Cyber risk should be a global key risk for banks – not just an IT issue – warns UK’s Financial Conduct Authority
Firms in the asset management and wholesale banking sectors acknowledge the importance of strong cybersecurity but often lack sufficient technical understanding of the risks at management and other levels. The FCA recommends that firms take “proactive steps to foster a security-centric culture which transforms cyber from an IT issue to an organisation-wide priority”.
Background of increasing cyber risk and need for greater operational resilience
“on the basis of data that the FCA is currently collecting we see no immediate end in sight to the escalation on tech and cyber incidents that are affecting UK financial services.”
Megan Butler, FCA Executive Director of Supervision – Investment, Wholesale and Specialists
Referring to the broader need for greater operational resilience, she went on to comment that “zero-failure” was not the aim but that “the true test of reliance of UK finance is not the absence of incidents. It’s how well the incidents are managed”.
Review of asset management and wholesale banking sectors
Last week the FCA published the findings of its review, which assessed how wholesale banking and asset management firms oversee and manage their cybersecurity, how far they identify and mitigate the relevant risks, and their current capability to respond to and recover from incidents and successful attacks.
Three lines of defence
- First line: IT function
- Second line: risk and compliance
- Third line: board and management committee
At the second level, some firms found benefit in reassigning cyber and information security as a second-line function responsible for overseeing the first-line IT function, with a focus on the confidentiality, integrity and availability of the firm’s data. Specifically, the FCA found that firms with an independent owner for cyber – or at least a separation of function between cyber and IT – were able to provide independent challenge of cybersecurity policy and to deliver incident management and recovery plans that consider the impact of cyber more widely than just on systems and technology.
The FCA recommends that there should also be enough technical understanding of risk and technology at management level to enable good decision taking. Many firms need to do more to ensure that board and management committee cybersecurity decisions are based on careful consideration of the cyber risks arising from the nature, scale and complexity of the firm's activities and risk profile.
Suggestions for how firms can support management and strengthen their capabilities in this role include:
- ensuring that the board is presented with clear, concise and digestible management information on cyber risks
- appointing board members with strong familiarity or specific technical cyber expertise
- for smaller firms, hiring third-party firms or advisors to independently advise them on cybersecurity, helping the board up-skill without hiring a dedicated board member.
Firms should, however, also focus on developing their own in-house cyber capability and avoid over-reliance on third-party services.
Third party vendor risk management
Many firms have centralised security models, where cyber-controls and policies are developed, owned and administered at a central, rather than local, level. This can sometimes mean ineffective dialogue between the central and local functions, which can result in misaligned risk profiles and/or gaps between risk arrangements.
One effective approach the FCA saw in third-party vendor risk management involved the firm identifying and engaging with the relevant stakeholders across the business for each supplier. The firm then carried out in-depth reviews of key third-party service providers' controls as part of broader cyber-risk assessment frameworks.
This model, which differs from a purely centralised vendor management function, appeared to offer a range of oversight and resilience benefits.
Impact of cyber-attacks outside of the organisation
Incident management plans should reflect the likely impacts of a successful cyber-attack in a variety of ways. These include the impact on customers, on other market participants, and on markets more generally, not simply the implications for the firm's systems and technology.
Connection between cyber risk and conduct risk
Specific to wholesale banking the FCA suggests that firms should proactively incorporate cyber risk into their broader approach to “conduct risk”. Conduct and cyber risk share many similarities in that they:
- may occur in any part of the organisation, not just client facing or revenue generating
- can occur and/or be exacerbated or mitigated by staff’s actions and behaviour
- are difficult to identify and quantify because of the various different forms in which issues and related impact may occur
- cannot be addressed by applying technical contracts alone, and instead rely on integration with the business.
The FCA emphasised the importance of embedding a “security culture” through all aspects of business services including through providing training and engaging with high-risk personnel.
Questions to ask in managing cyber risk
Cybersecurity and the management of cyber risk are inherently complex because of the dynamic, ever-changing nature of the threat. To help boards consider the risks their firms face, the FCA has suggested that board members ask themselves the following questions:
1. How can I assure myself that I have sufficient grasp and understanding of the cyber risks (including those from the use of third parties) that my firm faces and the impact tolerances of our business services so that I can provide effective challenge to the business on an ongoing basis?
2. What can we, as a board or management committee, do to make sure the firm's second line of defence is able to provide effective challenge to the first line on cyber-related matters?
3. Which aspects of our approach to conduct risk management could we apply to the way we manage our cyber risk? Does this offer value?
4. How confident are we that our incident management plans would be effective in dealing with the aftermath of a cyber incident?
5. How can we best assure ourselves that we have appropriate future goals and timeframes for cyber risk?
What happens next?
The FCA have emphasised that awareness of cyber risk is best in firms that have adopted:
- a cyber-specific strategy
- a proportionate, and specific, cyber risk framework
- incident report plans that consider non-technical impacts such as reputation, clients and the wider markets.