A Compliance View of Cyber Risk and Cyber Resilience
Key points arising from the Protiviti breakfast seminar
Cyber risk and resilience is a key regulatory priority for the Bank of England, the Prudential Regulation Authority and the Financial Conduct Authority (“FCA”), which has included cyber resilience in its 2017/18 business plan as a cross-sector priority.
Fifty-five individuals from xx financial institutions, covering a wide range of segments (consumer credit, investment banking, wealth and investment management, payments and market infrastructure, retail and commercial banking, and insurance providers and brokers), attended a seminar in London on 21 September 2017 hosted by Protiviti’s Regulatory and Technology Consulting practices. Simon Onyons, Principal Cyber Specialist at the FCA, provided an overview of the FCA’s approach to cyber resilience and its expectations of firms’ cyber risk strategy.
All of the speakers and panellists emphasised how digital technology affects all aspects of life and that cyber risk has become one of today’s key challenges in business. Equally, there are opportunities to make processes more efficient, with greater speed and accuracy.
Key themes emerging from the seminar
During the presentations and the question and answer sessions that followed, a number of themes emerged. They include the following:
The existence, identification and assessment of cyber risk
Cyber resilience is the ability of an organisation to resist, respond to and recover from incidents that impact the information it requires to do business.
- This definition of cyber resilience accepts that cyber risks will, and do, crystallise within any organisation.
- Research from countries such as the US, where breach reporting has been mandatory for several years, shows that customers are generally forgiving of organisations that respond well to incidents. If a good response addresses the risk of customer fallout, normal business continuity (BCP) impact analysis should cover the losses related to outage time.
- There is a need for a top-down, business-focused (or business-relevant) assessment covering identification, protection, detection and recovery processes, with strong governance and senior management leadership. Currently much risk assessment is bottom-up and too focused on technology.
- Proportionate use of frameworks such as the CBEST Vulnerability Testing Framework, the NIST Cybersecurity Framework and the CPMI-IOSCO “Guidance on cyber resilience for financial market infrastructures”, applied with appropriate top-down business context in order to target the risks that matter most to the organisation.
- The FCA’s cyber questionnaire programme provides high-level, tailored feedback covering capability in, and performance of, critical controls such as cyber resilience strategy, roles and accountabilities, delivery framework, critical business functions, network baselining, access management, information sharing, information protection, staff training, vulnerability assessment, contingency planning and exercising.
Need for greater collaboration
- Between firms, for example in clusters or segment groupings within financial services, in order to share good practice and intelligence and to identify emerging patterns in cyber-attacks.
- Within firms, so that control functions and information security specialists have a common understanding of risks and challenges (see the comments below on the three lines of defence).
- With regulators, so that material cyber events can be tracked and patterns identified at a national and international level.
- Encouragement to participate in quarterly cyber coordination groups that bring together firms, regulators and other agencies such as law enforcement to share, consider and assess incidents, the threat landscape, risks, best practice and sector initiatives. These groups report to the Cross Market Operational Resilience Group (“CMORG”) at the Bank of England, which disseminates information to sectors as appropriate.
- Use of a combination of peer group collaboration, threat intelligence providers and internal “insider threat” monitoring of behaviour (often referred to as situational awareness) in order to identify what the next attack might be, when it might occur and how to respond to it, if not prevent it.
Recognition that cyber risk should be viewed as a business issue
- Cyber events affect customers and the organisation as a whole.
- Consider overlaps between cyber risk and other regulatory requirements such as conduct risk and market abuse (for example, inappropriate access to privileged information).
- A firm’s culture towards cyber risk requires a consistent message, reinforced at all levels.
- The importance of ‘security by design’, particularly in the development of new technologies and of products that rely on them, and also in change management, so that cyber risks are not addressed retrospectively, often with sub-optimal results.
- Effective cyber risk reporting needs to be aligned to business objectives and outcomes in order to be relevant to senior management: for instance, how customers and business operations are affected when a cyber risk crystallises (numbers affected and duration, number of complaints about lack of access), or the number of customers yet to agree to two-factor authentication and the steps being taken to address this.
- The importance of real-time monitoring and assessment, and of immediate action to address identified issues, rather than relying on annual risk assessment processes.
- The Chief Operating Officer should take executive responsibility for cyber risk.
Effectiveness of three lines of defence and the role of Compliance in particular
- Second line functions such as Compliance and Risk should be involved in cyber steering groups and in product and solution development where there is heavy reliance on digital technology and/or use of sensitive data (whether customer data or market-related).
- Second line functions rely too heavily on the subject matter expertise of the first line of defence; they should have their own skills, knowledge and experience of cyber risk and cyber resilience.
- Second line functions should educate, inform and challenge with open questions in order to obtain non-technical explanations and descriptions.
- There is a need for better information sharing and exchange between all three lines of defence.
How can Protiviti help
We are working with clients to confidently face the future and to address these themes. We typically do so using multi-disciplinary teams that bring together our specialists with relevant technology and information security, risk and compliance, process re-engineering and internal audit experience and insight.
- Tom Lemon
Cyber Security Practice Lead for Protiviti UK
- Bernadine Reese
Risk and Compliance Practice Lead for Protiviti UK