On 10 December 2018, the FCA published the key findings from its cyber multi-firm review of a sample of 20 firms operating in the asset management and wholesale banking sectors. The review involved meetings with board members, management committees and executives from the firms’ first and second lines of defence.
Key findings include:
- whilst boards and management committees were more sensitive to the topic of cyber security than in the past, most continue to have limited familiarity with the specific cyber risks their organisations face;
- firms can do more to help board members and senior managers think about cyber as a ‘global’ key risk theme. That is, one which firms should not see as an isolated responsibility of the IT function, but as part of a firm’s activities and business as a whole;
- firms that rely exclusively on their IT function to own cybersecurity may find this limits the extent to which their IT strategy is independently challenged;
- a solution to the management information (MI) issue on cyber is not simply providing a large quantity of detailed key performance indicators and key risk indicators. Too much detail, or detail without context, can be counterproductive because it impairs boards’ ability to identify meaningful trends, particularly for members who are not familiar with the area. Several asset management firms had experimented with different formats of MI on operational resilience issues, including cyber, to refine the quality and effectiveness of the papers they gave to their board;
- as an overall observation, the second line of defence – the risk and compliance functions – has limited cyber-expertise. Without adequate expertise, second line functions may have limited ability to independently test and challenge a strong, technically-sophisticated first line. Firms that chose to include their chief information security officer function in the first line alongside, or as part of, the IT function appeared to show a significant difference in the level of knowledge between the first and second line;
- the lack of in-house cyber knowledge results in a high level of reliance, potentially over-reliance, on third-party advisors to supplement the firm’s cyber capabilities. External expertise may be helpful but may also, if overly relied on, undermine the effectiveness of the ‘3 lines of defence’ model in identifying and managing cyber risks in a timely way. In some cases, it was also unclear whether firms would be able to rely on timely access to these third-party resources if there was a serious problem;
- many firms did not actively consider how far they should or could incorporate cyber and cybersecurity risks into their broader approach to conduct risk. More specifically, there was limited evidence of firms proactively trying to ‘connect the dots’ between cyber and other conduct issues which may occur through cyber channels, such as market abuse and financial crime. The FCA saw little evidence that firms had considered what role, if any, information security functions could play in terms of these firms’ broader conduct risk agendas; and
- many wholesale banks with overseas headquarters adopted a centralised security model. Key cyber-controls and policies were developed, owned and administered at the group, rather than at a local level. There was similar reliance on group-level arrangements in asset management firms that were part of larger groups. Where firms had centralised models, it was not always clear that local boards and management committees had considered whether there was effective dialogue with the central / group function so that: (i) even if the centralised approach and local risk profile were not aligned, they were at least compatible; and (ii) gaps were addressed between the centrally defined arrangements and the risks from the business services carried out locally.
At the end of the web page the FCA sets out certain questions that board and management committee members may want to ask themselves:
- How can I assure myself that I have sufficient grasp and understanding of the cyber risks (including those from the use of third parties) that my firm faces and the impact tolerances of our business services so that I can provide effective challenge to the business on an ongoing basis?
- What can we, as a Board or Management Committee, do to make sure the firm’s second line of defence is able to provide effective challenge to the first line on cyber-related matters?
- Which aspects of our approach to conduct risk management could we apply to the way we manage our cyber risk? Does this offer value?
- How confident are we that our incident management plans would be effective in dealing with the aftermath of a cyber incident?
- How can we best assure ourselves that we have appropriate future goals and timeframes for cyber risk?