. Specifically, Arvest’s senior management wanted to better understand the overall effectiveness of their cyber risk management program, as well as which controls and technologies would be most effective against their most financially impactful risk scenarios. This required cyber risk quantification, so they could mature their risk management program from one that primarily relied on a controls-based approach to one that translated their cyber risk into financial context.

Although Arvest leadership had considerable technical information, they wanted to translate this into a financial context, so they could better align their cyber risk strategy with the bank’s overall business goals. Arvest’s security team also recognized that translating cyber risk into financial language would help build better business cases for program improvements while enabling non-technical executives and board directors to better understand the risk exposure.

Arvest Bank worked with VisibleRisk to mature its cyber risk management program by adding cyber risk quantification (CRQ) to their control-based approach. Using an automated and validated methodology, the VisibleRisk CRQ platform collected and analyzed data on behalf of Arvest from a variety of sources, including internal network and signal data collected by APIs, attack surface and threat intelligence data, business profile and loss data, as well as information gleaned during management discussions. VisibleRisk’s platform fed this unbiased data set into their CRQ risk model, enabling Arvest to measure the frequency and impact of cyber events in the context of its governance, fortitude and outside in signals. This approach illustrated the economic impact of cyber risk by assigning financial exposure figures to identified risk scenarios while also providing peer benchmarks for context and comparison.

Arvest was then able to catalog, prioritize and implement the most effective controls for reducing the economic impact of specific risk scenarios. Arvest was also able to communicate more effectively about cyber risk by aligning it to business goals and risk appetite.

Arvest’s security team saw an opportunity to evolve their cyber risk management program by aligning it to financial impact so they could better engage senior executives in the organizations cyber risk management efforts. By leveraging VisibleRisk’s innovative CRQ platform, Arvest Bank was able manage material cyber losses to an appropriate level relative to their enterprise risk appetite. Furthermore, Arvest’s security team was better able to communicate the economic impact of their cyber risk strategy in clear financial terms to key executives and their board of directors, enabling them to secure more resources for their program while improving enterprise-wide cybersecurity decision making processes.