Cyber resilience and supplier risk: moving beyond compliance

Speech delivered by Nausicaa Delfas, Chief Operating Officer at the FCA, at the Cyber Security Summit and Expo 2017

Nausicaa Delfas

Speaker: Nausicaa Delfas, Chief Operating Officer ​​​​​​
Event: Cyber Security Summit and Expo 2017, London
Delivered: 15 November 2017
Note: this is the speech as drafted and may differ from delivered version

Highlights:

  • Cyber resilience is not tick box
  • It should be driven from the top down, with Boards asking probing questions
  • It involves consideration of: people, processes, technology
  • And this applies to managing risks posed by suppliers and partners too – you need to assess them as you do yourselves
  • Key is to continue to work together, share ideas and innovations

Thank you for inviting me to speak here today. I am Nausicaa Delfas, Executive Director at the FCA and for the past year, COO. Having for some time seen cyber issues from a regulatory perspective, I am now also seeing these also from an operational perspective – stepping more into your shoes. As such, the question of how to really address cyber issues within firms is a matter of ever greater interest to me.

Cyber risk remains one of the FCA’s top priorities – the financial crises of the past have been responded to with many global initiatives to shore up institutions’ financial resilience. But now, it is generally recognised that cyber resilience is a key area of focus – for us in the UK, and with our colleagues internationally. Global bodies such as the International Organization of Securities Commissions (IOSCO), Group of Seven (G7), Financial Stability Board (FSB) and many others have this at the top of their agenda, and we are actively engaged in the work of those bodies.

The FCA regulates 56,000 financial services firms, from the largest banks, insurers and market infrastructure providers to the smallest advisers. Our objectives are to secure appropriate protection for consumers, protect and enhance the integrity of the UK financial system and promote effective competition in the interests of consumers.

Cyber risks challenge each of these objectives - and can cause harm to consumers and markets through:

  • markets being disrupted through loss of availability of platforms
  • sensitive market or customer data being stolen or compromised
  • denial of access to core banking services

Our aim is to help firms to become more resilient to cyber attacks, to enhance market integrity and to protect consumers.

Cyber security is a shared responsibility, and we take a co-operative approach to address this threat, working with government, other regulators, nationally and internationally on this important issue.

What should we do to address this risk?

Managing cyber resilience is not ‘tick box’ – it requires real thinking outside the box.

I have spoken before about the importance of ‘people, processes and technology’ in addressing cyber risk – we do not consider cyber risk to be a purely technical issue. As well as having the right technology to protect, detect, recover and respond, it is important to move people into the right mindset on security – right from the top, board members, and staff; and from a process perspective, be able to recover and respond – essential for resilience of your business and services. Managing this is not ‘tick box’ – it requires real thinking outside the box.

To develop this further, today I will focus on two key areas:

  1. The fact that cyber resilience is indeed ‘beyond compliance’ – it should be business led. In this regard, I will cover the types of questions that firms should be asking themselves, from the top down.
  2. As a feature of this, how we should all manage the ever growing issue of ‘supplier risk’ – third, or fourth, or fifth party risk. This is not just about IT suppliers. There are many suppliers of professional or business services that handle sensitive information such as payroll providers, health providers, auditors, or others providing services that are important to the running of your businesses, such as delivery services. If they are compromised, this can significantly affect your business too.

What should Boards do?

As a regulator, we have been encouraged to see that many firms within the financial sector are now treating cyber security as a business-led risk, with active engagement within the boardroom. We are also seeing the emergence of investment companies beginning to question the cyber security of the companies that they are investing in. This can only be a good thing – focus and pressure from directors and major shareholders can help drive the outcomes necessary.

What questions should Boards ask?

Being competitive also includes having regard to the public interest in data security.

While the subject can appear to be highly technical and shadowed in mystery, fundamentally the core questions are surprisingly straight forward. For example:

  • Have we identified and understood the value of our company’s critical information and data assets? What is the small percentage of the information within our business that makes us competitive? Being competitive also includes having regard to the public interest in data security. A breach from one company can easily impact another.
  • Do we regularly receive updates showing the threat to our business and critical data assets? In such a fast moving area good intelligence is crucial in being able to prioritise defence efforts.
  • Have we agreed a risk appetite for the cyber risks and are we confident that it is reflected in day-to-day decision making? It is important to think about what balances are made. An effective cyber stance, especially for a long established organisation with a legacy, can be expensive to achieve, but not having one could be much more so.
  • Have we reviewed our attitudes to ‘sweating’ assets in this new light?
  • Do we have the means to detect if a significant cyber breach has occurred, and should the need arise, to mobilise an effective and timely response?

No serious company director can afford to ignore cyber security, because it fundamentally impacts the day-to-day activities of almost every individual and organisation.  It is vital that organisations protect themselves, their customers and their supply chains.

Supply chains: what lies beneath the surface?

When speaking with firms, whether business people, or leaders in the operational areas of firms, the question that always comes up is how to manage cyber risk on what lies ‘beneath the surface’ – managing the risks of harm posed from suppliers and partners. We rely on suppliers and partners, but by doing so we also adopt their risk profile – and from a regulatory perspective, as you know, firms remain responsible where failings occur in services they have outsourced. The key here is:

  • What assurances do we have that our suppliers and extended supply chains are secure, and can be trusted with our information?
  • And are we consuming the services in a secure way?

By way of example, as we look across the breadth of the 56,000 organisations that we regulate, be it large multinational banks or small independent financial advisors, one common theme is the adoption of cloud technology. For small businesses this provides reliable and readily accessible IT facilities. For big businesses, such cloud services offer economies of scale and business agility. The major cloud providers invest heavily in cyber security and operate their services to a high standard of security.

However, a number of consuming organisations have had security incidents or near misses, including companies such as Deloitte, Accenture and Verizon, to name but three. In all these cases, it was not a failing in the cloud service, but the technical controls around how organisations used the services: be this the use of weak administration passwords, or insecure access settings which allowed potential access to anyone on the internet.

So, remembering to assess the completeness of your own technical controls is key – getting your basics right: patching systems, security monitoring, and staff awareness of phishing and security protocols. We know that getting those basics right can prevent about 80% of the breaches that occur.

However, that’s not to say we shouldn’t assure our supply chain – in its broadest sense. As I mentioned earlier, it is not sufficient merely to consider your IT suppliers – it could be any suppliers, from air conditioning, to delivery, to advertising, to lawyers, etc.

Indeed, if we were to consider the breach of US retailer Target, one of the largest data breaches in the last few years, the company was breached via Fazio Mechanical Services who maintained their air conditioning systems. Target finally agreed to an $18.5 million litigation settlement. Who would have thought an air-conditioning provider would have been a risk?

And in the context of the NotPetya ransomware incident both TNT and WPP experienced critical impacts which resulted in significant disruption, reputational impact and cost to their customers, as well as cost to them.

For a large company, assuring its supply chain can appear to be a Herculean task, with possibly hundreds of thousands of suppliers to consider.

So, I will now briefly share some innovations we are seeing in the marketplace that can help firms develop their strategies for tackling the problem – we have seen firms combinations of these approaches:

Audits

Some firms have created mammoth initiatives to prioritise and audit their key suppliers. A sensible approach, but from a practical perspective, for a large organisation this could result in a team of hundreds. This has a knock-on impact of the suppliers, who themselves are inundated with audit requests. We end up with a world where everyone is auditing everyone else: is this really sustainable, and cost effective?

Intermediaries

We are seeing services emerge where intermediaries perform assessments to a commonly accepted standard within the financial sector – standardising third party risk management processes, focussing on vendor due diligence and ongoing monitoring. Instead of individually auditing each of their suppliers an intermediary standardises these audits and provides firms with information about their suppliers, on an ongoing basis. Whilst this sort of initiative started with a few large institutions, I understand this is now spreading to smaller firms who can gain efficiencies through this too.

Automated tools

We are also seeing the growth of tools that automatically evaluate and measure the cyber security indicators of companies on the internet.

They use publically available indicators to calculate an aggregated security score. This gives firms a sense of their suppliers’ security performance – and whether they pose a higher data breach risk, for example. This is a similar model to credit reference agencies, which provide credit worthiness assessments of business partners.

Potentially these tools provide a convenient way to prioritise your suppliers and determine which might need additional follow up. Similarly, we are looking at this technology to help us in our regulatory work.

‘Nudge theory’

Alternatively, or in addition, many companies are finding that ‘nudge theory’ can be useful in changing staff security behaviours – by applying small nudges frequently to staff, people are encouraged to talk about cyber and we see far better cultural outcomes than traditional annual mandatory training regimes. Examples of this include: introducing fake phishing scams, educating staff who click on them, reward those who avoid/spot attacks, take further action on those who persistently do not.

Perhaps the same technique could be used with suppliers - talk to your suppliers, and make cyber security part of the routine conversation. In addition to usual due diligence, simply asking about what they are doing, what you are doing on security, whether they have had issues with security, all serve as useful prompts. Setting tone, and showing cyber security is of importance in the relationship is a great first step.

In conclusion

As we all know, cyber is a complex and enormous challenge, even for the best funded and mature organisations.

It is particularly challenging for many of the smaller businesses that we regulate, where access to specialist skills and resources is constrained.

The threat is asymmetric and our adversaries have the advantage that it is easier to perpetrate than defend.

But what we can all do to address this is to ensure that this is regarded as a business-led risk, from the top of the organisation down. Only then will resources and processes be deployed to address the key risks that face the whole of an organisation. Remember people, processes and technology:

  • Move towards creating a secure culture where people are naturally alert to security issues and act accordingly – a change in behaviour rather than simply sending staff on a training programme.
  • Look at your processes. Be able to recover and respond to attacks effectively.
  • Get the basics right – keep technology updated and patched, and have the right technical controls in place to prevent and detect attacks.

All of this applies not just to your firm, but also to your suppliers and partners, in their broadest sense – not just IT, but also the broader group of suppliers and partners your business relies on. Consider them in the same light as you consider your own security, through the full lifecycle of the relationship, including pre-contract planning, due diligence, in life contracting, monitoring and end of life termination phases. This can be a challenging task, but we are encouraged to see firms seeking and applying new and innovative tools and techniques being applied in the management of the risk.

Cyber remains one of the top risks for the financial services industry, and in society more broadly – so it is incumbent on us all to continue to work together, share ideas and think outside the box. It is an issue that is certainly ‘beyond compliance’.