The Financial Conduct Authority (FCA) published the key findings from its cyber multi-firm review of a sample of 20 firms operating in the asset management and wholesale banking sectors.
This review was a further stage of discovery work which followed on from the FCA’s Technology and Cyber Resilience Questionnaire exercise in these sectors. Its aim was to help assess how wholesale banking and asset management firms oversee and manage their cybersecurity, how far they identify and mitigate relevant risks and their current capability to respond to and recover from incidents and successful attacks. The review involved meetings with Board members, Management Committees and executives from the firms’ first and second lines of defence.
The key findings of the FCA’s review are:
- whilst boards and management committees were more sensitive to the topic of cyber security than in the past, most continue to have limited familiarity with the specific cyber risks their organisations face;
- firms can do more to help board members and senior managers think about cyber as a ‘global’ key risk theme. That is, one which firms should not see as an isolated responsibility of the IT function, but as part of a firm’s activities and business as a whole;
- firms that rely exclusively on their IT function to own cybersecurity may find this limits the extent to which their IT strategy is independently challenged;
- a solution to the management information issue on cyber is not simply providing a large quantity of detailed key performance indicators and key risk indicators. Too much detail, or detail without context, can be counterproductive because it affects boards’ ability to identify meaningful trends, particularly for those who are not familiar with the area. Several asset management firms had experimented with different formats of MI on operational resilience issues, including cyber, to refine the quality and effectiveness of the papers they gave to their board;
- as an overall observation, the second line of defence – the risk and compliance functions – has limited cyber-expertise. Without adequate expertise, second line functions may have limited ability to independently test and challenge a strong, technically-sophisticated first line. Firms that chose to include their chief information security officer function in the first line alongside, or as part of, the IT function appeared to show a significant difference in the level of knowledge between the first and second line;
- the lack of in-house cyber knowledge results in a high level of reliance, potentially over-reliance, on third-party advisors to supplement the firm’s cyber capabilities. External expertise may be helpful but may also, if overly relied on, undermine the effectiveness of the ‘3 lines of defence’ model in identifying and managing cyber risks in a timely way. In some cases, it was also unclear whether firms would be able to rely on timely access to these third-party resources if there was a serious problem;
- many firms did not actively consider how far they should or could incorporate cyber and cybersecurity risks into their broader approach to conduct risk. More specifically, there was limited evidence of firms proactively trying to ‘connect the dots’ between cyber and other conduct issues which may occur through cyber channels, such as market abuse and financial crime. The FCA saw little evidence that firms had considered what role, if any, information security functions could play in terms of these firms’ broader conduct risk agendas; and
- many wholesale banks with overseas headquarters adopted a centralised security model. Key cyber controls and policies were developed, owned and administered at the group, rather than at a local, level. There was similar reliance on group-level arrangements in asset management firms that were part of larger groups. Where firms had centralised models, it was not always clear that local boards and management committees had considered whether there was effective dialogue with the central / group function so that: (i) even if the centralised approach and local risk profile were not aligned, they were at least compatible; and (ii) gaps were addressed between the centrally defined arrangements and the risks from the business services carried out locally.
The FCA’s main observations from its findings are:
- Many firms need to do more to ensure that Board and Management Committee cybersecurity decisions are based on careful consideration of the cyber risks arising from the nature, scale and complexity of the firm’s activities and risk profile. Where a firm relies on group-level or other centralised arrangements, Management Committees and Boards should carefully assess whether these are fully aligned with the firm’s specific risks and ensure they address any identified gaps.
- Firms should take proactive steps to foster a security-centric culture which transforms cyber from an IT issue to an organisation-wide priority.
- In some cases, all 3 lines of defence were clear about their role and responsibilities for managing cyber risks and the second and third lines possessed a suitable level of knowledge, skill and expertise. In these firms, the second and third lines were able to appropriately challenge the first line and ensure they were sufficiently aware of current and emerging cyber risks.
- One effective approach the FCA saw in third-party vendor risk management involved the firm identifying and engaging with the relevant stakeholders across the business for each supplier. The firm then carried out in-depth reviews of key third-party service providers’ controls as part of broader cyber-risk assessment frameworks. This model, which differs from a purely centralised vendor management function, appeared to offer a range of oversight and resilience benefits.
- Incident management plans did not always appear to reflect the likely impacts of a successful cyber-attack in a variety of ways. These included the impact on customers, on other market participants, and on markets more generally, not simply the implications for the firm’s systems and technology.
Cybersecurity and managing cyber risk is inherently complex due to the dynamic, ever-changing nature of the threat. When considering the risks faced by their firms, Board members may wish to ask themselves the following questions:
- How can I assure myself that I have sufficient grasp and understanding of the cyber risks (including those from the use of third parties) that my firm faces and the impact tolerances of our business services so that I can provide effective challenge to the business on an ongoing basis?
- What can we, as a Board or Management Committee, do to make sure the firm’s second line of defence is able to provide effective challenge to the first line on cyber-related matters?
- Which aspects of our approach to conduct risk management could we apply to the way we manage our cyber risk? Does this offer value?
- How confident are we that our incident management plans would be effective in dealing with the aftermath of a cyber incident?
- How can we best assure ourselves that we have appropriate future goals and timeframes for cyber risk?
While this report is based on observations from a small sample of firms, the review findings are relevant to all firms in the asset management and wholesale banking sectors. The FCA encourages all these firms to consider the findings and how they apply to their own organisations.
Please Note: This publication is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to. Readers should take legal advice before applying the information contained in this publication to specific issues or transactions.