In late 2017 and early 2018 we carried out a cyber multi-firm review with a sample of 20 firms in the asset management and wholesale banking sectors. The firms we selected varied in terms of their size, scale, operating models and geography. These are our key findings.
This review was a further stage of discovery work which followed on from our Technology and Cyber Resilience Questionnaire exercise in these sectors. Its aim was to help assess how wholesale banking and asset management firms oversee and manage their cybersecurity, how far they identify and mitigate relevant risks and their current capability to respond to and recover from incidents and successful attacks.
Data and information about products, clients and business services are central to asset management and wholesale banking activities. A significant failure by a firm in these sectors to manage cybersecurity effectively could cause serious harm to its clients and to the markets in which it operates.
While this report is based on observations from a small sample of firms, our findings are relevant to all firms in the asset management and wholesale banking sectors. We encourage all these firms to consider our findings and how they apply to their own organisations.
The review involved meetings with Board members, Management Committees and executives from the firms’ first and second lines of defence. We set out our key observations and conclusions below, including a number of key relevant limitations.
- This review was not an in-depth end-to-end review or audit. For example, the review did not attempt to test the operational effectiveness of cyber technical controls.
- We met specific selected individuals, rather than performing a holistic assessment of cybersecurity arrangements across each of the organisations.
- Variations in firms’ structures and operating models meant that we did not meet people performing exactly the equivalent roles in every single firm.
- While the number of firms we selected for the review is not statistically significant (20 out of approximately 3,000 firms in these sectors), we did select a variety of firms in terms of size, structure and business model. The asset management sample, for example, included firms with client assets ranging from below £15 billion to over £500 billion. The wholesale banks sample included firms from large global groups with full-service models and those offering a handful of specific business services, such as corporate finance advisory services.
How well Boards and Management Committees understand and manage the cyber risks their firms face
There has been a growing level of public and regulatory focus on cybersecurity across financial services. Despite this, we found that although Boards and Management Committees were more sensitive to the topic than in the past, most continue to have limited familiarity with the specific cyber risks their organisations face.
We asked Board and Management Committee members to describe their firm’s cyber-related risk profile or risk appetite. We did this to see how clearly they could explain these issues and relate them to the ways their firm could cause harm to its clients or the markets in which it operates. Almost all the Board members and non-IT senior management told us how challenging it was to fully understand and explain the specific risks that their firms face. This suggests firms can do more to help Board members and senior managers think about cyber as a ‘global’ key risk theme. That is, one which firms should not see as an isolated responsibility of the IT function but as part of a firm’s activities and business as a whole.
Firms that rely exclusively on their IT function to own cybersecurity may find this limits the extent to which their IT strategy is independently challenged. Having an independent owner for cyber, or an ownership model that is not solely made up of IT staff, can enable challenge and deliver incident management and recovery plans which reflect the impact of cyber more widely than just that on systems and technology.
Firms in our sample generally lacked Board members with strong familiarity or specific technical cyber-expertise. Many said this was because of their size, low risk-profile or the limited availability of that skillset in the wider independent non-executive director (INED) population. Given the overall responsibilities of Board members, and INEDs, which include providing effective challenge and oversight, this raises an important question. What other steps, such as ongoing training and simulation exercises, do these firms take to strengthen capabilities at that level?
Some firms have hired third-party firms or advisors to independently advise them on cybersecurity. Depending on the firm’s size and cyber maturity, this may be an effective way of helping the Board up-skill without hiring a dedicated Board member. Several asset management firms we met had adopted a creative approach to developing their Board’s cyber awareness, including arranging presentations from chief information security officers (CISOs) and other specialists from peers in other firms and industries. Clearly, however, retaining the services of third parties to assist and advise Board members on cyber matters can potentially result in firms’ over-reliance on these services. This could affect the firm’s development of its own in-house cyber capabilities and the longer-term abilities of the Board to objectively assess their firm’s cyber and control environment.
One of the more prominent areas of discussion was Management Information (MI) and the key role it plays for senior management. All Board members and senior management would like to receive MI which is clear, thoughtfully designed and easily understandable. The design of MI is critical, particularly when Boards need to be sighted on and understand the risks an organisation faces on an ongoing basis, and where it is relevant to risk appetite. Our discussions suggested that the solution to the MI issue on cyber was not simply providing a large quantity of detailed key performance indicators (KPIs) and key risk indicators (KRIs). Too much detail or detail without context was seen as counterproductive, as it affects Boards’ ability to identify meaningful trends, particularly for those who are not familiar with the area. Several asset management firms had experimented with different formats of MI on operational resilience issues, including cyber, to refine the quality and effectiveness of the papers they gave to their Board.
While many firms recognise the range of threats they are exposed to, including those that are opportunistic and targeted, others had defined the threat landscape much more narrowly. We also saw a similar range in the way firms viewed the range of consequences from a successful cyber-attack. For example, in both the asset management and wholesale banking sectors, not all firms appeared to have considered the risk that their firm may be used as conduits to damage other firms or connected infrastructure. Nor had they considered the risk that attacks may be motivated by attempts to commit market abuse.
How effective second line functions are in overseeing the identification and management of cyber risks
Beyond the Board and Management Committee, our overall observation was that the second line of defence – the risk and compliance functions – has limited technical cyber-expertise. Without adequate expertise, second line functions may have limited ability to independently test and challenge a strong, technically-sophisticated first line. Firms that chose to include their CISO function in the first line alongside, or as part of, the IT function appeared to show a significant difference in the level of knowledge between the first and second line.
Firms which have chosen to include the CISO in the first line gave similar reasons for doing so. These included that having this function work closely with IT made it easier, quicker and more effective to incorporate security into the design and build of technical controls. Other firms have recognised the potential for, or perception of, conflict between the objectives of the CISO and IT function. As a result, they have chosen to make those functions which are principally responsible for cyber and/or information security a second line function, responsible for overseeing the first line to ensure the confidentiality, integrity and availability of the firm’s data. In some cases, firms have re-assigned personnel with cyber knowledge from the first line to the second line to address any imbalance, bolster the ability of the second line to meaningfully challenge the first line and play a key role in identifying and mitigating risk. These firms indicated that they developed these arrangements after considering whether cybersecurity roles and responsibilities were clear and well-understood across all 3 lines of defence. These arrangements were also fully embedded across business services, so that all personnel are clear on the role they play in their firm’s cybersecurity.
Most of the firms we met appeared to rely on their risk and control self-assessment (RCSA) or equivalent process to identify cyber and information security risks. This process usually involves the first-line IT and cybersecurity functions identifying risks at a point in time, which can then be challenged by the second line. In our discussions, firms which lacked cybersecurity professionals in the second line did not make it clear how they could comprehensively oversee the first line’s identification of relevant risks, including those which had been potentially missed. Where the second line lacked cyber expertise, the firm relied heavily on the first line IT and cybersecurity functions to ‘translate’ risks and issues into comprehensible terms. They heavily relied on the first line to help senior management understand the potential impacts cyber events could have on the firm and its operations. These firms also placed significant reliance on the third line (internal audit) to identify issues. All the firms we met said both the limited availability of second line risk and compliance professionals and the shortage of relevant cyber-expertise in the market more broadly was a challenge for them.
The lack of in-house cyber knowledge results in a high level of reliance, potentially overreliance, on third-party advisors to supplement the firm’s cyber capabilities. External expertise may be helpful but may also, if overly relied on, undermine the effectiveness of the ‘3 lines of defence’ model in identifying and managing cyber risks in a timely way. In some cases, it was also unclear whether firms would be able to rely on timely access to these third-party resources if there was a serious problem.
Despite the limited cyber-specific expertise we saw in the second line, we generally found a positive correlation between a firm’s cyber-resilience maturity and how far its cyber and information security risk was embedded into an existing enterprise risk management (ERM) framework. The firms which appeared to be more ‘cyber mature’ were better able to talk about cyber risk versus other risks. They were also better informed about the potential interdependencies of these risks and the detailed commercial and operational impact they could have on their firm, if and when they crystallised and how their firm could recover.
Have firms drawn connections between cyber and conduct risk?
Within the wholesale banks review, we paid close attention to how far firms had connected cyber risks to conduct issues. Many firms, including those with more developed conduct risk frameworks, did not actively consider how and how far they should or could incorporate cyber and cybersecurity risks into their broader approach to conduct risk. More specifically, we saw limited evidence of firms proactively trying to ‘connect the dots’ between cyber and other conduct issues which may occur through cyber channels, such as market abuse and financial crime. We also saw little evidence firms had considered what role, if any, information security functions could play in terms of these firms’ broader conduct risk agendas.
Firms spoke about the threats posed by ‘insiders’ and consider these to be some of their most significant cyber-risks. The ability of those within the firm to either intentionally or negligently raise its cyber risk emphasises the importance of embedding a security culture through all aspects of business services. Firms which appeared to have more mature cyber-risk frameworks told us they tried to address this threat in various ways, including:
- Improving logical access controls. They recognised that poor access control, where users have unrestricted or inappropriate access to sensitive data, increases the risk of information being removed or misused.
- Data classification that identifies and maps data based on its sensitivity, commercial value or other special characteristics helps firms target specific controls against the risk of insiders misappropriating or misusing it. A disciplined approach to data classification is a key element of effective information and cyber-security risk management; people cannot protect what they do not know about.
- Training and building awareness about the threat landscape and cyber risk, tailored to the roles and responsibilities of the audience. For example, firms identified staff at risk of ‘spear-phishing’ and similar attacks because of their privileged access to systems and/or data and gave them additional training and other protections.
- Building a fuller understanding of the range of threats the firm faces, and the possible motivations of those behind them. Most asset management firms recognised information-sharing networks as vital to broadening their understanding of the threat environment and learning good practices from their peers. They used these forums in addition to receiving threat intelligence updates from security software providers and threat intelligence providers.
Relying on developing an effective technical control environment alone may not deliver the best results. It needs to be accompanied by positive steps to increase staff awareness and understanding, such as providing training and engaging with high-risk personnel. Conduct risk and cyber-risk share many similarities in that they:
- may occur in any part of the organisation, not just those which are client-facing or revenue-generating
- can occur and/or be exacerbated or mitigated by staff’s actions and behaviour
- are difficult to identify and quantify because of the various different forms in which issues and related impact may occur
- cannot be addressed only through applying technical controls alone – they rely on integration with the business
What else did we observe in our review?
Many of the wholesale banks with overseas headquarters adopted a centralised security model. Here, key cyber-controls and policies were developed, owned and administered at the group, rather than at a local level. We also saw a similar reliance on group-level arrangements in asset management firms that are part of larger groups. Where firms had centralised models, it wasn’t always clear that local Boards and Management Committees had considered whether there was effective dialogue with the central / group function so that:
- even if the centralised approach and the local risk profile were not aligned, they were is at least compatible
- they address any gaps between the centrally defined arrangements and the risks from the business services carried out locally
With more activities being outsourced, and with firms establishing more third-party relationships, it becomes even more important to have an effective approach to third-party risk management in place. Some firms have looked at building in-depth reviews of key third-party service providers’ controls into their broader cyber-risk assessment frameworks. Some firms did not purely define key third-party relationships as based on the contract’s size or value. Instead, their assessments were based on risk, reflecting an understanding of how critical the service was, the sensitivity of the data the third-party holds and a more holistic analysis of the impact of any loss, misuse or corruption of this data.
Asset management firms which used a forum focusing on the range services provided to them by third parties with input from right across the business to specifically manage and escalate third-party supplier risk seemed to be more effective than those solely relying on a supplier-management or procurement function. The increasing number of cloud services, which promise greater resilience, security and cost-savings, will continue to make oversight of third-party suppliers even more important. Put simply, service providers that play a key role in the activities of a firm can significantly affect its business services, and so, consumers and markets, if firms do not manage it adequately.
Testing was an area where we saw particularly wide differences in maturity and approach. We met firms who had carried out almost no testing of their cyber arrangements at all. We also met others who had run extensive programmes covering both staff, such as ethical phishing, and systems, including near-real simulated, so-called ‘red team’ attacks. Testing seemed to have most value where it was part of a considered strategy for managing cyber risks, and less value where the tests appeared piecemeal, with no clear plan on how to address the test’s findings.
The main aim of the review was to assess how wholesale banking and asset management firms oversee and manage their cybersecurity, how far they identify and mitigate relevant risks and their current capability to respond to and recover from incidents and successful attacks. All the firms acknowledged the importance of strong cybersecurity. But there were different degrees of understanding of the many potential ways that weak cybersecurity could affect business activities and lead to harm to clients and the wider markets. This was particularly the case at the Board or Management Committee levels. Awareness is lower in firms that do not have a cyber-specific strategy and proportionate cyber risk framework, where cyber is not part of their broader risk management framework, and where their incident response plans take little account of non-technical consequences such as the impact to their reputation, clients and markets more broadly.
Main observations from our findings:
- Many firms need to do more to ensure that Board and Management Committee cybersecurity decisions are based on careful consideration of the cyber risks arising from the nature, scale and complexity of the firm’s activities and risk profile. Where a firm relies on group-level or other centralised arrangements, Management Committees and Boards should carefully assess whether these are fully aligned with the firm’s specific risks and ensure they address any identified gaps.
- Firms should take proactive steps to foster a security-centric culture which transforms cyber from an IT issue to an organisation-wide priority.
- In some cases, all 3 lines of defence were clear about their role and responsibilities for managing cyber risks and the second and third lines possessed a suitable level of knowledge, skill and expertise. In these firms, the second and third lines were able to appropriately challenge the first line and ensure they were sufficiently aware of current and emerging cyber risks.
- One effective approach we saw in third-party vendor risk management involved the firm identifying and engaging with the relevant stakeholders across the business for each supplier. The firm then carried out in-depth reviews of key third-party service providers’ controls as part of broader cyber-risk assessment frameworks. This model, which differs from a purely centralised vendor management function, appeared to offer a range of oversight and resilience benefits.
- Incident management plans did not always appear to reflect the likely impacts of a successful cyber-attack in a variety of ways. These included the impact on customers, on other market participants, and on markets more generally, not simply the implications for the firm’s systems and technology.
Questions Board and Management Committee members may want to ask themselves as they consider this area more broadly
Cybersecurity and managing cyber risk is inherently complex due to the dynamic, ever-changing nature of the threat. When considering the risks faced by their firms, Board members may wish to ask themselves the following questions:
- How can I assure myself that I have sufficient grasp and understanding of the cyber risks (including those from the use of third parties) that my firm faces and the impact tolerances of our business services so that I can provide effective challenge to the business on an ongoing basis?
- What can we, as a Board or Management Committee, do to make sure the firm’s second line of defence is able to provide effective challenge to the first line on cyber-related matters?
- Which aspects of our approach to conduct risk management could we apply to the way we manage our cyber risk. Does this offer value?
- How confident are we that our incident management plans would be effective in dealing with the aftermath of a cyber incident?
- How can we best assure ourselves that we have appropriate future goals and timeframes for cyber risk?