FCA has published the results of its study of cyber-resilience and security in 20 asset management and wholesale banking firms. Its review comprised firms of varying size, scale, operating models and geography.
The review comes with many caveats, but the key messages include:
- Boards and Management Committees still have limited familiarity with the specific cyber-risks their businesses face, although they are more sensitive to the topic than in the past; most told FCA how challenging it was to fully understand and explain the risks to their businesses. To provide better challenge and oversight, FCA suggests that firms should not rely solely on their IT function to own cybersecurity. Some firms seek to address this by hiring third party advisors. FCA also comments on the importance of management receiving the right MI;
- second line functions tend to have limited technical cyber-expertise, which means limited ability to test and challenge a sophisticated first line. Some firms include the CISO in the first line, saying this often makes it easier and more effective to incorporate security into the design and build of technical controls. Others saw potential conflicts between the CISO and the IT function and so made those responsible for cyber or information security part of the second line. Again, though, a lack of in-house knowledge generally leads firms to rely heavily on third parties, which brings with it its own risks;
- many banks had not really considered how to incorporate cyber and cybersecurity risks into their broader approach to conduct risk. Firms with more mature frameworks had several suggestions for addressing “insider” threats, which they perceived to be among the greatest cyber risks;
- multi-national organisations tended to adopt a centralised security model, and it was not always clear that the local risk profile was aligned to the centralised approach.
FCA’s key messages, for both sectors included in the review, focussed on understanding third parties and on their proper use and supervision. It suggests several questions that board and management committee members should consider asking themselves when considering the risks their firms face.