Malcolm Taylor, Director of Cyber Advisory at ITC Secure

The main aim of the new FCA review was to assess how wholesale banking and asset management firms oversee and manage their cybersecurity, how far they identify and mitigate relevant risks and their current capability to respond to and recover from incidents and successful attacks. All the firms acknowledged the importance of strong cybersecurity.

But there were different degrees of understanding of the many potential ways that weak cybersecurity can badly affect business activities and lead to harm to clients and the wider markets. This was particularly the case at the Board or Management Committee levels.

Awareness is lower in firms that do not have a cyber-specific strategy and a proportionate cyber risk framework, where cyber is not part of their broader risk management framework, and where their incident response plans take little account of non-technical consequences such as the impact on their reputation, on clients and on markets more broadly.

Main observations:

  • Many firms need to do more to ensure that Board and Management Committee cybersecurity decisions are based on careful consideration of the cyber risks arising from the nature, scale and complexity of the firm’s activities and risk profile. Where a firm relies on group-level or other centralised arrangements, Management Committees and Boards should carefully assess whether these are fully aligned with the firm’s specific risks and ensure they address any identified gaps.
  • Firms should take proactive steps to foster a security-centric culture which transforms cyber from an IT issue to an organisation-wide priority.
  • In some cases, all three lines of defence were clear about their roles and responsibilities for managing cyber risks, and the second and third lines possessed a suitable level of knowledge, skill and expertise. In these firms, the second and third lines were able to appropriately challenge the first line and ensure it was sufficiently aware of current and emerging cyber risks.
  • One effective approach the FCA saw in third-party vendor risk management involved the firm identifying and engaging with the relevant stakeholders across the business for each supplier. The firm then carried out in-depth reviews of key third-party service providers’ controls as part of broader cyber-risk assessment frameworks. This model, which differs from a purely centralised vendor management function, appeared to offer a range of oversight and resilience benefits.
  • Incident management plans did not always appear to reflect the likely impacts of a successful cyber-attack in a variety of ways. These included the impact on customers, on other market participants, and on markets more generally, not simply the implications for the firm’s systems and technology.

Following the publication of the FCA’s warnings, Malcolm Taylor, Director of Cyber Advisory at ITC Secure, gave IBS Intelligence the following comments: “I think this survey confirms what we in the cybersecurity industry have known for some time; the cyber threat is widely misunderstood and perhaps underestimated by some. I don’t think this is limited to these sectors, either – it’s every sector and at every level. None of this is a criticism; the cyber threat is a new threat, it is in places deeply complex, and it is presented as almost existentially dangerous.

“I also think the cybersecurity industry has to take some responsibility for this state of affairs. Cybersecurity products and services have been sold by some through overemphasising the fear and the complexity of the issue, but whilst that might work for a one-off sale it doesn’t build the essential, trusted partnerships that we need to more expertly and successfully repel attacks.

“Good cybersecurity can be understood and, crucially, led by boards in all sectors. It’s about risk management; understand, assess, act, repeat. Boards are good at risk management – it’s at heart what they do. It is a specialist risk, granted; but so is legal, political, physical and more. Outside expertise will, for most of the mid-tier of the economy, be essential. Get good third party help, and manage the risk.”

by Bill Boyle
IBS Intelligence Senior Editor