Finance sector cyber risk more than an IT issue

by Mark Rowe

Although boards and management committees in the wholesale banking and financial asset management sector are more sensitive to cyber risk than before, most continue to have limited familiarity with the specific cyber risks their organisations face, according to the sector’s regulator. It recommends what it calls ‘a security-centric culture which transforms cyber from an IT issue to an organisation-wide priority’.

In late 2017 and early 2018 the Financial Conduct Authority (FCA) carried out a cyber multi-firm review with a sample of 20 firms. It asked board and management committee members to describe their firm’s cyber-related risk profile or risk appetite. Almost all the board members and non-IT senior management described how challenging it was to fully understand and explain the specific risks that their firms face. The FCA suggests firms can do more to help board members and senior managers think about cyber as a ‘global’ key risk theme: one which firms should not see as an isolated responsibility of the IT function, but as part of a firm’s activities and business as a whole.

Firms that rely exclusively on their IT function to own cybersecurity may find this limits the extent to which their IT strategy is independently challenged, the regulator suggests. Having an independent owner for cyber, or an ownership model that is not solely made up of IT staff, can enable challenge and deliver incident management and recovery plans which reflect the impact of cyber more widely than just that on systems and technology, according to the FCA.

Firms in the sample generally lacked board members with strong familiarity or specific technical cyber-expertise. Many said this was because of their size, low risk-profile or the limited availability of that skill-set in the wider independent non-executive director (INED) population. Given the overall responsibilities of board members, and INEDs, which include providing challenge and oversight, this raises an important question. What other steps, such as ongoing training and simulation exercises, do these firms take? Some firms have hired third-party firms or advisors to independently advise them on cybersecurity.

With more activities being outsourced, and with firms establishing more third-party relationships, it becomes even more important to have an effective approach to third-party risk management in place. For more of the findings, visit the FCA website.

Comments

Malcolm Taylor, Director of Cyber Advisory at ITC Secure said: “I think this survey confirms what we in the cyber security industry have known for some time; the cyber threat is widely misunderstood and perhaps underestimated by some. I don’t think this is limited to these sectors, either – it’s every sector and at every level. None of this is a criticism; the cyber threat is a new threat, it is in places deeply complex, and it is presented as almost existentially dangerous.

“I also think the cyber security industry has to take some responsibility for this state of affairs. Cyber security products and services have been sold by some through over-emphasising the fear and the complexity of the issue, but whilst that might work for a one-off sale it doesn’t build the essential, trusted partnerships that we need to more expertly and successfully repel attacks.

“Good cyber security can be understood and, crucially, led by boards in all sectors. It’s about risk management; understand, assess, act, repeat. Boards are good at risk management – it’s at heart what they do. It is a specialist risk, granted; but so is legal, political, physical and more. Outside expertise will, for most of the mid-tier of the economy, be essential. Get good third party help, and manage the risk.”

And Dr Sandra Bell, Head of Resilience Consulting at Sungard Availability Services, says: “Recent events, such as IT meltdowns at banks and cyber-attacks on banks in Russia, show how IT glitches can very rapidly escalate to whole organisational crises. This means that financial services organisations need to reassess how and where they manage their risks. The risk landscape has changed dramatically with threats shifting to the cyber sphere, and financial services have to recognise that cyber risks are not just IT problems and take steps to make sure they are prepared for the operational fallout. This is hard as these are new and rapidly evolving risks, but predictive analytics could allow financial organisations to extract information from current and historical situations and analyse them in a way that allows them to identify trends and calculate the probabilities of future or otherwise unknown events or scenarios.

“At an individual organisational level there is scant historic data for such risks, and the only option organisations often have for dealing with them is recovery after the event. However, by mining and analysing data from many diverse events and overlaying it with real-time operational data, risk managers at the organisational level can start to see trends emerge and understand how their individual organisations could be vulnerable to such events. As techniques such as data mining, predictive modelling and machine learning advance, risk managers will not only have enhanced situational awareness during such events but predictive analytics will allow them to model their responses in real-time and with sufficient granularity to achieve the unachievable – the ability to tailor their response in a way that minimises the negative impacts of unpredictable and uncontrollable events whilst enhancing the positive opportunities that crises inevitably bring.

“When risk management is institutionalised it tends to become very defensive and focused on mitigating the negative impacts that the risky situation presents rather than optimising the situation for the positive impacts. This means that controls tend to be seen as a cost – or an insurance against something bad happening. Therefore, rather than CIOs simply presenting the damage that a breach would have on the IT estate and why they need more money to prevent it happening, they need to work with the business to understand the risk to the end client and collectively use dynamic risk management tools that put the customer first.”

© 2024 Professional Security Magazine. All rights reserved.