The WannaCry cyber attack this month did not hit financial services (FS) firms as directly as it did some other industries, but its sheer scale across more than 150 countries and the level of disruption caused by the ransomware it deployed will force all businesses to re-examine their preparation for a major cyber event. In financial services, an industry characterised by the highest levels of interconnectivity, enhancing cyber resilience has been an urgently growing priority for firms and their boards. 

Financial regulators are playing a large part in pushing this forward, with 2016 and 2017 seeing a flurry of new rules and heightened expectations for how FS firms manage their cyber resilience. Importantly, however, regulators and supervisors are also starting to take a closer look at how effectively FS boards engage on cyber risk issues and how non-executive directors (NEDs) access the necessary expertise to be able to provide oversight and challenge of management on this topic.  

From a board perspective, growing cyber threats and increased supervisory scrutiny of firms’ resilience raise at least three questions that need to be answered:

  1. What kind of expertise do NEDs need in cyber security?
  2. How should cyber resilience be governed within firms?
  3. What kind of Management Information (MI) on cyber should a board receive?

Cyber as a growing source of regulatory risk for FS boards 

The importance of cyber threats as a growing source of risk for FS firms is not in doubt. Deloitte’s 2017 Cyber Reporting Survey found that 89% of FS firms in the FTSE 100 identified cyber threats as a principal risk in their annual reports, and 76% indicated that they expected this risk to increase in the coming year. 

The challenge is that there is much less consensus in the financial sector around what the appropriate governance response to cyber risk is. For instance, the same Deloitte survey found that only a very small share of FS firms in the FTSE 100 publicly disclosed having a director on their board with experience relevant to cyber security or conducting board-level training on cyber issues.

Supervisors, however, are taking a larger interest in verifying that firms have effective internal governance structures suited to dealing with cyber risk. The European Banking Authority’s (EBA) Guidelines on the supervisory assessment of Information and Communications Technology (ICT) risk in banks, published this month, emphasise the importance of a strong oversight framework in the assessment of a bank’s susceptibility to cyber risks. Similarly, the Advance Notice of Proposed Rulemaking (ANPR) on cyber risk issued by the U.S. federal regulatory agencies in 2016 stresses the active role that NEDs must play in setting a firm’s cyber risk appetite and in ensuring that the implementation of cyber resilience initiatives is in line with their policies.

An important shift here has been the gradual evolution of supervisory concerns from being primarily focused on the consumer protection and privacy risks of cyber threats to becoming increasingly concerned with their potential systemic implications. What WannaCry demonstrated was that a global cyber attack can cause long-lasting disruptions in organisations as well-established and diverse as telecoms companies, railway operators, major hospitals and the Russian interior ministry. We think it’s a safe assumption that the appetite of regulators to see similar standstills in cashpoints, exchanges, payments infrastructures and clearing houses is next to nil.

How FS boards can respond to supervisory expectations on cyber risk

Boards are well placed to get ahead of this trend and not be caught on the back foot by rising supervisory expectations. When thinking about how boards engage with their firms’ cyber resilience activities, a good place to start is with the three questions introduced at the start of this blog:

  • Specialist cyber expertise on the board: It’s clear enough that board members shouldn’t abdicate responsibility for cyber issues to just one of their members. Given the active role they need to play collectively in setting a firm’s cyber risk appetite and cyber resilience strategy, all NEDs should be able to show that they have taken steps to build a stronger understanding of cyber risks and have developed a practised response to cyber breaches for when they occur. This can include holding regular briefings and scenario-based exercises with the whole board or at the level of the responsible committee. Beyond this, however, boards still need to consider how they access deeper expertise in cyber in order to demonstrate to their supervisors that they can understand and effectively challenge management in often technical and jargon-heavy briefings on cyber issues. Firms have taken different approaches here, but having an independent cyber or IT expert either on or advising the board could increasingly become part of the solution, as could having a member with a background in signals intelligence. A more detailed discussion of these issues by Stephen Bonner, a Partner in Deloitte’s Cyber Risk Practice, can be found here.
  • Internal governance of cyber risks: Boards need to see that effective governance structures and procedures are put in place across their firms for handling, escalating and reporting cyber-related information to them. This includes clarifying the roles and interaction of the Chief Information Officer (CIO), the Chief Operating Officer (COO) and the Chief Risk Officer (CRO), and demonstrating that cyber resilience is not organisationally siloed as an IT concern. In the UK, we expect the creation of a “Chief Operations” function under the Senior Managers Regime, responsible for the resilience and continuity of internal technology, to drive the clarification of cyber resilience governance within firms there. We also expect the UK Financial Conduct Authority’s efforts to assess how effectively firms instil a “security culture” to shine a light on areas where insufficient effort by boards to set a “tone from the top” on cyber security and resilience practices may create vulnerabilities. Similar levels of supervisory pressure should also evolve quickly in other key financial jurisdictions.
  • MI on cyber readiness: Boards need to ensure that the MI they receive paints a comprehensive picture of a firm’s cyber readiness. As discussed in our Regulating Cyber Resilience blog last year, we see three areas that board MI needs to cover. The first is cyber risk identification: how comprehensively a firm has mapped its cyber risk exposure, including risks arising from third parties, and whether it can identify critical systems and explain the interdependencies between them in a cyber event. In this respect, applying a cyber risk lens to M&A decisions should increasingly become part of a board’s basic considerations going forward. The second has to do with cyber risk governance, as discussed above, and particularly with MI on how effectively the first and second lines of defence communicate with each other and escalate potential cyber threats. This could include data on the frequency and speed of escalation of breach reporting, compared to industry or business-line averages. The third is MI on a firm’s resilience in responding to breaches. MI here will be challenging to collect and interpret given how different cyber risks are from financial ones, the lack of a history of losses and the potential for unexpected correlations in cyber breaches (e.g. WannaCry hitting healthcare, logistics, transport and telecoms simultaneously). One benchmark boards should look to see evidence of in their MI is the ability of their firm to bring critical systems back online within the 2-hour downtime window set by IOSCO/CPMI for market infrastructures and repeated in the US ANPR for significant banks.

Given how cyber attacks like WannaCry can swiftly, and not always predictably, drive the regulatory and supervisory response to cyber risks, FS firms have to get on the front foot in managing their cyber resilience. This underscores the need for their boards to re-assess their engagement with their firms’ cyber resilience activities and to think about how they will keep pace with the rapidly evolving nature of the cyber threats that the industry now faces.



Stephen Bonner - Partner, Cyber Risk Services, Deloitte

Stephen is a Partner within Deloitte’s Cyber Risk Services practice with over 5 years of security consulting experience and over 20 years of financial services industry experience. In particular, Stephen ran global security teams and was accountable for Cyber Security, Records Management, Data Privacy and IAM for a global FS institution. He also led IT Security for a derivatives exchange for four years.



Nick Seaver - Partner, Cyber Risk Services, Deloitte

Nick is a partner within Deloitte and leads Deloitte UK's Cyber Risk services within the financial services industry. Nick is also Deloitte's Banking Cyber Risk leader across EMEA. In addition to his client work, Nick has significant internal responsibilities around team leadership, marketing and business development. Nick is a board member of the Institute of Information Security Professionals (IISP), holding the position of treasurer. In addition to his technology qualifications, Nick is a qualified accountant (FCCA) and holds a Masters degree in Engineering and Management and a Masters in Business Administration.



Simon Brennan - Director, EMEA Centre for Regulation Strategy, Deloitte

Simon specialises in prudential regulation for banks. Simon joined Deloitte after 11 years at the Bank of England, where he worked in a number of areas covering macro and micro prudential policy, and financial institution risk assessment.



Suchitra Nair - Director, EMEA Centre for Regulatory Strategy, Deloitte

Suchitra is a Director in the EMEA Centre for Regulatory Strategy, specialising in the strategic implications of banking regulation; Brexit is one of her focus areas. Prior to joining the Centre, Suchitra managed a number of large Basel and Structural Reform regulatory implementation projects for UK and international banks. She is a qualified Chartered Accountant and spent the early years of her career in Deloitte’s Audit and Corporate Finance practices.



Scott Martin - Manager, EMEA Centre for Regulatory Strategy, Deloitte

Scott is a Manager in the Centre for Regulatory Strategy advising on UK and EU banking regulation, with a particular focus on prudential rules and structural reform. Before joining Deloitte in 2015, he spent four years as an EU financial regulation consultant in Brussels after graduating from the London School of Economics. He previously spent a number of years working as a political advisor to Canada’s Minister of Finance and Minister of Foreign Affairs.


Comments

  • I agree, before anything happens with hacking, financial services need to put security measures in place. It's security how a few individuals could bring whole networks down

    Posted by: charlotte on 23/05/2017

  • Very true.

    Daniel

    Posted by: Daniel Shikuku on 02/07/2017
