In a speech last week at the Cyber Security Summit and Expo 2017, Nausicaa Delfas, Chief Operating Officer at the FCA, called out cyber risk as one of the FCA’s top priorities and noted its close intersection with supplier risk, and third, fourth and fifth party risk.
Boards need to lead the cultural mindset on security
Delfas noted that in addition to having the right technology to protect, detect, recover and respond to cyber risk, that it is important to move people into the right cultural mindset on security - and that this mind-shift starts with the Board. She astutely observed that investors play a part too. The trend here has been encouraging, she noted:
“[the FCA] has been encouraged to see that many firms within the financial sector are now treating cyber security as a business-led risk, with active engagement within the boardroom. We are also seeing the emergence of investment companies beginning to question the cyber security of the companies that they are investing in. This can only be a good thing – focus and pressure from directors and major shareholders can help drive the outcomes necessary”.
She also provided practical examples of five questions a Board should be asking:
- Have we identified and understood the value of our company’s critical information and data assets? What is the small percentage of the information within our business that makes us competitive? Being competitive also includes having regard to the public interest in data security. A breach from one company can easily impact another.
- Do we regularly receive updates showing the threat to our business and critical data assets? In such a fast moving area good intelligence is crucial in being able to prioritise defence efforts.
- Have we agreed a risk appetite for the cyber risks and are we confident that it is reflected in day-to-day decision making? It is important to think about what balances are made. An effective cyber stance, especially for a long established organisation with a legacy, can be expensive to achieve, but not having one could be much more so.
- Have we reviewed our attitudes to ‘sweating’ assets in this new light?
- Do we have the means to detect if a significant cyber breach has occurred, and should the need arise, to mobilise an effective and timely response?
Where risk lies beneath the surface – supplier and third party risk
Delfas called out the role of supply chains and third parties in cyber risk exposure. Pointing to the Target data breach and the NotPetya ransomware as examples of suppliers being under the surface of cybersecurity failings, she reminded the audience that when managing supplier and third party risk, it is not sufficient merely to consider IT suppliers – but all suppliers, from air conditioning, to delivery, to advertising, to lawyers, etc.
While this can seem overwhelming, she shared innovations that the FCA are seeing in the market in an effort to manage their supplier cyber security risk. These included:
This was seen as a double edged sword: it seems practical on the surface, but can add considerable burden operationally and for suppliers who are inundated with audit requests. “We end up with a world where everyone is auditing everyone else: is this really sustainable, and cost effective?”
Delfas observed that the FCA are seeing “services emerge where intermediaries perform assessments to a commonly accepted standard within the financial sector – standardising third party risk management processes, focussing on vendor due diligence and ongoing monitoring. Instead of individually auditing each of their suppliers an intermediary standardises these audits and provides firms with information about their suppliers, on an ongoing basis.”
Delfas also called out that they’d seen the rise of tools that automatically evaluate and measure the cyber security indicators of companies on the internet. These use publically available indicators to calculate an aggregated security score. This gives firms a sense of their suppliers’ security performance – and whether they pose a higher data breach risk, for example. This gives the means to prioritise suppliers and determine appropriate follow up and remediation associated with the level of risk. She noted that the regulator was also looking at using these tools in their own work.
Finally, Delfa noted that by applying small ‘nudges’ frequently to suppliers, such as ensuring cybersecurity is brought up regularly in conversation with them, helps set the tone that attention to cyber security is important and constant.
Some takeaways to consider
It’s obvious that cyber security, resilience and supplier/third party risk management are high on the regulator’s agenda. Here are a few takeaways from Delfa’s speech:
- Make sure your board is engaged and understands cyber risk, but supplier/third party risk too. They should have a risk register that notes cyber risk exposure, not just for the enterprise, but for the extended enterprise as well. This is something that regulators such as the FCA, OCC etc. are increasingly expecting as part of cyber resiliency and third party risk management. This is going to become even more important with GDPR – as breaches involving PII come with far reaching consequences; financial, reputational and otherwise.
- There needs to be greater efficiency in how institutes approach assessments. Standardisation of assessment tools, such as Shared Assessments is one approach. There’s also intermediaries that can provide efficiencies of scale – both for the buy side and the supplier side. Hellios is an example of a successful community in this space. Hellios standardise and manage requests for compliance and assurance data for major financial services organisations that have adopted the standard qualification system. It’s a cross-sector collaboration across both the banks and their suppliers which reduces the time, cost, resource and duplication currently needed to provide information to financial institutions.
- The regulators themselves are likely going to be using cyber security ratings data; data that you should be considering in your own third party risk management program. They could be assessing your security scores; they could be assessing your critical third parties’ security scores. Your regulators will have this insight. So should you. And you can be smart with these. For instance, Aravo has an integration with SecurityScorecard, that provides a sought after ability to triangulate data, allowing companies to compare third party self-assessment data with SecurityScorecard’s ratings to determine whether greater due diligence, such as virtual or onsite audits, are warranted.
- The nudge theory can be well-supported through score cards. Score cards can be a very effective collaborative tool, that help raise the bar of supplier performance and mitigate risk. In a cyber risk scenario, you could share your suppliers’ security posture and performance results and incorporate information from vendors such as SecurityScorecard to help raise the collective bar.